"As Found License Text" shows the library location inside the build.
"As Found License Text" shows the path in the build where we pull the third party libraries in addition to the license text. The same information is found under "Notes" -> "Detection Notes" but unlike the "As Found License Text", the info in the Detection Notes is kept private.
I would like to know if there are plans to remove the library path information from the "As Found License Text".
Hello @lpopescu,
The intent of keeping the library path in the 'As Found License Text' is to reduce the work needed on building the Notices Text where you may need the source of the license and all you need to do is copy the text from As Found license to Notices and start editing to your liking.
May I know any specific reasons why you wish to NOT have the library in the As Found License Text field?
According to the FNCI 2019 R2 Release Notes: "...if the Notices Text field is empty, Code Insight uses the contents of the As-Found License Text field as the “notices” text for the inventory item in the report. If both fields are empty, the report uses the inventory item’s selected license text from the FlexNet Code Insight data library"
RE: "May I know any specific reasons why you wish to NOT have the library path in the As Found License Text field."
- "As-Found License Text" should only reference the "legal" License Text. By referencing the path to the license file, the box becomes "Auditing Notes". Our customers do not care to know the Library path but rather they are interested in the license text only.
- It's a different behavior from FNCI V6 vs. V7.
In V6 the As-Found License Text was populated with license text and other license evidence, but it would not be automatically included with the License text unless you clicked on the As-Found License Text field. Also in V6, when Palamida automatically populated the Notices and License boxes (e.g. npm's), it only included the "legal" License information.
In V7, you are automatically including into the As-Found License Box the License text and the License path as the de-facto license, unless we physically populate the Notices field by copy/paste the license text into the Notices field.
It feels to me this is slowing down the review of licenses rather than improving it, since we'll have to copy/paste every third party library license info into the Notices field. (We deal with thousands of third party licenses in our products.)
Now if you would have left out the Library path, we would not have to do any extra steps, but accept it as the de-facto license.
Can I ask you why you decided to duplicate the file path in two places in FNCI 2019 R2? The file path is listed in the "As-Found License Text" box as well as in the "Detection Notes", and the latter is where it belongs (IMHO).
Thanks for the detailed writeup and feedback. It helps us improve the product.
A couple of points:
1. Report generation: Following a hierarchy of Notices Text > As Found License Text > Selected License is not something new that was added in 2019 R2. This has been the case for a long time. Outside of the file path, do you see a challenge with this order?
2. File Path: Technically, including a file path in the As-Found License Text is also not new in 2019 R2. This functionality was available for those inventory items that were created by our Auto-Writeup rules. For example, if you scan "struts2-core-2.3.1.jar", in the resulting inventory the As-Found License Text would be as below:
Sample from LICENSE.txt in sPortal1.0/sPortal1.0/Jars/struts2-core-2.3.1.jar in the materials Apache License Version 2.0, January 2004 http://www.apache.org/licenses/
This functionality existed for a long time. In 2019 R2, we retained the same template that most of our customers have been using and replaced the short text from the above to full license text so that an auditor doesn't have to fetch full text from elsewhere. We extended the same capability to other detection techniques.
Having said the above, we really appreciate the feedback and will discuss internally whether this would be an unpleasant experience for everyone.
Thank you Venkat,
Not having the extra path info in the "As-Found License Text" will help tremendously. For security reasons we don't like to divulge paths inside our product builds.
The way it is right now, we'll have to go through every single component and perform a copy/paste into the Notices field without the path. (We can have from hundreds to thousands of components per product.)
Please see another reason why the "As Found License Text" should not contain extra information that does not pertain to the License text.
Docker scan plugins are inventory-only projects and do not allow modification of any text fields.
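The report hierarchy Venkat describes (Notices Text > As-Found License Text > selected license) and the build-path disclosure concern raised in this thread, as an added example that is not Code Insight's own code: a small Python post-processor that applies the fallback order and strips the "Sample from <file> in <path> in the materials" lead from As-Found text before it reaches a notices report. It assumes the auto-writeup template quoted for struts2-core-2.3.1.jar is the only form the path takes; the Inventory class, the path heuristic and the sample values are constructed for the example.

```python
import re
from dataclasses import dataclass

# Assumed auto-writeup template, taken from the struts2 sample in the thread:
#   "Sample from <file> in <path> in the materials <license text>"
SAMPLE_PREFIX = re.compile(r"^Sample from \S+ in \S+ in the materials\s*")

# Cheap heuristic for build-path-looking tokens (dir/file.jar etc.); constructed.
PATH_LIKE = re.compile(r"\S+/\S+\.(?:jar|txt|js|zip)\b")


@dataclass
class Inventory:
    """Constructed stand-in for an inventory item's three text fields."""
    name: str
    notices_text: str = ""
    as_found_license_text: str = ""
    selected_license_text: str = ""  # text from the Code Insight data library


def strip_path_prefix(as_found: str) -> str:
    """Drop the 'Sample from <file> in <path> in the materials' lead so the
    build path is not carried into the notices text."""
    return SAMPLE_PREFIX.sub("", as_found.strip(), count=1)


def notices_for(item: Inventory) -> str:
    """Fallback order from the thread: Notices > As-Found (sanitised) > selected."""
    if item.notices_text.strip():
        return item.notices_text.strip()
    if item.as_found_license_text.strip():
        return strip_path_prefix(item.as_found_license_text)
    return item.selected_license_text.strip()


def contains_build_path(text: str) -> bool:
    """Review check: flag notices output that still discloses a path."""
    return PATH_LIKE.search(text) is not None


# Constructed sample mirroring the struts2-core-2.3.1.jar writeup quoted above.
STRUTS = Inventory(
    name="struts2-core-2.3.1.jar",
    as_found_license_text=(
        "Sample from LICENSE.txt in sPortal1.0/sPortal1.0/Jars/struts2-core-2.3.1.jar "
        "in the materials Apache License Version 2.0, January 2004 "
        "http://www.apache.org/licenses/"
    ),
    selected_license_text="Apache License 2.0 (data library text)",
)

if __name__ == "__main__":
    print(notices_for(STRUTS))
```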