insufficient confidence threshold when identifying a BSD 2-Clause like license

[melinath]

I am getting different results from running go-licenses on the same repository and hardware, even though as far as I can tell nothing has changed in the relevant code in between. This is blocking changes to https://github.com/GoogleCloudPlatform/terraform-validator

Successful run (2023-03-21)

``` cd .. && go version && go install github.com/google/go-licenses@latest go version go1.18.3 linux/amd64 go: downloading github.com/google/go-licenses v1.6.0 go: downloading github.com/spf13/cobra v1.6.0 go: downloading github.com/otiai10/copy v1.6.0 go: downloading golang.org/x/text v0.6.0 go: downloading k8s.io/klog/v2 v2.80.1 go: downloading golang.org/x/tools v0.5.0 go: downloading gopkg.in/src-d/go-git.v4 v4.13.1 go: downloading github.com/google/licenseclassifier v0.0.0-20210722185704-3043a050f148 go: downloading go.opencensus.io v0.23.0 go: downloading golang.org/x/net v0.5.0 go: downloading golang.org/x/mod v0.7.0 go: downloading github.com/go-logr/logr v1.2.0 go: downloading github.com/sergi/go-diff v1.2.0 go: downloading golang.org/x/crypto v0.1.0 go: downloading gopkg.in/src-d/go-billy.v4 v4.3.2 go: downloading golang.org/x/sys v0.4.0 go: downloading github.com/emirpasic/gods v1.12.0 go: downloading github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 go: downloading github.com/src-d/gcfg v1.4.0 go: downloading github.com/kevinburke/ssh_config v0.0.0-20190725054713-01f96b0aa0cd go: downloading github.com/xanzy/ssh-agent v0.2.1 go: downloading gopkg.in/warnings.v0 v0.1.2 $(go env GOPATH)/bin/go-licenses check . W0321 17:49:07.715821 1262 library.go:101] "golang.org/x/sys/unix" contains non-Go code that can't be inspected for further dependencies: /builder/home/go/pkg/mod/golang.org/x/sys@v0.0.0-20221010170243-090e33056c14/unix/asm_linux_amd64.s W0321 17:49:22.705397 1262 library.go:101] "github.com/modern-go/reflect2" contains non-Go code that can't be inspected for further dependencies: /builder/home/go/pkg/mod/github.com/modern-go/reflect2@v1.0.2/reflect2_amd64.s /builder/home/go/pkg/mod/github.com/modern-go/reflect2@v1.0.2/relfect2_mips64x.s /builder/home/go/pkg/mod/github.com/modern-go/reflect2@v1.0.2/relfect2_mipsx.s /builder/home/go/pkg/mod/github.com/modern-go/reflect2@v1.0.2/relfect2_ppc64x.s W0321 17:49:29.072382 1262 library.go:101] "github.com/cespare/xxhash/v2" contains non-Go code that can't be inspected for further dependencies: /builder/home/go/pkg/mod/github.com/cespare/xxhash/v2@v2.1.2/xxhash_amd64.s ```

Failed run (2023-03-17)

