Compare commits

...

7 Commits

Author SHA1 Message Date
Eli Reisman 310ae5f6ae npm run package 2024-06-06 14:34:59 -07:00
Eli Reisman 4fabda986c more SPDX unit tests to illustrate matching behavior 2024-06-06 14:34:55 -07:00
Eli Reisman dfbe08e4d2 update licenses pkg and tests 2024-06-05 23:38:18 -07:00
Eli Reisman 3fc792b939 complete test suite conversions; simplify fn name 2024-06-05 23:38:18 -07:00
Eli Reisman 748dfadbc3 register spdx lib as ES Module, start converting call sites to use new spdx pkg - TODO: update tests 2024-06-05 23:38:18 -07:00
Eli Reisman a97084db22 move jest to dev dependencies 2024-06-05 23:38:14 -07:00
Eli Reisman e7ebeffdf9 add @onebeyond/spdx-license-satisfies to DR Action project 2024-06-05 16:43:46 -07:00
17 changed files with 883 additions and 298 deletions
+8 -16
View File
@@ -1,13 +1,9 @@
import {expect, test, beforeEach} from '@jest/globals'
import {readConfig} from '../src/config'
import {getRefs} from '../src/git-refs'
import * as Utils from '../src/utils'
import * as spdx from '../src/spdx'
import {setInput, clearInputs} from './test-helpers'
beforeAll(() => {
jest.spyOn(Utils, 'isSPDXValid').mockReturnValue(true)
})
beforeEach(() => {
clearInputs()
})
@@ -19,11 +15,11 @@ test('it defaults to low severity', async () => {
test('it reads custom configs', async () => {
setInput('fail-on-severity', 'critical')
setInput('allow-licenses', ' BSD, GPL 2')
setInput('allow-licenses', 'ISC, GPL-2.0')
const config = await readConfig()
expect(config.fail_on_severity).toEqual('critical')
expect(config.allow_licenses).toEqual(['BSD', 'GPL 2'])
expect(config.allow_licenses).toEqual(['ISC', 'GPL-2.0'])
})
test('it defaults to false for warn-only', async () => {
@@ -40,7 +36,7 @@ test('it defaults to empty allow/deny lists ', async () => {
test('it raises an error if both an allow and denylist are specified', async () => {
setInput('allow-licenses', 'MIT')
setInput('deny-licenses', 'BSD')
setInput('deny-licenses', 'BSD-3-Clause')
await expect(readConfig()).rejects.toThrow(
'You cannot specify both allow-licenses and deny-licenses'
@@ -204,21 +200,17 @@ test('it is not possible to disable both checks', async () => {
})
describe('licenses that are not valid SPDX licenses', () => {
beforeAll(() => {
jest.spyOn(Utils, 'isSPDXValid').mockReturnValue(false)
})
test('it raises an error for invalid licenses in allow-licenses', async () => {
setInput('allow-licenses', ' BSD, GPL 2')
setInput('allow-licenses', ' BSD-YOLO, GPL-2.0')
await expect(readConfig()).rejects.toThrow(
'Invalid license(s) in allow-licenses: BSD,GPL 2'
'Invalid license(s) in allow-licenses: BSD-YOLO'
)
})
test('it raises an error for invalid licenses in deny-licenses', async () => {
setInput('deny-licenses', ' BSD, GPL 2')
setInput('deny-licenses', ' GPL-2.0, BSD-YOLO, Apache-2.0, ToIll')
await expect(readConfig()).rejects.toThrow(
'Invalid license(s) in deny-licenses: BSD,GPL 2'
'Invalid license(s) in deny-licenses: BSD-YOLO, ToIll'
)
})
})
-5
View File
@@ -33,11 +33,6 @@ jest.mock('octokit', () => {
beforeEach(async () => {
jest.resetModules()
jest.doMock('spdx-satisfies', () => {
// mock spdx-satisfies return value
// true for BSD, false for all others
return jest.fn((license: string, _: string): boolean => license === 'BSD')
})
npmChange = createTestChange({ecosystem: 'npm'})
rubyChange = createTestChange({ecosystem: 'rubygems'})
+2 -6
View File
@@ -1,6 +1,6 @@
import {expect, test, beforeEach} from '@jest/globals'
import {readConfig} from '../src/config'
import * as Utils from '../src/utils'
import * as spdx from '../src/spdx'
import {setInput, clearInputs} from './test-helpers'
const externalConfig = `fail_on_severity: 'high'
@@ -25,10 +25,6 @@ jest.mock('octokit', () => {
}
})
beforeAll(() => {
jest.spyOn(Utils, 'isSPDXValid').mockReturnValue(true)
})
beforeEach(() => {
clearInputs()
})
@@ -38,7 +34,7 @@ test('it reads an external config file', async () => {
const config = await readConfig()
expect(config.fail_on_severity).toEqual('critical')
expect(config.allow_licenses).toEqual(['BSD', 'GPL 2'])
expect(config.allow_licenses).toEqual(['BSD-3-Clause', 'GPL-2.0'])
})
test('raises an error when the config file was not found', async () => {
+2 -2
View File
@@ -1,4 +1,4 @@
fail_on_severity: critical
allow_licenses:
- 'BSD'
- 'GPL 2'
- 'BSD-3-Clause'
- 'GPL-2.0'
+29 -30
View File
@@ -1,7 +1,6 @@
import {expect, jest, test} from '@jest/globals'
import {Change, Changes} from '../src/schemas'
let getInvalidLicenseChanges: Function
import {getInvalidLicenseChanges} from '../src/licenses'
const npmChange: Change = {
manifest: 'package.json',
@@ -30,7 +29,7 @@ const rubyChange: Change = {
name: 'actionsomething',
version: '3.2.0',
package_url: 'pkg:gem/actionsomething@3.2.0',
license: 'BSD',
license: 'BSD-3-Clause',
source_repository_url: 'github.com/some-repo',
scope: 'runtime',
vulnerabilities: [
@@ -100,29 +99,32 @@ jest.mock('octokit', () => {
beforeEach(async () => {
jest.resetModules()
jest.doMock('spdx-satisfies', () => {
// mock spdx-satisfies return value
// true for BSD, false for all others
return jest.fn((license: string, _: string): boolean => license === 'BSD')
})
// eslint-disable-next-line @typescript-eslint/no-require-imports
;({getInvalidLicenseChanges} = require('../src/licenses'))
})
test('it adds license outside the allow list to forbidden changes', async () => {
const changes: Changes = [npmChange, rubyChange]
const changes: Changes = [
npmChange, // MIT license
rubyChange // BSD license
]
const {forbidden} = await getInvalidLicenseChanges(changes, {
