Skip to content

Discard allow list entries that are not SPDX IDs #932

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
May 13, 2025
Merged

Discard allow list entries that are not SPDX IDs #932

merged 1 commit into from
May 13, 2025

Conversation

@dangoor
Copy link
Contributor

@dangoor dangoor commented May 12, 2025

Purpose

The allow-licenses list is expected (and documented) to be a list of
SPDX license IDs (LicenseRefs are also valid). If someone puts an
expression in the list (e.g. "GPL-3.0-only OR MIT"), it should be
discarded so that the whole list does not become invalid.

Related Issues

Closes #907
@dangoor
Discard allow list entries that are not SPDX IDs
6e9307a 
The allow-licenses list is expected (and documented) to be a list of
SPDX license IDs (LicenseRefs are also valid). If someone puts an
expression in the list (e.g. "GPL-3.0-only OR MIT"), it should be
discarded so that the whole list does not become invalid.

Fixes #907
Copilot AI review requested due to automatic review settings May 12, 2025 23:01
@dangoor dangoor requested a review from a team as a code owner May 12, 2025 23:01
Copilot AI reviewed May 12, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR ensures that the allow list only contains simple SPDX IDs by discarding SPDX expressions with logical operators.

  • Filter out allow-list entries containing AND or OR
  • Preserve deny logic unchanged
  • Add a test to verify that expressions in the allow list do not trigger forbidden changes

Reviewed Changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

File Description
src/licenses.ts Filter out AND/OR expressions from the allow list
tests/licenses.test.ts Add test confirming expressions are ignored
Comments suppressed due to low confidence (2)

tests/licenses.test.ts:293

  • [nitpick] The test name is ambiguous about the behavior. Rename it to something like 'ignores license expressions in the allow list' to clearly state the intended outcome.
test('it does not fail if there is a license expression in the allow list', async () => {

tests/licenses.test.ts:293

  • Add a test case for entries containing 'WITH' (e.g., 'GPL-2.0-only WITH Classpath-exception-2.0') to ensure all non-simple SPDX expressions are filtered out.
test('it does not fail if there is a license expression in the allow list', async () => {
src/licenses.ts
// or OR because the list should be simple license IDs and
// not expressions.
allow = allow?.filter(license => {
return !license.includes(' AND ') && !license.includes(' OR ')
Copy link

Copilot AI May 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The filter only excludes 'AND' and 'OR' expressions but ignores other expression syntax like 'WITH' or parentheses. Consider using a stricter check (e.g., a regex for simple IDs or spdx.isValid on each entry) to discard all non-simple SPDX IDs.

Suggested change
return !license.includes(' AND ') && !license.includes(' OR ')
return spdx.isValid(license)
Copilot uses AI. Check for mistakes.
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure if the library we're using supports WITH, but technically WITH does not represent a complex expression but rather a single license with an exception (eg GPL-2.0 WITH Classpath). It's better to potentially allow WITH.

I don't think Copilot's suggestion above works because spdx.isValid will allow license expressions and not just IDs.
@dangoor dangoor merged commit d8f2df2 into main May 13, 2025
6 checks passed
@dangoor dangoor deleted the 907-disallow-expression branch May 13, 2025 14:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

3 participants

@dangoor @ljones140