
Jfrog scan does not detect license written in a java file #115

Open
usinelogicielle opened this issue Jul 23, 2024 · 1 comment
Labels
question Further information is requested

Comments

@usinelogicielle

Hello,

We're trying to scan a Java license written in a Java file using the Xray analysis features.
To do this, we use the JFrog CLI for the Maven build and for the scan.

To Reproduce

jfrog config add <serverIdName> --artifactory-url=https://<artifactoryName>/artifactory --user=<user_from_access_token> --access-token=<token> --enc-password
jfrog rt mvnc --server-id-resolve <serverIdName> --repo-resolve-releases maven --repo-resolve-snapshots maven
jfrog rt bp --server-id <serverIdName> --build-url <buildUrl>

jfrog scan --server-id <serverIdName> --format=json --licenses=true  **/**.jar  > xray_result.json
Here is an example of a Java file containing a license:
/*-
 * #%L
 * attribution_licence
 * %%
 * Copyright (C) 2022 TEST
 * %%
 * Redistribution and use in source and binary forms, with or without modification,
 * are permitted provided that the following conditions are met:
 * 
 * 1. Redistributions of source code must retain the above copyright notice, this
 *    list of conditions and the following disclaimer.
 * 
 * 2. Redistributions in binary form must reproduce the above copyright notice,
 *    this list of conditions and the following disclaimer in the documentation
 *    and/or other materials provided with the distribution.
 * 
 * 3. Neither the name of the TEST nor the names of its contributors
 *    may be used to endorse or promote products derived from this software without
 *    specific prior written permission.
 * 
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
 * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * #L%
 */
package org.continuous_security;


import org.apache.commons.fileupload.MultipartStream;

import java.io.ByteArrayInputStream;
import java.io.IOException;

public class Main {

    public static void main(String[] args) {
        // Constructed input: a zeroed buffer used both as the stream content and as the boundary
        byte[] bytes = new byte[256];
        try {
            new MultipartStream(new ByteArrayInputStream(bytes), bytes);
        } catch (IOException ignored) {
        }
        System.out.println("Program completed.");
    }
}

The result of the Xray scan of the Java file shows that no license was found.

Is it normal for the Xray scan not to detect a license inside a Java file?

@usinelogicielle usinelogicielle added the question Further information is requested label Jul 23, 2024
@eranturgeman (Contributor)

Hello @usinelogicielle, and thank you for using our product!
The behavior you are experiencing is expected. Xray scan doesn’t detect licenses in every file.
Our mechanism searches for certain files and names/prefixes based on the technology detected in the project. To ensure efficiency, we do not scan every file for license content. Each technology has specific criteria for identifying ‘candidate’ files likely to contain license information, and only those files are scanned.

The files where you placed your license information likely do not meet these criteria, so they were not scanned for licenses. I hope this clarifies everything. If you have any further questions about this topic, please feel free to ask!
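The answer above says a license is only picked up from "candidate" files chosen per technology, never from arbitrary sources. The script below is an added example, not code from the issue or from JFrog, that models that behaviour over a jar: it opens only a small allow-list of entries (`META-INF/LICENSE*` and the embedded Maven `pom.xml`; this list is an assumption standing in for Xray's undocumented criteria) and skips everything else, so the header comment in `Main.java` is never read. It doubles as a quick pre-scan check that an artifact carries license metadata somewhere a scanner will look. The jar contents are constructed in memory. One further caveat worth knowing: a comment header in a `.java` file never reaches the compiled `.class`, so a binary-only jar would not contain it even if every entry were inspected.

```python
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# Jar entries a license scanner would plausibly treat as "candidate" files.
# ASSUMPTION for this example: Xray's real per-technology criteria are not
# stated in the issue, so this allow-list only stands in for them.
CANDIDATE_PATTERNS = [
    re.compile(r"^META-INF/LICENSE(\.txt|\.md)?$", re.IGNORECASE),
    re.compile(r"^META-INF/maven/[^/]+/[^/]+/pom\.xml$"),
]

# Constructed sample entries: a trimmed copy of the header from the issue and a minimal POM.
JAVA_WITH_HEADER = """/*-
 * #%L
 * attribution_licence
 * %%
 * Copyright (C) 2022 TEST
 * %%
 * Redistribution and use in source and binary forms, with or without modification,
 * are permitted provided that the following conditions are met: ...
 * #L%
 */
package org.continuous_security;
public class Main {}
"""

POM_WITH_LICENSE = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.continuous_security</groupId>
  <artifactId>demo</artifactId>
  <version>1.0</version>
  <licenses>
    <license><name>BSD-3-Clause</name></license>
  </licenses>
</project>
"""


def build_jar(entries):
    """Build an in-memory jar (a zip) from {path: text}; constructed test data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, text in entries.items():
            zf.writestr(path, text)
    return buf.getvalue()


def pom_license_names(xml_text):
    """Extract <licenses><license><name> values, with or without the POM namespace."""
    root = ET.fromstring(xml_text)
    ns = {"m": "http://maven.apache.org/POM/4.0.0"}
    nodes = root.findall("./m:licenses/m:license/m:name", ns) or \
        root.findall("./licenses/license/name")
    return [n.text.strip() for n in nodes if n.text and n.text.strip()]


def find_licenses(jar_bytes):
    """Return {entry: [license names]} for candidate entries only.

    Entries matching no candidate pattern (.java, .class, resources) are never
    opened, which is exactly why a license that lives only in a source-file
    header comes back as "no license found".
    """
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if not any(p.match(name) for p in CANDIDATE_PATTERNS):
                continue
            text = zf.read(name).decode("utf-8", errors="replace")
            if name.endswith("pom.xml"):
                found[name] = pom_license_names(text)
            else:
                # Plain license text: use its first non-empty line as the label.
                first = next((ln.strip() for ln in text.splitlines() if ln.strip()), "")
                found[name] = [first]
    return found


def has_license_metadata(jar_bytes):
    """True if at least one candidate entry yields a license name."""
    return any(names for names in find_licenses(jar_bytes).values())


if __name__ == "__main__":
    header_only = build_jar({"org/continuous_security/Main.java": JAVA_WITH_HEADER})
    with_pom = build_jar({
        "org/continuous_security/Main.java": JAVA_WITH_HEADER,
        "META-INF/maven/org.continuous_security/demo/pom.xml": POM_WITH_LICENSE,
    })
    print("header only:", find_licenses(header_only))
    print("with pom   :", find_licenses(with_pom))
```

Run it as a script to see the two outcomes side by side: the jar whose only license text is the `Main.java` header yields an empty result, while the same jar with an embedded `pom.xml` declaring `<licenses>` yields `BSD-3-Clause`. The practical takeaway matches the contributor's explanation: put license information in the files the scanner is known to open (for a Maven artifact, declare it in the POM or ship a `META-INF/LICENSE` file) rather than in source headers.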
