Exclude binary license files to prevent reporter hang

[Juli0q]

Binary license files are now detected and excluded during license info resolution. In previous cases, such files caused the reporter to enter an endless loop during report generation, as the archiver attempted to include the binary content in the report.

To verify this behavior, a test file named LICENSE-BIN is added to archive.zip. It contains 4 arbitrary bytes created with a hex editor to simulate a non-text license file.

Apache Tika is introduced to detect MIME types and distinguish between text and non-text files. This ensures that only valid, readable license files are processed and included in the final report.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 56.66%. Comparing base (0c6934d) to head (bbcceb9).
Report is 4 commits behind head on main.

Additional details and impacted files

@@             Coverage Diff              @@
##               main   #10109      +/-   ##
============================================
+ Coverage     56.65%   56.66%   +0.01%     
- Complexity     1615     1619       +4     
============================================
  Files           332      332              
  Lines         12277    12281       +4     
  Branches       1138     1139       +1     
============================================
+ Hits           6955     6959       +4     
  Misses         4877     4877              
  Partials        445      445              

Flag	Coverage Δ
funTest-docker	70.89% <ø> (ø)
funTest-non-docker	33.56% <0.00%> (+0.14%)	⬆️
test-ubuntu-24.04	40.62% <100.00%> (+0.02%)	⬆️
test-windows-2022	40.60% <100.00%> (+0.02%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[fviernau]

Mind elaborating on the use case for that? The original use case for these archives was to maintain original license texts for using them in attribution documents. Binary files do not play a role there.

To allow having a feature toggle for the filtering, for the reasons I outlined above. And also if there is a bug in the isBinaryFile() heuristic, it can be more easily fixed.

[sschuberth]

Mind elaborating on the use case for that? The original use case for these archives was to maintain original license texts for using them in attribution documents. Binary files do not play a role there.

To allow having a feature toggle for the filtering, for the reasons I outlined above.

But why implement a feature toggle to begin with? Why ever maintaining binary files as part of the license file archive?

[mnonnenmacher]

I would also prefer to not include license files in the archives at all, even if there is a certain risk that the detection might fail in some cases. That's also missing in this PR, IIUC it currently only throws an exception if an archive already contains a binary file which I guess means that the report will not be created at all. But there is no way to recover from that, because even when the archive file is deleted it will be recreated with the same input an contain a binary file again.

[sschuberth]

Outcomes from today's core dev meeting:

• Binary files should be filtered out before creation of the archive
  • Probably at least log filtered out files
• Implement tests for the binary check
  • Verify correct behavior for UTF8 / UTF16 encoded text files, e.g. with Asian characters
  • Verify that all of ScanCode's license text files are recognized as text
• Revisit the need for Apache Tika; maybe just implement a context-based check ourselves instead

[oheger-bosch]

My points have been addressed, but I would leave the approval to the guys who have been deeper involved in this topic.

[sschuberth]

I'm basically ok with introducing Tika as a dependency now, as I've checked that the library is not huge, and we mostly already use its transitive dependencies elsewhere.

[sschuberth]

Just two final nits.

Comments addressed.

[sschuberth]

Looks like this does not work as expected. Can you have a look at that thread in Slack, @Juli0q?