allow: ['BSD']
allow: ['BSD-3-Clause']
})
expect(forbidden[0]).toBe(npmChange)
expect(forbidden.length).toEqual(1)
})
test('it adds license inside the deny list to forbidden changes', async () => {
const changes: Changes = [npmChange, rubyChange]
const changes: Changes = [
npmChange, // MIT license
rubyChange // BSD license
]
const {forbidden} = await getInvalidLicenseChanges(changes, {
deny: ['BSD']
deny: ['BSD-3-Clause']
})
expect(forbidden[0]).toBe(rubyChange)
expect(forbidden.length).toEqual(1)
})
@@ -133,7 +135,7 @@ test('it does not add license outside the allow list to forbidden changes if it
{...rubyChange, change_type: 'removed'}
]
const {forbidden} = await getInvalidLicenseChanges(changes, {
allow: ['BSD']
allow: ['BSD-3-Clause']
})
expect(forbidden).toStrictEqual([])
})
@@ -144,7 +146,7 @@ test('it does not add license inside the deny list to forbidden changes if it is
{...rubyChange, change_type: 'removed'}
]
const {forbidden} = await getInvalidLicenseChanges(changes, {
deny: ['BSD']
deny: ['BSD-3-Clause']
})
expect(forbidden).toStrictEqual([])
})
@@ -156,23 +158,18 @@ test('it adds license outside the allow list to forbidden changes if it is in bo
{...rubyChange, change_type: 'removed'}
]
const {forbidden} = await getInvalidLicenseChanges(changes, {
allow: ['BSD']
allow: ['BSD-3-Clause']
})
expect(forbidden).toStrictEqual([npmChange])
})
test('it adds all licenses to unresolved if it is unable to determine the validity', async () => {
jest.resetModules() // reset module set in before
jest.doMock('spdx-satisfies', () => {
return jest.fn((_first: string, _second: string) => {
throw new Error('Some Error')
})
})
// eslint-disable-next-line @typescript-eslint/no-require-imports
;({getInvalidLicenseChanges} = require('../src/licenses'))
const changes: Changes = [npmChange, rubyChange]
const changes: Changes = [
{...npmChange, license: 'Foo'},
{...rubyChange, license: 'Bar'}
]
const invalidLicenses = await getInvalidLicenseChanges(changes, {
allow: ['BSD']
allow: ['Apache-2.0']
})
expect(invalidLicenses.forbidden.length).toEqual(0)
expect(invalidLicenses.unlicensed.length).toEqual(0)
@@ -182,7 +179,7 @@ test('it adds all licenses to unresolved if it is unable to determine the validi
test('it does not filter out changes that are on the exclusions list', async () => {
const changes: Changes = [pipChange, npmChange, rubyChange]
const licensesConfig = {
allow: ['BSD'],
allow: ['BSD-3-Clause'],
licenseExclusions: ['pkg:pypi/package-1@1.1.1', 'pkg:npm/reeuhq@1.0.2']
}
const invalidLicenses = await getInvalidLicenseChanges(
@@ -198,7 +195,7 @@ test('it does not fail when the packages dont have a valid PURL', async () => {
const changes: Changes = [emptyPurlChange, npmChange, rubyChange]
const licensesConfig = {
allow: ['BSD'],
allow: ['BSD-3-Clause'],
licenseExclusions: ['pkg:pypi/package-1@1.1.1', 'pkg:npm/reeuhq@1.0.2']
}
@@ -212,16 +209,18 @@ test('it does not fail when the packages dont have a valid PURL', async () => {
test('it does filters out changes if they are not on the exclusions list', async () => {
const changes: Changes = [pipChange, npmChange, rubyChange]
const licensesConfig = {
allow: ['BSD'],
allow: ['BSD-3-Clause'],
licenseExclusions: [
'pkg:pypi/notmypackage-1@1.1.1',
'pkg:npm/alsonot@1.0.2'
]
}
const invalidLicenses = await getInvalidLicenseChanges(
changes,
licensesConfig
)
expect(invalidLicenses.forbidden.length).toEqual(2)
expect(invalidLicenses.forbidden[0]).toBe(pipChange)
expect(invalidLicenses.forbidden[1]).toBe(npmChange)
+267
View File
@@ -0,0 +1,267 @@
import {expect, test} from '@jest/globals'
import * as spdx from '../src/spdx'
test('satisfiesAny', () => {
const units = [
{
candidate: 'MIT',
licenses: ['MIT'],
expected: true
},
{
candidate: 'MIT OR Apache-2.0',
licenses: ['MIT', 'Apache-2.0'],
expected: true
},
{
candidate: '(MIT AND ISC) OR Apache-2.0',
licenses: ['MIT', 'Apache-2.0'],
expected: true
},
{
candidate: 'MIT AND Apache-2.0',
licenses: ['MIT', 'Apache-2.0'],
expected: false
},
{
candidate: 'MIT AND BSD-3-Clause',
licenses: ['MIT', 'Apache-2.0'],
expected: false
},
// missing params, case sensitivity, syntax problems,
// or unknown licenses will return 'false'
{
candidate: 'MIT OR',
licenses: ['MIT', 'Apache-2.0'],
expected: false
},
{
candidate: '',
licenses: ['MIT', 'Apache-2.0'],
expected: false
},
{
candidate: 'MIT OR (Apache-2.0 AND ISC)',
licenses: [],
expected: false
},
{
candidate: 'MIT AND (ISC',
licenses: ['MIT', 'Apache-2.0'],
expected: false
},
{
candidate: 'MIT OR ISC',
licenses: ['MiT'],
expected: false
}
]
for (const unit of units) {
let got: boolean = spdx.satisfiesAny(unit.candidate, unit.licenses)
if (got != unit.expected) {
console.log(
`failing unit test inputs: candidate(${unit.candidate}) licenses(${unit.licenses})`
)
}
expect(got).toBe(unit.expected)
}
})
test('satisfiesAll', () => {
const units = [
{
candidate: 'MIT',
licenses: ['MIT'],
expected: true
},
{
candidate: 'Apache-2.0',
licenses: ['MIT', 'ISC', 'Apache-2.0'],
expected: false
},
{
candidate: 'MIT AND Apache-2.0',
licenses: ['MIT', 'Apache-2.0'],
expected: true
},
{
candidate: '(MIT OR ISC) AND Apache-2.0',
licenses: ['MIT', 'Apache-2.0'],
expected: true
},
{
candidate: 'MIT OR BSD-3-Clause',
licenses: ['MIT', 'Apache-2.0'],
expected: false
},
{
candidate: 'BSD-3-Clause OR ISC',
licenses: ['MIT', 'Apache-2.0'],
expected: false
},
{
candidate: '(MIT AND ISC) OR Apache-2.0',
licenses: ['MIT', 'ISC'],
expected: true
},
// missing params, case sensitivity, syntax problems,
// or unknown licenses will return 'false'
{
candidate: 'MIT OR',
licenses: ['MIT', 'Apache-2.0'],
expected: false
},
{
candidate: '',
licenses: ['MIT', 'Apache-2.0'],
expected: false
},
{
candidate: 'MIT OR (Apache-2.0 AND ISC)',
licenses: [],
expected: false
},
{
candidate: 'MIT AND (ISC',
licenses: ['MIT', 'Apache-2.0'],
expected: false
},
{
candidate: 'MIT OR ISC',
licenses: ['MiT'],
expected: false
}
]
for (const unit of units) {
let got: boolean = spdx.satisfiesAll(unit.candidate, unit.licenses)
if (got != unit.expected) {
console.log(
`failing unit test inputs: candidate(${unit.candidate}) licenses(${unit.licenses})`
)
}
expect(got).toBe(unit.expected)
}
})
test('satisfies', () => {
const units = [
{
candidate: 'MIT',
constraint: 'MIT',
expected: true
},
{
candidate: 'Apache-2.0',
constraint: 'MIT',
expected: false
},
{
candidate: 'MIT OR Apache-2.0',
constraint: 'MIT',
expected: true
},
{
candidate: 'MIT OR Apache-2.0',
constraint: 'Apache-2.0',
expected: true
},
{
candidate: 'MIT OR Apache-2.0',
constraint: 'BSD-3-Clause',
expected: false
},
{
candidate: 'MIT OR Apache-2.0',
constraint: 'Apache-2.0 OR BSD-3-Clause',
expected: true
},
{
candidate: 'MIT AND Apache-2.0',
constraint: 'MIT AND Apache-2.0',
expected: true
},
{
candidate: 'MIT OR Apache-2.0',
constraint: 'MIT AND Apache-2.0',
expected: false
},
{
candidate: 'ISC OR (MIT AND Apache-2.0)',
constraint: 'MIT AND Apache-2.0',
expected: true
},
// missing params, case sensitivity, syntax problems,
// or unknown licenses will return 'false'
{
candidate: 'MIT',
constraint: 'MiT',
expected: false
},
{
candidate: 'MIT AND (ISC OR',
constraint: 'MIT',
expected: false
},
{
candidate: 'MIT OR ISC OR Apache-2.0',
constraint: '',
expected: false
},
{
candidate: '',
constraint: '(BSD-3-Clause AND ISC) OR MIT',
expected: false
}
]
for (const unit of units) {
let got: boolean = spdx.satisfies(unit.candidate, unit.constraint)
if (got != unit.expected) {
console.log(
`failing unit test inputs: candidateExpr(${unit.candidate}) constraintExpr(${unit.constraint})`
)
}
expect(got).toBe(unit.expected)
}
})
test('isValid', () => {
const units = [
{
candidate: 'MIT',
expected: true
},
{
candidate: 'MIT AND BSD-3-Clause',
expected: true
},
{
candidate: '(MIT AND ISC) OR BSD-3-Clause',
expected: true
},
{
candidate: 'NOASSERTION',
expected: false
},
{
candidate: 'Foobar',
expected: false
},
{
candidate: '',
expected: false
}
]
for (const unit of units) {
let got: boolean = spdx.isValid(unit.candidate)
if (got != unit.expected) {
console.log(`failing unit test inputs: candidateExpr(${unit.candidate})`)
}
expect(got).toBe(unit.expected)
}
})
Generated Vendored
+434 -185
View File
@@ -350,6 +350,29 @@ exports.getRefs = getRefs;
"use strict";
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
if (k2 === undefined) k2 = k;
var desc = Object.getOwnPropertyDescriptor(m, k);
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
desc = { enumerable: true, get: function() { return m[k]; } };
}
Object.defineProperty(o, k2, desc);
}) : (function(o, m, k, k2) {
if (k2 === undefined) k2 = k;
o[k2] = m[k];
}));
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
Object.defineProperty(o, "default", { enumerable: true, value: v });
}) : function(o, v) {
o["default"] = v;
});
var __importStar = (this && this.__importStar) || function (mod) {
if (mod && mod.__esModule) return mod;
var result = {};
if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
__setModuleDefault(result, mod);
return result;
};
var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
return new (P || (P = Promise))(function (resolve, reject) {
@@ -359,14 +382,11 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
step((generator = generator.apply(thisArg, _arguments || [])).next());
});
};
var __importDefault = (this && this.__importDefault) || function (mod) {
return (mod && mod.__esModule) ? mod : { "default": mod };
};
Object.defineProperty(exports, "__esModule", ({ value: true }));
exports.getInvalidLicenseChanges = void 0;
const spdx_satisfies_1 = __importDefault(__nccwpck_require__(4424));
const utils_1 = __nccwpck_require__(918);
const purl_1 = __nccwpck_require__(3609);
const spdx = __importStar(__nccwpck_require__(8590));
function getInvalidLicenseChanges(changes, licenses) {
return __awaiter(this, void 0, void 0, function* () {
var _a;
@@ -382,7 +402,7 @@ function getInvalidLicenseChanges(changes, licenses) {
return true;
}
const changeAsPackageURL = (0, purl_1.parsePURL)(encodeURI(change.package_url));
// We want to find if the licenseExclussion list contains the PackageURL of the Change
// We want to find if the licenseExclusion list contains the PackageURL of the Change
// If it does, we want to filter it out and therefore return false
// If it doesn't, we want to keep it and therefore return true
if (licenseExclusions !== null &&
@@ -414,12 +434,22 @@ function getInvalidLicenseChanges(changes, licenses) {
else if (validityCache.get(license) === undefined) {
try {
if (allow !== undefined) {
const found = allow.find(spdxExpression => (0, spdx_satisfies_1.default)(license, spdxExpression));
validityCache.set(license, found !== undefined);
if (spdx.isValid(license)) {
const found = spdx.satisfiesAny(license, allow);
validityCache.set(license, found);
}
else {
invalidLicenseChanges.unresolved.push(change);
}
}
else if (deny !== undefined) {
const found = deny.find(spdxExpression => (0, spdx_satisfies_1.default)(license, spdxExpression));
validityCache.set(license, found === undefined);
if (spdx.isValid(license)) {
const found = spdx.satisfiesAny(license, deny);
validityCache.set(license, !found);
}
else {
invalidLicenseChanges.unresolved.push(change);
}
}
}
catch (err) {
@@ -478,7 +508,7 @@ const setGHLicenses = (changes) => __awaiter(void 0, void 0, void 0, function* (
});
// Currently Dependency Graph licenses are truncated to 255 characters
// This possibly makes them invalid spdx ids
const truncatedDGLicense = (license) => license.length === 255 && !(0, utils_1.isSPDXValid)(license);
const truncatedDGLicense = (license) => license.length === 255 && !spdx.isValid(license);
function groupChanges(changes) {
return __awaiter(this, void 0, void 0, function* () {
const result = {
@@ -1282,6 +1312,93 @@ function getProjectUrl(ecosystem, packageName, version) {
exports.getProjectUrl = getProjectUrl;
/***/ }),
/***/ 8590:
/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) {
"use strict";
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
if (k2 === undefined) k2 = k;
var desc = Object.getOwnPropertyDescriptor(m, k);
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
desc = { enumerable: true, get: function() { return m[k]; } };
}
Object.defineProperty(o, k2, desc);
}) : (function(o, m, k, k2) {
if (k2 === undefined) k2 = k;
o[k2] = m[k];
}));
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
Object.defineProperty(o, "default", { enumerable: true, value: v });
}) : function(o, v) {
o["default"] = v;
});
var __importStar = (this && this.__importStar) || function (mod) {
if (mod && mod.__esModule) return mod;
var result = {};
if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
__setModuleDefault(result, mod);
return result;
};
var __importDefault = (this && this.__importDefault) || function (mod) {
return (mod && mod.__esModule) ? mod : { "default": mod };
};
Object.defineProperty(exports, "__esModule", ({ value: true }));
exports.isValid = exports.satisfiesAll = exports.satisfiesAny = exports.satisfies = void 0;
const spdxlib = __importStar(__nccwpck_require__(9391));
const spdx_expression_parse_1 = __importDefault(__nccwpck_require__(1620));
/*
* NOTE: spdx-license-satisfies methods depend on spdx-expression-parse
* which throws errors in the presence of any syntax trouble, unknown
* license tokens, case sensitivity problems etc. to simplify handling
* you should pre-screen inputs to the satisfies* methods using isValid
*/
// accepts a pair of well-formed SPDX expressions. the
// candidate is tested against the constraint
function satisfies(candidateExpr, constraintExpr) {
try {
return spdxlib.satisfies(candidateExpr, constraintExpr);
}
catch (_) {
return false;
}
}
exports.satisfies = satisfies;
// accepts an SPDX expression and a non-empty list of licenses (not expressions)
function satisfiesAny(candidateExpr, licenses) {
try {
return spdxlib.satisfiesAny(candidateExpr, licenses);
}
catch (_) {
return false;
}
}
exports.satisfiesAny = satisfiesAny;
// accepts an SPDX expression and a non-empty list of licenses (not expressions)
function satisfiesAll(candidateExpr, licenses) {
try {
return spdxlib.satisfiesAll(candidateExpr, licenses);
}
catch (_) {
return false;
}
}
exports.satisfiesAll = satisfiesAll;
// accepts any SPDX expression
function isValid(spdxExpr) {
try {
(0, spdx_expression_parse_1.default)(spdxExpr);
return true;
}
catch (_) {
return false;
}
}
exports.isValid = isValid;
/***/ }),
/***/ 8608:
@@ -1639,14 +1756,10 @@ var __importStar = (this && this.__importStar) || function (mod) {
__setModuleDefault(result, mod);
return result;
};
var __importDefault = (this && this.__importDefault) || function (mod) {
return (mod && mod.__esModule) ? mod : { "default": mod };
};
Object.defineProperty(exports, "__esModule", ({ value: true }));
exports.octokitClient = exports.isSPDXValid = exports.renderUrl = exports.getManifestsSet = exports.groupDependenciesByManifest = void 0;
exports.octokitClient = exports.renderUrl = exports.getManifestsSet = exports.groupDependenciesByManifest = void 0;
const core = __importStar(__nccwpck_require__(2186));
const octokit_1 = __nccwpck_require__(7467);
const spdx_expression_parse_1 = __importDefault(__nccwpck_require__(1620));
function groupDependenciesByManifest(changes) {
var _a;
const dependencies = new Map();
@@ -1675,16 +1788,6 @@ function renderUrl(url, text) {
}
}
exports.renderUrl = renderUrl;
function isSPDXValid(license) {
try {
(0, spdx_expression_parse_1.default)(license);
return true;
}
catch (_) {
return false;
}
}
exports.isSPDXValid = isSPDXValid;
function isEnterprise() {
var _a;
const serverUrl = new URL((_a = process.env['GITHUB_SERVER_URL']) !== null && _a !== void 0 ? _a : 'https://github.com');
@@ -12984,6 +13087,223 @@ var Webhooks = class {
0 && (0);
/***/ }),
/***/ 9391:
/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => {
var compare = __nccwpck_require__(8918)
var parse = __nccwpck_require__(1620)
var ranges = __nccwpck_require__(9797)
function rangesAreCompatible (first, second) {
return (
first.license === second.license ||
ranges.some(function (range) {
return (
licenseInRange(first.license, range) &&
licenseInRange(second.license, range)
)
})
)
}
function licenseInRange (license, range) {
return (
range.indexOf(license) !== -1 ||
range.some(function (element) {
return (
Array.isArray(element) &&
element.indexOf(license) !== -1
)
})
)
}
function identifierInRange (identifier, range) {
return (
identifier.license === range.license ||
compare.gt(identifier.license, range.license) ||
compare.eq(identifier.license, range.license)
)
}
function licensesAreCompatible (first, second) {
if (first.exception !== second.exception) {
return false
} else if (second.hasOwnProperty('license')) {
