Incorrect detection of license per file

[kikofernandez]

What happened:

I run bom generate -erlang-otp.spdx . over the Erlang/OTP programming language repository.
It generates a source SBOM as expected, but the license included in each *.erl file is not detected correctly.

What you expected to happen:

As an example, the file in otp/lib/stdlib/src/lists.erl starts as follows:

%%
%% %CopyrightBegin%
%%
%% Copyright Ericsson AB 1996-2024. All Rights Reserved.
%%
%% Licensed under the Apache License, Version 2.0 (the "License");
%% you may not use this file except in compliance with the License.
%% You may obtain a copy of the License at
%%
%%     http://www.apache.org/licenses/LICENSE-2.0
%%
%% Unless required by applicable law or agreed to in writing, software
%% distributed under the License is distributed on an "AS IS" BASIS,
%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
%% See the License for the specific language governing permissions and
%% limitations under the License.
%%
%% %CopyrightEnd%
%%

I expected bom to detect the license, but it does not, as follows from the bom output:

Relationship: SPDXRef-Package-otp CONTAINS SPDXRef-File-otp-lib-stdlib-src-pool.erl
FileName: lib/stdlib/src/lists.erl
SPDXID: SPDXRef-File-otp-lib-stdlib-src-lists.erl
FileChecksum: SHA1: ed83acc4dbe57afadfa6fdd9a89bf48b4a949d00
FileChecksum: SHA256: 41e25e2bb15f88ee6f68e90d1d0b9751fac0b3781af0b43682b5b565220c4a20
FileChecksum: SHA512: a52aa62c5acba64562d642f2d628d222d948961ff1f9fb1d37ec9efc90dd76f8621a9574448782f30e7cadbb78a393b7b70fa203586dc53e6160113cf66c08d1
FileType: OTHER
LicenseConcluded: MIT
LicenseInfoInFile: NONE
FileCopyrightText: NOASSERTION

How to reproduce it (as minimally and precisely as possible):

git clone git@github.com:erlang/otp.git
cd otp
bom generate -erlang-otp.spdx .

The file lib/stdlib/src/lists.erl contains a license,
but the generated output does not show that, instead shows MIT and field LicenseInfoInFile: NONE.

Anything else we need to know?:

Thanks for this product.

Environment:

• OS: Ubuntu 22.04.5 LTS
• Kernel: Linux XXX 6.8.0-45-generic #45~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Wed Sep 11 15:25:05 UTC 2 x86_64 GNU/Linux

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle stale
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[kikofernandez]

/remove-lifecycle stale

[deftdawg]

I also didn't have any luck getting bom to detect licenses for anything... Returns MIT for everything 😦

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle stale
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale