feat(spdx): Allow LicenseRef- exceptions for licenseInfoInFiles
Currently, there is no syntax for custom exceptions to licenses defined
in the SPDX specification. Whether / how that could be supported in
future is currently being discussed, see [1].

When the SPDX reporter creates an SPDX document containing `LicenseRef-`
exceptions it crashes due to an exception from
`SpdxExpression.validate()`. The only SPDX V2 compliant option for
preventing that crash is to come up with a whole new `LicenseRef-`
license ID which denotes a text containing both the license and the
exception.

As a simple, maybe short-term solution, relax the check so that the
reporter no longer crashes. This violates the SPDX v2 spec, but keeps
the information about the association of the license and the exception.
Users then patch up the license finding using a license finding curation
to assign a dedicated custom license ID.

[1] spdx/change-proposal#4

Signed-off-by: Marcel Bochtler <[email protected]>
MarcelBochtler authored and fviernau committed Aug 23, 2023
1 parent 3475c17 commit aa3959e
Showing 2 changed files with 5 additions and 3 deletions.
3 changes: 2 additions & 1 deletion utils/spdx/src/main/kotlin/model/SpdxFile.kt
Expand Up @@ -25,6 +25,7 @@ import com.fasterxml.jackson.annotation.JsonProperty

import org.ossreviewtoolkit.utils.spdx.SpdxConstants
import org.ossreviewtoolkit.utils.spdx.SpdxConstants.REF_PREFIX
import org.ossreviewtoolkit.utils.spdx.SpdxExpression.Strictness.ALLOW_LICENSEREF_EXCEPTIONS
import org.ossreviewtoolkit.utils.spdx.isSpdxExpressionOrNotPresent

/**
Expand Down Expand Up @@ -187,7 +188,7 @@ data class SpdxFile(

// TODO: The check for [licenseInfoInFiles] can be made more strict, but the SPDX specification is not exact
// enough yet to do this safely.
licenseInfoInFiles.filterNot { it.isSpdxExpressionOrNotPresent() }.let {
licenseInfoInFiles.filterNot { it.isSpdxExpressionOrNotPresent(ALLOW_LICENSEREF_EXCEPTIONS) }.let {
require(it.isEmpty()) {
"The entries in licenseInfoInFiles must each be either an SpdxExpression, 'NONE' or 'NOASSERTION', " +
"but found ${it.joinToString()}."
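Review bot: The TODO directly above the changed `filterNot` call still says the check "can be made more strict", while the new `isSpdxExpressionOrNotPresent(ALLOW_LICENSEREF_EXCEPTIONS)` argument loosens it, and the commit message itself states that this violates the SPDX v2 spec. Please extend the comment to say that `LicenseRef-` exceptions are accepted deliberately as a workaround and reference spdx/change-proposal#4, so the relaxation is not mistaken for an oversight and can be tightened again once the specification settles. The commit changes only the two model files, so a test that builds an `SpdxFile` whose `licenseInfoInFiles` contains a `LicenseRef-` exception would pin the intended behaviour. Since strict SPDX v2 consumers may reject such documents, the message in `require` could also mention that `LicenseRef-` exceptions are tolerated here.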
5 changes: 3 additions & 2 deletions utils/spdx/src/main/kotlin/model/SpdxPackage.kt
Expand Up @@ -23,6 +23,7 @@ import com.fasterxml.jackson.annotation.JsonInclude
import com.fasterxml.jackson.annotation.JsonProperty

import org.ossreviewtoolkit.utils.spdx.SpdxConstants
import org.ossreviewtoolkit.utils.spdx.SpdxExpression.Strictness.ALLOW_LICENSEREF_EXCEPTIONS
import org.ossreviewtoolkit.utils.spdx.isSpdxExpressionOrNotPresent

/**
Expand Down Expand Up @@ -218,10 +219,10 @@ data class SpdxPackage(

// TODO: The check for [licenseInfoFromFiles] can be made more strict, but the SPDX specification is not exact
// enough yet to do this safely.
licenseInfoFromFiles.filterNot { it.isSpdxExpressionOrNotPresent() }.let {
licenseInfoFromFiles.filterNot { it.isSpdxExpressionOrNotPresent(ALLOW_LICENSEREF_EXCEPTIONS) }.let {
require(it.isEmpty()) {
"The entries in licenseInfoFromFiles must each be either an SpdxExpression, 'NONE' or 'NOASSERTION', " +
"but found ${it.joinToString()}."
"but found ${it.joinToString()}."
}
}
}
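Review bot: The commit subject names only `licenseInfoInFiles`, but the `filterNot` line in this hunk relaxes the `licenseInfoFromFiles` check in `SpdxPackage` as well; name both fields in the subject or body so the full scope of the spec deviation is visible from the log. The second changed line, `"but found ${it.joinToString()}."`, looks like a whitespace-only change unrelated to the feature and would be better placed in a separate formatting commit. As in `SpdxFile`, the TODO about making the check "more strict" should note that `ALLOW_LICENSEREF_EXCEPTIONS` is an intentional relaxation, and a test covering a package with a `LicenseRef-` exception in `licenseInfoFromFiles` is missing from the change.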