if (second.hasOwnProperty('plus')) {
if (first.hasOwnProperty('plus')) {
// first+, second+
return rangesAreCompatible(first, second)
} else {
// first, second+
return identifierInRange(first, second)
}
} else {
if (first.hasOwnProperty('plus')) {
// first+, second
return identifierInRange(second, first)
} else {
// first, second
return first.license === second.license
}
}
}
}
function replaceGPLOnlyOrLaterWithRanges (argument) {
var license = argument.license
if (license) {
if (endsWith(license, '-or-later')) {
argument.license = license.replace('-or-later', '')
argument.plus = true
} else if (endsWith(license, '-only')) {
argument.license = license.replace('-only', '')
delete argument.plus
}
} else if (argument.left && argument.right) {
argument.left = replaceGPLOnlyOrLaterWithRanges(argument.left)
argument.right = replaceGPLOnlyOrLaterWithRanges(argument.right)
}
return argument
}
function endsWith (string, substring) {
return string.indexOf(substring) === string.length - substring.length
}
function licenseString (e) {
if (e.hasOwnProperty('noassertion')) return 'NOASSERTION'
if (e.license) {
return (
e.license +
(e.plus ? '+' : '') +
(e.exception ? ('WITH ' + e.exception) : '')
)
}
}
// Expand the given expression into an equivalent array where each member is an array of licenses AND'd
// together and the members are OR'd together. For example, `(MIT OR ISC) AND GPL-3.0` expands to
// `[[GPL-3.0 AND MIT], [ISC AND MIT]]`. Note that within each array of licenses, the entries are
// normalized (sorted) by license name.
function expand (expression) {
return sort(expandInner(expression))
}
function expandInner (expression) {
if (!expression.conjunction) return [{ [licenseString(expression)]: expression }]
if (expression.conjunction === 'or') return expandInner(expression.left).concat(expandInner(expression.right))
if (expression.conjunction === 'and') {
var left = expandInner(expression.left)
var right = expandInner(expression.right)
return left.reduce(function (result, l) {
right.forEach(function (r) { result.push(Object.assign({}, l, r)) })
return result
}, [])
}
}
function sort (licenseList) {
var sortedLicenseLists = licenseList
.filter(function (e) { return Object.keys(e).length })
.map(function (e) { return Object.keys(e).sort() })
return sortedLicenseLists.map(function (list, i) {
return list.map(function (license) { return licenseList[i][license] })
})
}
/**
* Checks if all the licenses on the first argument are satisfied by any license on the second argument.
* @param {object[]} one - Source licenses.
* @param {object[]} two - Target licenses.
* @return {boolean} - Whether all the licenses on the first argument are satisfied by the target licenses.
*/
function isExpressionCompatible (one, two) {
if (one.length !== two.length) return false
return one.every(function (o) {
return two.some(function (t) { return licensesAreCompatible(o, t) })
})
}
/**
* Checks whether any group of licenses satisfies any target group of licenses.
* e.g. [[MIT], [GPL-1.0+, Apache-2.0]] checked against
* [[ISC, GPL-2.0], [GPL-2.0, Apache-2.0]] will return true.
* @param {(object[])[]} one - Groups of licenses to be checked.
* @param {(object[])[]} two - Target groups of licenses.
* @return {boolean} - Whether any group of licenses in "one" satisfies any group of licenses of the "two" (the target).
*/
function anyExpressionCompatible (one, two) {
return one.some(function (o) {
return two.some(function (t) {
return isExpressionCompatible(o, t)
})
})
}
function checkArguments (first, second) {
if (first.type === 'string' && second.type === 'string') {
if (typeof first.value !== 'string' || typeof second.value !== 'string') throw new Error('Both arguments must be string.')
} else {
if (typeof first.value !== 'string') throw new Error('First argument must be string.')
if (!Array.isArray(second.value)) throw new Error('Second argument must be array.')
}
}
/**
* Check if "first" satisfies "second".
* @param {string} first - A valid SPDX expression to be tested.
* @param {string} second - A valid SDPX expression to be tested against.
* @return {boolean} - Whether "first" satisfies "second".
*/
function satisfies (first, second) {
checkArguments({ value: first, type: 'string' }, { value: second, type: 'string' })
var one = expand(replaceGPLOnlyOrLaterWithRanges(parse(first)))
var two = expand(replaceGPLOnlyOrLaterWithRanges(parse(second)))
return anyExpressionCompatible(one, two)
}
function parseLicensesArray (licenses) {
var parsed = licenses.map(l => replaceGPLOnlyOrLaterWithRanges(parse(l)))
if (parsed.some(({ conjunction }) => !!conjunction)) throw new Error('AND and OR operators are not allowed.')
return parsed
}
/**
* Check if "first" satisfies any of the licenses in "second".
* @param {string} first - A valid SPDX expression to be tested.
* @param {string[]} second - A list of licenses. AND and OR operators are not allowed.
* @return {boolean} - Whether "first" satisfies any license in "second".
*/
function satisfiesAny (first, second) {
checkArguments({value: first, type: 'string'}, {value: second, type: 'array'})
var one = expand(replaceGPLOnlyOrLaterWithRanges(parse(first)))
var two = parseLicensesArray(second).map(l => expand(l).flat())
return anyExpressionCompatible(one, two)
}
/**
* Check if "first" satisfies all the license in "second".
* @param {string} first - A valid SPDX expression to be tested.
* @param {string[]} second - A list of licenses. AND and OR operators are not allowed.
* @return {boolean} - Whether "first" satisfies all licenses in "second".
