Revert "Merge pull request #916 from jebeaudet/spdx-support"

This reverts commit 5a5d4df8ad, reversing
changes made to 67d4f4bd7a.
This commit is contained in:
Kevin Dangoor
2025-05-05 18:43:46 -04:00
parent 5a5d4df8ad
commit a87294d992
4 changed files with 6 additions and 138 deletions
+1 -121
View File
@@ -21,6 +21,7 @@ const npmChange: Change = {
}
]
}
const rubyChange: Change = {
change_type: 'added',
manifest: 'Gemfile.lock',
@@ -100,105 +101,6 @@ beforeEach(async () => {
jest.resetModules()
})
test('it should handle SPDX expressions in allow-list that matches a single license project', async () => {
const change: Change = getChangeWithLicense('MIT')
const changes: Changes = [change]
const {forbidden} = await getInvalidLicenseChanges(changes, {
allow: ['EPL-1.0 OR MIT']
})
expect(forbidden).toStrictEqual([])
})
test('it should handle SPDX expressions in allow-list with operators and a valid triple licensed project', async () => {
const change: Change = getChangeWithLicense(
'EPL-1.0 AND LGPL-2.1 AND LGPL-2.1-only'
)
const changes: Changes = [change]
const {forbidden} = await getInvalidLicenseChanges(changes, {
allow: ['EPL-1.0 AND LGPL-2.1 AND LGPL-2.1-only']
})
expect(forbidden).toStrictEqual([])
})
test('it should handle a valid triple licensed project that does not have a match in the allow-list', async () => {
const change = getChangeWithLicense('EPL-1.0 AND LGPL-2.1 AND LGPL-2.1-only')
const changes: Changes = [change]
const {forbidden} = await getInvalidLicenseChanges(changes, {
allow: ['EPL-1.0', 'LGPL-2.1', 'LGPL-2.1-only']
})
expect(forbidden[0]).toBe(change)
expect(forbidden.length).toEqual(1)
})
test('it should handle license with OR SPDX expression and only match on one license in the allow-list', async () => {
const change = getChangeWithLicense('EPL-1.0 OR LGPL-2.1')
const changes: Changes = [change]
for (const allowedLicense of ['EPL-1.0', 'LGPL-2.1']) {
const {forbidden} = await getInvalidLicenseChanges(changes, {
allow: [allowedLicense]
})
expect(forbidden).toStrictEqual([])
}
})
test('it should handle SPDX expressions in allow-list with operators when license matches', async () => {
const changes: Changes = [
npmChange // MIT license
]
const {forbidden} = await getInvalidLicenseChanges(changes, {
allow: ['MIT OR Apache-2.0', 'MIT', 'BSD-3-Clause']
})
expect(forbidden).toStrictEqual([])
})
test('it should handle SPDX expressions in allow-list with operators when license does not match', async () => {
const changes: Changes = [
npmChange // MIT license
]
const {forbidden} = await getInvalidLicenseChanges(changes, {
allow: ['MIT AND Apache-2.0', 'BSD-3-Clause']
})
expect(forbidden[0]).toBe(npmChange)
expect(forbidden.length).toEqual(1)
})
test('it should handle SPDX expressions in deny-list with operators when license matches deny list entry', async () => {
const changes: Changes = [
npmChange // MIT license
]
const {forbidden} = await getInvalidLicenseChanges(changes, {
deny: ['MIT OR Apache-2.0', 'BSD-3-Clause']
})
expect(forbidden[0]).toBe(npmChange)
expect(forbidden.length).toEqual(1)
})
test('it should handle SPDX expressions in deny-list with operators when license does not match any deny list entry', async () => {
const changes: Changes = [
npmChange // MIT license
]
const {forbidden} = await getInvalidLicenseChanges(changes, {
deny: ['MIT AND Apache-2.0', 'BSD-3-Clause']
})
expect(forbidden).toStrictEqual([])
})
test('it adds license outside the allow list to forbidden changes', async () => {
const changes: Changes = [
npmChange, // MIT license
@@ -362,25 +264,3 @@ describe('GH License API fallback', () => {
expect(unlicensed.length).toEqual(0)
})
})
function getChangeWithLicense(license: string): Change {
return {
manifest: 'pom.xml',
change_type: 'added',
ecosystem: 'maven',
name: 'dummy-library',
version: '1.0.0',
package_url: 'pkg:org.something:sdummy-library@1.0.0',
license,
source_repository_url: 'github.com/some-repo',
scope: 'runtime',
vulnerabilities: [
{
severity: 'critical',
advisory_ghsa_id: 'first-random_string',
advisory_summary: 'very dangerous',
advisory_url: 'github.com/future-funk'
}
]
}
}
Generated Vendored
+2 -8
View File
@@ -435,10 +435,7 @@ function getInvalidLicenseChanges(changes, licenses) {
try {
if (allow !== undefined) {
if (spdx.isValid(license)) {
let found = false;
for (const allowedLicense of allow) {
found || (found = spdx.satisfies(allowedLicense, license));
}
const found = spdx.satisfiesAny(license, allow);
validityCache.set(license, found);
}
else {
@@ -447,10 +444,7 @@ function getInvalidLicenseChanges(changes, licenses) {
}
else if (deny !== undefined) {
if (spdx.isValid(license)) {
let found = false;
for (const deniedLicense of deny) {
found || (found = spdx.satisfies(deniedLicense, license));
}
const found = spdx.satisfiesAny(license, deny);
validityCache.set(license, !found);
}
else {
Generated Vendored
+1 -1
View File
File diff suppressed because one or more lines are too long
+2 -8
View File
@@ -88,20 +88,14 @@ export async function getInvalidLicenseChanges(
try {
if (allow !== undefined) {
if (spdx.isValid(license)) {
let found = false
for (const allowedLicense of allow) {
found ||= spdx.satisfies(allowedLicense, license)
}
const found = spdx.satisfiesAny(license, allow)
validityCache.set(license, found)
} else {
invalidLicenseChanges.unresolved.push(change)
}
} else if (deny !== undefined) {
if (spdx.isValid(license)) {
let found = false
for (const deniedLicense of deny) {
found ||= spdx.satisfies(deniedLicense, license)
}
const found = spdx.satisfiesAny(license, deny)
validityCache.set(license, !found)
} else {
invalidLicenseChanges.unresolved.push(change)