Commit Graph

7 Commits

Author SHA1 Message Date
Kevin Dangoor c7565d44ec Fix tests and respond to review feedback 2025-05-06 12:25:30 -04:00
Kevin Dangoor 82299c3bbe Replace OTHER with a LicenseRef
ClearlyDefined uses the string `OTHER` for the declared license when
a human has reviewed `NOASSERTION` text and found it to be a valid
license, but one without an SPDX identifier. `OTHER`, unlike
`NOASSERTION`, is not valid. With this change, when `OTHER` appears
in a license string, we'll replace it with
`LicenseRef-clearlydefined-OTHER`, which _is_ valid and will allow
the expressions to parse.
2025-05-06 11:22:50 -04:00
Kevin Dangoor 3a2b68706a Handle complex licenses (e.g. X AND Y)
There are many packages that are dual-licensed, offering a choice
of licenses (e.g. `MIT OR Apache-2.0`). There are some that include
code from multiple sources and require multiple licenses
(e.g. `MIT AND Apache-2.0`). There are also complex combinations that
can exist for a variety of reasons, such as
`MIT AND (Apache-2.0 OR BSD-3-Clause)`.

The most straightforward approach to handle these is to have an
allow list. As long as the licenses on the allow list can satisfy
the license expression of the package in question, it should pass.

To implement this, I the newest release of spdx-satisfies
which changed the interface to be exactly as described
`satisfies(license, allowList)` (see
https://github.com/jslicense/spdx-satisfies.js/pull/17).

Fixes https://github.com/actions/dependency-review-action/issues/263
2025-05-05 19:06:50 -04:00
Justin Holguín b4ae47ca2c Properly display test failures using jest 2024-06-10 23:07:07 +00:00
Eli Reisman ed624dba72 more SPDX unit tests to illustrate matching behavior 2024-06-10 09:51:01 -07:00
Eli Reisman 2e4eaa490e complete test suite conversions; simplify fn name 2024-06-10 09:51:00 -07:00
Eli Reisman ecd706f525 register spdx lib as ES Module, start converting call sites to use new spdx pkg - TODO: update tests 2024-06-10 09:51:00 -07:00