*/
function satisfiesAll (first, second) {
checkArguments({value: first, type: 'string'}, {value: second, type: 'array'})
var one = expand(replaceGPLOnlyOrLaterWithRanges(parse(first)))
var two = [parseLicensesArray(second)]
return anyExpressionCompatible(one, two)
}
module.exports = {
satisfies,
satisfiesAny,
satisfiesAll
}
/***/ }),
/***/ 1231:
@@ -22285,151 +22605,6 @@ module.exports = function (source) {
}
/***/ }),
/***/ 4424:
/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => {
var compare = __nccwpck_require__(8918)
var parse = __nccwpck_require__(1620)
var ranges = __nccwpck_require__(9797)
var rangesAreCompatible = function (first, second) {
return (
first.license === second.license ||
ranges.some(function (range) {
return (
licenseInRange(first.license, range) &&
licenseInRange(second.license, range)
)
})
)
}
function licenseInRange (license, range) {
return (
range.indexOf(license) !== -1 ||
range.some(function (element) {
return (
Array.isArray(element) &&
element.indexOf(license) !== -1
)
})
)
}
var identifierInRange = function (identifier, range) {
return (
identifier.license === range.license ||
compare.gt(identifier.license, range.license) ||
compare.eq(identifier.license, range.license)
)
}
var licensesAreCompatible = function (first, second) {
if (first.exception !== second.exception) {
return false
} else if (second.hasOwnProperty('license')) {
if (second.hasOwnProperty('plus')) {
if (first.hasOwnProperty('plus')) {
// first+, second+
return rangesAreCompatible(first, second)
} else {
// first, second+
return identifierInRange(first, second)
}
} else {
if (first.hasOwnProperty('plus')) {
// first+, second
return identifierInRange(second, first)
} else {
// first, second
return first.license === second.license
}
}
}
}
function normalizeGPLIdentifiers (argument) {
var license = argument.license
if (license) {
if (endsWith(license, '-or-later')) {
argument.license = license.replace('-or-later', '')
argument.plus = true
} else if (endsWith(license, '-only')) {
argument.license = license.replace('-or-later', '')
delete argument.plus
}
} else if (argument.left && argument.right) {
argument.left = normalizeGPLIdentifiers(argument.left)
argument.right = normalizeGPLIdentifiers(argument.right)
}
return argument
}
function endsWith (string, substring) {
return string.indexOf(substring) === string.length - substring.length
}
function licenseString (e) {
if (e.hasOwnProperty('noassertion')) return 'NOASSERTION'
if (e.license) return `${e.license}${e.plus ? '+' : ''}${e.exception ? ` WITH ${e.exception}` : ''}`
}
// Expand the given expression into an equivalent array where each member is an array of licenses AND'd
// together and the members are OR'd together. For example, `(MIT OR ISC) AND GPL-3.0` expands to
// `[[GPL-3.0 AND MIT], [ISC AND MIT]]`. Note that within each array of licenses, the entries are
// normalized (sorted) by license name.
function expand (expression) {
return sort(expandInner(expression))
}
// Flatten the given expression into an array of all licenses mentioned in the expression.
function flatten (expression) {
var expanded = expandInner(expression)
var flattened = expanded.reduce(function (result, clause) {
return Object.assign(result, clause)
}, {})
return sort([flattened])[0]
}
function expandInner (expression) {
if (!expression.conjunction) return [{ [licenseString(expression)]: expression }]
if (expression.conjunction === 'or') return expandInner(expression.left).concat(expandInner(expression.right))
if (expression.conjunction === 'and') {
var left = expandInner(expression.left)
var right = expandInner(expression.right)
return left.reduce(function (result, l) {
right.forEach(function (r) { result.push(Object.assign({}, l, r)) })
return result
}, [])
}
}
function sort (licenseList) {
var sortedLicenseLists = licenseList
.filter(function (e) { return Object.keys(e).length })
.map(function (e) { return Object.keys(e).sort() })
return sortedLicenseLists.map(function (list, i) {
return list.map(function (license) { return licenseList[i][license] })
})
}
function isANDCompatible (one, two) {
return one.every(function (o) {
return two.some(function (t) { return licensesAreCompatible(o, t) })
})
}
function satisfies (first, second) {
var one = expand(normalizeGPLIdentifiers(parse(first)))
var two = flatten(normalizeGPLIdentifiers(parse(second)))
return one.some(function (o) { return isANDCompatible(o, two) })
}
module.exports = satisfies
/***/ }),
/***/ 4294:
@@ -49639,6 +49814,7 @@ const core = __importStar(__nccwpck_require__(2186));
const z = __importStar(__nccwpck_require__(3301));
const schemas_1 = __nccwpck_require__(1129);
const utils_1 = __nccwpck_require__(1314);
const spdx_1 = __nccwpck_require__(5967);
function readConfig() {
return __awaiter(this, void 0, void 0, function* () {
const inlineConfig = readInlineConfig();
@@ -49719,9 +49895,9 @@ function validateLicenses(key, licenses) {
if (licenses === undefined) {
return;
}
const invalid_licenses = licenses.filter(license => !(0, utils_1.isSPDXValid)(license));
const invalid_licenses = licenses.filter(license => !(0, spdx_1.isValid)(license));
if (invalid_licenses.length > 0) {
throw new Error(`Invalid license(s) in ${key}: ${invalid_licenses}`);
throw new Error(`Invalid license(s) in ${key}: ${invalid_licenses.join(', ')}`);
}
}
function readConfigFile(filePath) {
@@ -50212,7 +50388,7 @@ exports.ScorecardSchema = z.object({
/***/ }),
/***/ 1314:
/***/ 5967:
/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) {
"use strict";
@@ -50244,10 +50420,93 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
return (mod && mod.__esModule) ? mod : { "default": mod };
};
Object.defineProperty(exports, "__esModule", ({ value: true }));
exports.octokitClient = exports.isSPDXValid = exports.renderUrl = exports.getManifestsSet = exports.groupDependenciesByManifest = void 0;
