Hacker News

This gives me severe flashbacks to clueless clients/PMs. We had projects we had to run through Black Duck -- "No open source code."

The reference implementation of the Mersenne Twister was once GPL, although it wasn't anymore at that time. Still, there are only so many ways you can implement a Mersenne Twister. So my implementation got flagged.



Worst thing is sometimes getting 30 different projects with the same snippet of code, but the code was written by none of them; it was simply copied from Stack Overflow and then applied by each developer to their code.

Have you had a chance to try out the report?

If you are scanning open source, there is a trick to ignore matches from the repository the code comes from.

Just create a file called "ignore.txt" inside the samples folder and in that file include the keywords that blacklist positive matches. For example, if scanning the "Adblock Plus" code then add "adblockplus" as a keyword in the ignore.txt file and no matches from repositories containing "adblockplus" in their URL will be listed.

Works well for discovering which parts of an already open source project are not really original.


Why did you need to write an implementation of Mersenne Twister?


"No open source code."


Yeah, we got that. But why did you need a Mersenne Twister?


My understanding is that Mersenne Twister is kind of a gold standard for non-cryptographic PRNGs. Linear congruential generators are known to be rather poor, and only ideal where speed is critical and the quality doesn't matter.
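As an added example (not code from the thread or from any poster), here is a compact MT19937 in Python that follows the reference constants and is checked against the reference default seed 5489. It also includes the untempering step that recovers the whole 624-word state from 624 consecutive outputs, which is the concrete reason the generator is "non-cryptographic" however good its statistical quality. The victim seed and the alignment assumption (outputs observed from a freshly seeded generator, so the 624 values fall on a twist boundary) are constructed for this example.

```python
# Added example, not from the thread: MT19937 per the reference constants,
# plus state recovery from 624 outputs. Seeds and sample values are constructed.

MASK32 = 0xFFFFFFFF
N, M = 624, 397
MATRIX_A = 0x9908B0DF
UPPER, LOWER = 0x80000000, 0x7FFFFFFF
# Tempering parameters (u, s/b, t/c, l) from the reference implementation.
T_U, T_S, T_B, T_T, T_C, T_L = 11, 7, 0x9D2C5680, 15, 0xEFC60000, 18


def temper(y: int) -> int:
    """Output tempering applied to each state word before it is returned."""
    y ^= y >> T_U
    y ^= (y << T_S) & T_B
    y ^= (y << T_T) & T_C
    y ^= y >> T_L
    return y & MASK32


class MT19937:
    """MT19937 with init_genrand seeding; 5489 is the reference default seed."""

    def __init__(self, seed: int = 5489):
        self.mt = [0] * N
        self.mt[0] = seed & MASK32
        for i in range(1, N):
            prev = self.mt[i - 1]
            self.mt[i] = (1812433253 * (prev ^ (prev >> 30)) + i) & MASK32
        self.index = N  # force a twist before the first output

    def _twist(self) -> None:
        """Regenerate all 624 state words in place (the 'twist' step)."""
        for i in range(N):
            y = (self.mt[i] & UPPER) | (self.mt[(i + 1) % N] & LOWER)
            self.mt[i] = self.mt[(i + M) % N] ^ (y >> 1)
            if y & 1:
                self.mt[i] ^= MATRIX_A

    def extract(self) -> int:
        """Return the next 32-bit output."""
        if self.index >= N:
            self._twist()
            self.index = 0
        y = self.mt[self.index]
        self.index += 1
        return temper(y)


# Why it is not a CSPRNG: tempering is a bijection, so every output leaks one
# state word, and 624 consecutive outputs give away the entire state.

def _undo_right_xor(y: int, shift: int) -> int:
    x = y
    for _ in range(32 // shift + 1):  # converges to a fixed point
        x = y ^ (x >> shift)
    return x & MASK32


def _undo_left_xor_mask(y: int, shift: int, mask: int) -> int:
    x = y
    for _ in range(32 // shift + 1):  # converges to a fixed point
        x = y ^ ((x << shift) & mask)
    return x & MASK32


def untemper(y: int) -> int:
    """Inverse of temper(): recover the state word from one output."""
    y = _undo_right_xor(y, T_L)
    y = _undo_left_xor_mask(y, T_T, T_C)
    y = _undo_left_xor_mask(y, T_S, T_B)
    y = _undo_right_xor(y, T_U)
    return y


def clone_from_outputs(outputs: list) -> MT19937:
    """Rebuild a generator from 624 outputs observed at a twist boundary
    (assumption for this example: the first 624 outputs of a fresh generator).
    The clone then predicts every later output of the victim."""
    if len(outputs) != N:
        raise ValueError("need exactly 624 consecutive outputs")
    clone = MT19937.__new__(MT19937)
    clone.mt = [untemper(o) for o in outputs]
    clone.index = N  # next call twists, exactly as the victim will
    return clone


def first_outputs(seed: int, count: int) -> list:
    rng = MT19937(seed)
    return [rng.extract() for _ in range(count)]


def nth_output(seed: int, n: int) -> int:
    """The n-th output (1-based) for a seed; n=10000 is a reference check value."""
    rng = MT19937(seed)
    for _ in range(n - 1):
        rng.extract()
    return rng.extract()


if __name__ == "__main__":
    print(first_outputs(5489, 1))  # reference value for the default seed
    victim = MT19937(20240101)     # constructed seed, unknown to the "attacker"
    seen = [victim.extract() for _ in range(N)]
    clone = clone_from_outputs(seen)
    print(all(clone.extract() == victim.extract() for _ in range(1000)))
```

The first output for seed 5489 and the 10,000th output of a default-seeded generator are the two values the C++ standard pins down for std::mt19937, so they make a handy conformance check for any hand-written port like the one in the thread. The cloning half is the practitioner's caveat: anything that derives session tokens, password reset codes or nonces from a Mersenne Twister is predictable after one block of observed outputs; use the platform CSPRNG (os.urandom / the secrets module in Python) for those.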



