Hi, we have 4 dependency packages being upgraded which are using extensive dual licensing. I have recently updated my config file to accommodate the flagged license identifiers as well. Still, we are getting "Invalid SPDX license" for all of them.
| Package | Version | License | Issue Type |
|---|---|---|---|
| jmespath | 0.16.0 | Apache-2.0 AND MIT | Invalid SPDX License |
| pako | 1.0.11 | MIT AND Zlib | Invalid SPDX License |
| sprintf-js | 1.0.3 | BSD-3-Clause AND BSD-3-Clause-Clear | Invalid SPDX License |
| stream-buffers | 3.0.3 | Unlicense | Invalid SPDX License |
My dependency review workflow looks like this:

```yaml
- name: 'Dependency Review'
  uses: actions/dependency-review-action@v3
  with:
    config-file: 'security-config/dependency-review-config.yml'
```
My config file has these licenses already allowed:

```yaml
Allowed Licenses:
  - BSD-2-Clause
  - BSD-3-Clause
  - MIT
  - Apache-2.0
  - PSF-2.0
  - ISC
  - HPND
  - CC0-1.0
  - 0BSD
  - PSF-2.0
  - Python-2.0
  - WTFPL
  - LGPL-3.0
  - Apache-2.0 and MIT
  - MIT AND Zlib
  - BSD-3-Clause AND BSD-3-Clause-Clear
  - Unlicense
```
Additionally, I also checked the license identifiers using the license-expression validator, but it found no issues with any of the identifiers.
Please provide a prompt reason for the failure, as the dependency review workflow is not helping us in resolving this at all.
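Added example, not code from the dependency-review-action or from the issue author: a small evaluator showing how an allow list of plain SPDX identifiers is normally matched against compound expressions like the ones in the table above (AND requires every operand, OR any one), so the allow list needs the individual identifiers rather than compound entries. `ALLOWED` is a constructed subset of the identifiers from the config above, and `parse`, `satisfies` and `missing` are this example's own names.

```javascript
// Added example, not the dependency-review-action's own code: a minimal SPDX
// expression evaluator. AND needs every operand allowed, OR needs any one; these
// are the usual semantics (as in the spdx-satisfies package). Grammar:
// or := and ('OR' and)* ; and := atom ('AND' atom)* ; atom := '(' or ')' | ID.
// Operators match case-insensitively here, more lenient than strict SPDX.
function parse(expr) {
  const toks = expr.match(/\(|\)|[A-Za-z0-9.+-]+/g) || [];
  let i = 0;
  const isOp = (t, op) => t !== undefined && t.toUpperCase() === op;
  function atom() {
    const t = toks[i++];
    if (t === undefined) throw new Error('unexpected end of expression');
    if (t === '(') {
      const inner = or();
      if (toks[i++] !== ')') throw new Error('missing closing parenthesis');
      return inner;
    }
    if (t === ')' || isOp(t, 'AND') || isOp(t, 'OR')) throw new Error(`unexpected token ${t}`);
    return { id: t }; // a plain license identifier leaf
  }
  function and() {
    let node = atom();
    while (isOp(toks[i], 'AND')) { i += 1; node = { op: 'AND', left: node, right: atom() }; }
    return node;
  }
  function or() {
    let node = and();
    while (isOp(toks[i], 'OR')) { i += 1; node = { op: 'OR', left: node, right: and() }; }
    return node;
  }
  const tree = or();
  if (i !== toks.length) throw new Error(`trailing token ${toks[i]}`);
  return tree;
}
// True when the expression is satisfied by an allow list of plain identifiers
// (compared case-insensitively, as SPDX short identifiers are).
function satisfies(expr, allowed) {
  const allow = new Set(allowed.map((s) => s.toUpperCase()));
  const ok = (n) => n.op === 'AND' ? ok(n.left) && ok(n.right)
    : n.op === 'OR' ? ok(n.left) || ok(n.right) : allow.has(n.id.toUpperCase());
  return ok(parse(expr));
}
// Leaf identifiers the allow list lacks: for an AND expression, what to add.
function missing(expr, allowed) {
  const allow = new Set(allowed.map((s) => s.toUpperCase()));
  const walk = (n) => n.op ? [...walk(n.left), ...walk(n.right)]
    : allow.has(n.id.toUpperCase()) ? [] : [n.id];
  return walk(parse(expr));
}
// Constructed sample: plain identifiers taken from the config in the issue.
const ALLOWED = ['BSD-2-Clause', 'BSD-3-Clause', 'MIT', 'Apache-2.0', 'Unlicense'];
```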