exports.isValid = exports.satisfiesAll = exports.satisfiesAny = exports.satisfies = void 0;
const spdxlib = __importStar(__nccwpck_require__(9391));
const spdx_expression_parse_1 = __importDefault(__nccwpck_require__(1620));
/*
* NOTE: spdx-license-satisfies methods depend on spdx-expression-parse
* which throws errors in the presence of any syntax trouble, unknown
* license tokens, case sensitivity problems etc. to simplify handling
* you should pre-screen inputs to the satisfies* methods using isValid
*/
// accepts a pair of well-formed SPDX expressions. the
// candidate is tested against the constraint
function satisfies(candidateExpr, constraintExpr) {
try {
return spdxlib.satisfies(candidateExpr, constraintExpr);
}
catch (_) {
return false;
}
}
exports.satisfies = satisfies;
// accepts an SPDX expression and a non-empty list of licenses (not expressions)
function satisfiesAny(candidateExpr, licenses) {
try {
return spdxlib.satisfiesAny(candidateExpr, licenses);
}
catch (_) {
return false;
}
}
exports.satisfiesAny = satisfiesAny;
// accepts an SPDX expression and a non-empty list of licenses (not expressions)
function satisfiesAll(candidateExpr, licenses) {
try {
return spdxlib.satisfiesAll(candidateExpr, licenses);
}
catch (_) {
return false;
}
}
exports.satisfiesAll = satisfiesAll;
// accepts any SPDX expression
function isValid(spdxExpr) {
try {
(0, spdx_expression_parse_1.default)(spdxExpr);
return true;
}
catch (_) {
return false;
}
}
exports.isValid = isValid;
/***/ }),
/***/ 1314:
/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) {
"use strict";
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
if (k2 === undefined) k2 = k;
var desc = Object.getOwnPropertyDescriptor(m, k);
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
desc = { enumerable: true, get: function() { return m[k]; } };
}
Object.defineProperty(o, k2, desc);
}) : (function(o, m, k, k2) {
if (k2 === undefined) k2 = k;
o[k2] = m[k];
}));
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
Object.defineProperty(o, "default", { enumerable: true, value: v });
}) : function(o, v) {
o["default"] = v;
});
var __importStar = (this && this.__importStar) || function (mod) {
if (mod && mod.__esModule) return mod;
var result = {};
if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
__setModuleDefault(result, mod);
return result;
};
Object.defineProperty(exports, "__esModule", ({ value: true }));
exports.octokitClient = exports.renderUrl = exports.getManifestsSet = exports.groupDependenciesByManifest = void 0;
const core = __importStar(__nccwpck_require__(2186));
const octokit_1 = __nccwpck_require__(7467);
const spdx_expression_parse_1 = __importDefault(__nccwpck_require__(1620));
function groupDependenciesByManifest(changes) {
var _a;
const dependencies = new Map();
@@ -50276,16 +50535,6 @@ function renderUrl(url, text) {
}
}
exports.renderUrl = renderUrl;
function isSPDXValid(license) {
try {
(0, spdx_expression_parse_1.default)(license);
return true;
}
catch (_) {
return false;
}
}
exports.isSPDXValid = isSPDXValid;
function isEnterprise() {
var _a;
const serverUrl = new URL((_a = process.env['GITHUB_SERVER_URL']) !== null && _a !== void 0 ? _a : 'https://github.com');
Generated Vendored
+1 -1
View File
File diff suppressed because one or more lines are too long
Generated Vendored
+25 -25
View File
@@ -514,6 +514,31 @@ The above copyright notice and this permission notice shall be included in all c
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
@onebeyond/spdx-license-satisfies
MIT
The MIT License
Copyright (c) spdx-satisfies.js contributors
Permission is hereby granted, free of charge, to any person obtaining a
copy of this software and associated documentation files (the "Software"),
to deal in the Software without restriction, including without limitation
the rights to use, copy, modify, merge, publish, distribute, sublicense,
and/or sell copies of the Software, and to permit persons to whom the
Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included
in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR
OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
OTHER DEALINGS IN THE SOFTWARE.
aggregate-error
MIT
MIT License
@@ -1621,31 +1646,6 @@ The above copyright notice and this permission notice shall be included in all c
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
spdx-satisfies
MIT
The MIT License
Copyright (c) spdx-satisfies.js contributors
Permission is hereby granted, free of charge, to any person obtaining a
copy of this software and associated documentation files (the "Software"),
to deal in the Software without restriction, including without limitation
the rights to use, copy, modify, merge, publish, distribute, sublicense,
and/or sell copies of the Software, and to permit persons to whom the
Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included
in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR
OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
OTHER DEALINGS IN THE SOFTWARE.
tunnel
MIT
The MIT License (MIT)
+13 -1
View File
@@ -13,7 +13,7 @@
"@actions/github": "^6.0.0",
"@octokit/plugin-retry": "^6.0.1",
"@octokit/request-error": "^5.0.1",
"@types/jest": "^29.5.12",
"@onebeyond/spdx-license-satisfies": "^1.0.1",
"ansi-styles": "^6.2.1",
"got": "^14.2.0",
"jest": "^29.7.0",
@@ -25,6 +25,7 @@
"zod": "^3.22.3"
},
"devDependencies": {
"@types/jest": "^29.5.12",
"@types/node": "^20",
"@types/spdx-expression-parse": "^3.0.4",
"@types/spdx-satisfies": "^0.1.1",
@@ -1922,6 +1923,16 @@
"resolved": "https://registry.npmjs.org/@octokit/webhooks-types/-/webhooks-types-7.1.0.tgz",
"integrity": "sha512-y92CpG4kFFtBBjni8LHoV12IegJ+KFxLgKRengrVjKmGE5XMeCuGvlfRe75lTRrgXaG6XIWJlFpIDTlkoJsU8w=="
},
"node_modules/@onebeyond/spdx-license-satisfies": {
"version": "1.0.1",
"resolved": "https://registry.npmjs.org/@onebeyond/spdx-license-satisfies/-/spdx-license-satisfies-1.0.1.tgz",