``` cd .. && go version && go install github.com/google/go-licenses@latest go version go1.18.3 linux/amd64 go: downloading github.com/google/go-licenses v1.6.0 go: downloading github.com/spf13/cobra v1.6.0 go: downloading github.com/otiai10/copy v1.6.0 go: downloading golang.org/x/text v0.6.0 go: downloading k8s.io/klog/v2 v2.80.1 go: downloading github.com/google/licenseclassifier v0.0.0-20210722185704-3043a050f148 go: downloading golang.org/x/tools v0.5.0 go: downloading gopkg.in/src-d/go-git.v4 v4.13.1 go: downloading go.opencensus.io v0.23.0 go: downloading golang.org/x/net v0.5.0 go: downloading github.com/go-logr/logr v1.2.0 go: downloading golang.org/x/mod v0.7.0 go: downloading github.com/sergi/go-diff v1.2.0 go: downloading golang.org/x/crypto v0.1.0 go: downloading gopkg.in/src-d/go-billy.v4 v4.3.2 go: downloading golang.org/x/sys v0.4.0 go: downloading github.com/emirpasic/gods v1.12.0 go: downloading github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 go: downloading github.com/src-d/gcfg v1.4.0 go: downloading github.com/kevinburke/ssh_config v0.0.0-20190725054713-01f96b0aa0cd go: downloading github.com/xanzy/ssh-agent v0.2.1 go: downloading gopkg.in/warnings.v0 v0.1.2 $(go env GOPATH)/bin/go-licenses check . W0317 21:32:52.305249 1276 library.go:101] "golang.org/x/sys/unix" contains non-Go code that can't be inspected for further dependencies: /builder/home/go/pkg/mod/golang.org/x/sys@v0.5.0/unix/asm_linux_amd64.s E0317 21:33:03.529136 1276 library.go:122] Failed to find license for github.com/dnaeon/go-vcr/cassette: cannot find a known open source license for "/builder/home/go/pkg/mod/github.com/dnaeon/go-vcr@v1.0.1/cassette" whose name matches regexp ^(?i)((UN)?LICEN(S|C)E|COPYING|README|NOTICE).*$ and locates up until "/builder/home/go/pkg/mod/github.com/dnaeon/go-vcr@v1.0.1" E0317 21:33:03.612427 1276 library.go:122] Failed to find license for github.com/dnaeon/go-vcr/recorder: cannot find a known open source license for "/builder/home/go/pkg/mod/github.com/dnaeon/go-vcr@v1.0.1/recorder" whose name matches regexp ^(?i)((UN)?LICEN(S|C)E|COPYING|README|NOTICE).*$ and locates up until "/builder/home/go/pkg/mod/github.com/dnaeon/go-vcr@v1.0.1" W0317 21:33:03.832914 1276 library.go:101] "golang.org/x/crypto/curve25519/internal/field" contains non-Go code that can't be inspected for further dependencies: /builder/home/go/pkg/mod/golang.org/x/crypto@v0.0.0-20220517005047-85d78b3ac167/curve25519/internal/field/fe_amd64.s W0317 21:33:03.847191 1276 library.go:101] "golang.org/x/crypto/internal/poly1305" contains non-Go code that can't be inspected for further dependencies: /builder/home/go/pkg/mod/golang.org/x/crypto@v0.0.0-20220517005047-85d78b3ac167/internal/poly1305/sum_amd64.s W0317 21:33:06.620610 1276 library.go:101] "github.com/modern-go/reflect2" contains non-Go code that can't be inspected for further dependencies: /builder/home/go/pkg/mod/github.com/modern-go/reflect2@v1.0.2/reflect2_amd64.s /builder/home/go/pkg/mod/github.com/modern-go/reflect2@v1.0.2/relfect2_mips64x.s /builder/home/go/pkg/mod/github.com/modern-go/reflect2@v1.0.2/relfect2_mipsx.s /builder/home/go/pkg/mod/github.com/modern-go/reflect2@v1.0.2/relfect2_ppc64x.s W0317 21:33:13.365681 1276 library.go:101] "github.com/cespare/xxhash/v2" contains non-Go code that can't be inspected for further dependencies: /builder/home/go/pkg/mod/github.com/cespare/xxhash/v2@v2.2.0/xxhash_amd64.s Unknown license type found for library github.com/dnaeon/go-vcr/cassette Unknown license type found for library github.com/dnaeon/go-vcr/recorder ```

[Bobgy]

Hi @melinath
I can stably reproduce your failure. Not sure why it can pass on your side.

The error message is a bit unclear, it basically means go-licenses didn't find licenses for the two mentioned libraries.

[Bobgy]

I verified this is a confidence threshold problem when identifying the license.

If you add the following flag, it will pass:

$(go env GOPATH)/bin/go-licenses check . --confidence_threshold 0.7

go-licenses is still using google/licenseclassifier v1, if we upgrade to v2, it can get more accurate.

[Bobgy]

The mentioned license text looks like BSD 2-Clause, but the wording is slightly different.

Compare: https://opensource.org/license/bsd-2-clause/ and https://github.com/dnaeon/go-vcr/blob/v3/LICENSE