feat(spdx): Allow LicenseRef- exceptions for licenseInfoInFiles
SPDX v2 does not allow using custom (`LicenseRef-`) IDs as exceptions
and an SPDX expression. Whether / how that could be supported in future
is currently being discussed, see [1].

When the SPDX reporter creates an SPDX document containing `LicenseRef-`
exceptions it crashes due to an exception from
`SpdxExpression.validate()`. The only SPDX v2 compliant option for
preventing that crash is to come up with a whole new `LicenseRef-`
license ID which denotes a text containing both the license and the
exception.

As a simple, maybe short-term solution, relax the check so that the
reporter no longer crashes. This violates the SPDX v2 spec, but keeps
the information about the association of the license and the exception.
Users then patch up the license finding using a license finding curation
to assign a dedicated custom license ID.

[1] spdx/change-proposal#4

Signed-off-by: Marcel Bochtler <marcel.bochtler@bosch.com>
MarcelBochtler authored and fviernau committed Aug 22, 2023
1 parent c141107 commit 47e1541
Showing 1 changed file with 4 additions and 1 deletion.
5 changes: 4 additions & 1 deletion utils/spdx/src/main/kotlin/model/SpdxFile.kt
Expand Up @@ -25,6 +25,7 @@ import com.fasterxml.jackson.annotation.JsonProperty

import org.ossreviewtoolkit.utils.spdx.SpdxConstants
import org.ossreviewtoolkit.utils.spdx.SpdxConstants.REF_PREFIX
import org.ossreviewtoolkit.utils.spdx.SpdxExpression
import org.ossreviewtoolkit.utils.spdx.isSpdxExpressionOrNotPresent

/**
Expand Down Expand Up @@ -187,7 +188,9 @@ data class SpdxFile(

// TODO: The check for [licenseInfoInFiles] can be made more strict, but the SPDX specification is not exact
// enough yet to do this safely.
licenseInfoInFiles.filterNot { it.isSpdxExpressionOrNotPresent() }.let {
licenseInfoInFiles.filterNot {
it.isSpdxExpressionOrNotPresent(SpdxExpression.Strictness.ALLOW_LICENSEREF_EXCEPTIONS)
}.let {
require(it.isEmpty()) {
"The entries in licenseInfoInFiles must each be either an SpdxExpression, 'NONE' or 'NOASSERTION', " +
"but found ${it.joinToString()}."