1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
#!/usr/bin/env python3
"""Filter known false positives from FOSSA test JSON output.
Exit 0 if all issues are documented false positives.
Exit 1 if any genuine issues remain after filtering.
Documented false positives
--------------------------
1. cc, compiler_builtins, wasi (and other Rust compiler infrastructure)
apache-2.0 WITH llvm-exception
The LLVM exception explicitly permits compiling code with these
crates without the Apache-2.0 license applying to the compiled
output. Standard Rust compiler infrastructure; affects every Rust
project. FOSSA flags the "WITH llvm-exception" clause as an
unrecognized license modifier.
2. r-efi LGPL-2.1-or-later
Pure UEFI type definitions (data structures, no executable code).
Pulled in transitively via std on some targets; not linked into the
user binary in any meaningful way.
3. ring openssl-ssleay
ring is ISC-licensed. The OpenSSL-SSLeay marker comes from historical
OpenSSL-derived assembly code that ring inherited. The SSLeay license
is permissive (BSD-style) and compatible with MIT/Apache-2.0 projects.
Pulled in transitively via rustls for TLS support.
4. aws-lc-sys GPL-1.0-only / GPL-1.0-or-later
aws-lc-sys wraps AWS-LC which is Apache-2.0 + ISC licensed. FOSSA
flags GPL because the source tarball includes GPL-licensed test vectors
from OpenSSL. These test files are not compiled into the binary.
Pulled in transitively via rustls/aws-lc-rs for TLS support.
5. security-framework APSL-2.0
security-framework is MIT/Apache-2.0 licensed Rust bindings to Apple's
Security.framework. FOSSA flags APSL-2.0 because the underlying macOS
system library is Apple-licensed, but the crate itself does not bundle
Apple code; it links to the system library at runtime. This is standard
for any Rust crate using native macOS APIs. Pulled in transitively via
rustls-platform-verifier for TLS certificate verification.
"""
# Crates with "apache-2.0 WITH llvm-exception" that FOSSA cannot parse.
# The LLVM exception permits compilation without license propagation.
=
# License IDs that FOSSA uses for the LLVM exception variant.
=
"""Return True if the (package, license, type) tuple is a documented false positive."""
# Rust compiler infrastructure: apache-2.0 WITH llvm-exception
return True
# r-efi: pure type definitions, transitively pulled by std
return True
# ring: ISC-licensed; SSLeay marker from historical OpenSSL assembly
return True
# aws-lc-sys: Apache-2.0/ISC; GPL flags from test vectors in source tarball
return True
# security-framework: MIT/Apache-2.0 bindings; APSL-2.0 is the system library
return True
return False
"""Extract the package name from a FOSSA issue.
FOSSA uses 'revisionId' with format 'cargo+cc$1.0.106'.
Strip the ecosystem prefix and version suffix to get the crate name.
Falls back to 'package' or 'name' fields if revisionId is missing.
"""
=
# Strip ecosystem prefix (e.g., "cargo+", "go+")
=
# Strip version suffix (e.g., "$1.0.106")
=
return
return or or
return 2
=
# fossa test --format json may return a list or an object with an issues key
=
=
=
=
= 0
=
= or or
= or or
+= 1
continue
=
= or
= or
return 1
return 0