Non-open source code in this repo

[omajid]

There's a number of files in this repository that include license headers that restrict the usage of those files:

/*!
* Note: While Microsoft is not the author of this script file, Microsoft
* grants you the right to use this file for the sole purpose of either: 
* (i) interacting through your browser with the Microsoft website, subject 
* to the website's terms of use; or (ii) using the files as included with a
* Microsoft product subject to the Microsoft Software License Terms for that
* Microsoft product. Microsoft reserves all other rights to the files not 
* expressly granted by Microsoft, whether by implication, estoppel or
* otherwise. The notices and licenses below are for informational purposes 
* only.

This license restricts what can be done with this file, which seems to run counter to the "No Discrimination Against Fields of Endeavor" requirement of the Open Source Definition and the 4 Essential Freedoms.

https://github.com/Humanizr/sample-aspnetmvc/blob/master/MvcSample/Scripts/jquery-1.6.2-vsdoc.js
https://github.com/Humanizr/sample-aspnetmvc/blob/master/MvcSample/Scripts/jquery.validate-vsdoc.js
https://github.com/Humanizr/sample-aspnetmvc/blob/master/MvcSample/Scripts/jquery-1.6.2.js
https://github.com/Humanizr/sample-aspnetmvc/blob/master/MvcSample/Scripts/jquery.validate.js
https://github.com/Humanizr/sample-aspnetmvc/blob/master/MvcSample/Scripts/jquery-1.6.2.min.js
https://github.com/Humanizr/sample-aspnetmvc/blob/master/MvcSample/Scripts/jquery-ui-1.8.11.js
https://github.com/Humanizr/sample-aspnetmvc/blob/master/MvcSample/Scripts/jquery-1.6.2-vsdoc.js
https://github.com/Humanizr/sample-aspnetmvc/blob/master/MvcSample/Scripts/jquery.validate.min.js
https://github.com/Humanizr/sample-aspnetmvc/blob/master/MvcSample/Scripts/jquery-ui-1.8.11.min.js
https://github.com/Humanizr/sample-aspnetmvc/blob/master/MvcSample/Scripts/jquery.validate-vsdoc.js

[omajid]

cc @tmds

[omajid]

cc @leecow @dleeapho

[omajid]

cc @dseefeld

[omajid]

This code is/was included in the version of Humanizr used in source-build: https://github.com/dotnet/source-build/tree/main/src

Anyone using source-build is at risk of violating the license.

[danmoseley]

cc @Pilchie

[richlander]

Ping ...

That license looks super dated, from a very different time. Do we have a newer version of jquery that we could use for this purpose?

[MichaelSimons]

Ping - We are nearing the end of 7.0. Is this something that can get fixed?

[leecow]

@danmoseley - since this is your area now. Can we determine if any outstanding questions are preventing us from fixing this?

[danmoseley]

@rafikiassumani-msft I see MVC -- does your team own this ? what are your thoughts.

[rafikiassumani-msft]

@danmoseley By reading the conversation in the following issue dotnet/aspnetcore#34785, it looks like @mkArtakMSFT has updated the license for .net7. This might have been backported to .net6 as well. There may not be any outstanding issues, however, I will confirm with Artak.

[mkArtakMSFT]

There have been two aspects of this. One was changes in our own repos (aspnet/jquery-validation-unobtrusive#156, aspnet/jquery-validation-unobtrusive#148, dotnet/aspnetcore#43060, dotnet/aspnetcore#42999). The second was specific to this repo, which @ChrisSfanos has taken on to follow up. Seeing no changes here I assume he had concluded that nothing should be done? @ChrisSfanos, can you confirm, please?

//cc @richlander

[ChrisSfanos]

Thanks @mkArtakMSFT - the team agreed that the proper solution is for an end user to swap out a new version of jQuery that carries the desired license and move forward with that package - thanks!

[danmoseley]

@MichaelSimons is the work here you need completed?

[MichaelSimons]

@danmoseley - yes I believe the work here is done. What needs to happen next is that the .NET product repo(s) that reference Humanizer, need to update their reference version to newer/latest Humanizer. I will track down those repos and open issues.

[MichaelSimons]

This issue should be closed now.

[mthalman]

@omajid - What tools and/or process did you use for finding this? I'm trying to figure out how we can have a more automated way to catch things like this.

[omajid]

@mthalman There's an internal service at Red Hat which uses https://github.com/nexB/scancode-toolkit to scan code for license and copyrights.

[mthalman]

I've been playing with that. Is there some trick to get it to detect this particular finding? When I ran it on one of the example files here, all it said in the results was that it was json and mit licenses. Nothing particularly interesting in the results that would indicate anything to investigate closer.

[omajid]

I've been playing with that. Is there some trick to get it to detect this particular finding?

I just tried it out and you are right. scancode doesn't catch this license :(

It looks like I only caught it because of another scanner (falsely) flagged this file as implementing SEED crypto. On reviewing the file for crypto, I must have seen the license header.

Our scanning tool for crypto looks like a hacky/home-brewed solution, and nothing as robust as scancode :(

[omajid]

Could we take the text here and add it to scancode as another license to identify? https://scancode-toolkit.readthedocs.io/en/stable/how-to-guides/add_new_license.html. And fail if this license is found?