"integrity": "sha512-C91zRfMMoWsuFMbzFh95pv7nDtzmGD+4TKbCHJTMgCO8IWPN3LyBVnDDnJd2pM5dokIGamSEIvYlf6HKLBDDPg==",
"dependencies": {
"spdx-compare": "^1.0.0",
"spdx-expression-parse": "^3.0.0",
"spdx-ranges": "^2.0.0"
}
},
"node_modules/@pkgr/core": {
"version": "0.1.0",
"resolved": "https://registry.npmjs.org/@pkgr/core/-/core-0.1.0.tgz",
@@ -2062,6 +2073,7 @@
"version": "29.5.12",
"resolved": "https://registry.npmjs.org/@types/jest/-/jest-29.5.12.tgz",
"integrity": "sha512-eDC8bTvT/QhYdxJAulQikueigY5AsdBRH2yDKW3yveW7svY3+DzN84/2NUgkw10RTiJbWqZrTtoGVdYlvFJdLw==",
"dev": true,
"dependencies": {
"expect": "^29.0.0",
"pretty-format": "^29.0.0"
+2 -1
View File
@@ -29,7 +29,7 @@
"@actions/github": "^6.0.0",
"@octokit/plugin-retry": "^6.0.1",
"@octokit/request-error": "^5.0.1",
"@types/jest": "^29.5.12",
"@onebeyond/spdx-license-satisfies": "^1.0.1",
"ansi-styles": "^6.2.1",
"got": "^14.2.0",
"jest": "^29.7.0",
@@ -41,6 +41,7 @@
"zod": "^3.22.3"
},
"devDependencies": {
"@types/jest": "^29.5.12",
"@types/node": "^20",
"@types/spdx-expression-parse": "^3.0.4",
"@types/spdx-satisfies": "^0.1.1",
+6 -3
View File
@@ -4,7 +4,8 @@ import YAML from 'yaml'
import * as core from '@actions/core'
import * as z from 'zod'
import {ConfigurationOptions, ConfigurationOptionsSchema} from './schemas'
import {isSPDXValid, octokitClient} from './utils'
import {octokitClient} from './utils'
import {isValid} from './spdx'
type ConfigurationOptionsPartial = Partial<ConfigurationOptions>
@@ -113,10 +114,12 @@ function validateLicenses(
return
}
const invalid_licenses = licenses.filter(license => !isSPDXValid(license))
const invalid_licenses = licenses.filter(license => !isValid(license))
if (invalid_licenses.length > 0) {
throw new Error(`Invalid license(s) in ${key}: ${invalid_licenses}`)
throw new Error(
`Invalid license(s) in ${key}: ${invalid_licenses.join(', ')}`
)
}
}
+17 -12
View File
@@ -1,7 +1,7 @@
import spdxSatisfies from 'spdx-satisfies'
import {Change, Changes} from './schemas'
import {isSPDXValid, octokitClient} from './utils'
import {octokitClient} from './utils'
import {parsePURL} from './purl'
import * as spdx from './spdx'
/**
* Loops through a list of changes, filtering and returning the
@@ -47,7 +47,7 @@ export async function getInvalidLicenseChanges(
const changeAsPackageURL = parsePURL(encodeURI(change.package_url))
// We want to find if the licenseExclussion list contains the PackageURL of the Change
// We want to find if the licenseExclusion list contains the PackageURL of the Change
// If it does, we want to filter it out and therefore return false
// If it doesn't, we want to keep it and therefore return true
if (
@@ -87,15 +87,19 @@ export async function getInvalidLicenseChanges(
} else if (validityCache.get(license) === undefined) {
try {
if (allow !== undefined) {
const found = allow.find(spdxExpression =>
spdxSatisfies(license, spdxExpression)
)
validityCache.set(license, found !== undefined)
if (spdx.isValid(license)) {
const found = spdx.satisfiesAny(license, allow)
validityCache.set(license, found)
} else {
invalidLicenseChanges.unresolved.push(change)
}
} else if (deny !== undefined) {
const found = deny.find(spdxExpression =>
spdxSatisfies(license, spdxExpression)
)
validityCache.set(license, found === undefined)
if (spdx.isValid(license)) {
const found = spdx.satisfiesAny(license, deny)
validityCache.set(license, !found)
} else {
invalidLicenseChanges.unresolved.push(change)
}
}
} catch (err) {
invalidLicenseChanges.unresolved.push(change)
@@ -161,10 +165,11 @@ const setGHLicenses = async (changes: Change[]): Promise<Change[]> => {
return Promise.all(updatedChanges)
}
// Currently Dependency Graph licenses are truncated to 255 characters
// This possibly makes them invalid spdx ids
const truncatedDGLicense = (license: string): boolean =>
license.length === 255 && !isSPDXValid(license)
license.length === 255 && !spdx.isValid(license)
async function groupChanges(
changes: Changes
+56
View File
@@ -0,0 +1,56 @@
import * as spdxlib from '@onebeyond/spdx-license-satisfies'
import parse from 'spdx-expression-parse'
/*
* NOTE: spdx-license-satisfies methods depend on spdx-expression-parse
* which throws errors in the presence of any syntax trouble, unknown
* license tokens, case sensitivity problems etc. to simplify handling
* you should pre-screen inputs to the satisfies* methods using isValid
*/
// accepts a pair of well-formed SPDX expressions. the
// candidate is tested against the constraint
export function satisfies(
candidateExpr: string,
constraintExpr: string
): boolean {
try {
return spdxlib.satisfies(candidateExpr, constraintExpr)
} catch (_) {
return false
}
}
// accepts an SPDX expression and a non-empty list of licenses (not expressions)
export function satisfiesAny(
candidateExpr: string,
licenses: string[]
): boolean {
try {
return spdxlib.satisfiesAny(candidateExpr, licenses)
} catch (_) {
return false
}
}
// accepts an SPDX expression and a non-empty list of licenses (not expressions)
export function satisfiesAll(
candidateExpr: string,
licenses: string[]
): boolean {
try {
return spdxlib.satisfiesAll(candidateExpr, licenses)
} catch (_) {
return false
}
}
// accepts any SPDX expression
export function isValid(spdxExpr: string): boolean {
try {
parse(spdxExpr)
return true
} catch (_) {
return false
}
}
-10
View File
@@ -1,6 +1,5 @@
import * as core from '@actions/core'
import {Octokit} from 'octokit'
import spdxParse from 'spdx-expression-parse'
import {Changes} from './schemas'
export function groupDependenciesByManifest(
@@ -34,15 +33,6 @@ export function renderUrl(url: string | null, text: string): string {
}
}
export function isSPDXValid(license: string): boolean {
try {
spdxParse(license)
return true
} catch (_) {
return false
}
}
function isEnterprise(): boolean {
const serverUrl = new URL(
process.env['GITHUB_SERVER_URL'] ?? 'https://github.com'
+3 -1
View File
@@ -5,7 +5,9 @@
"outDir": "./lib" /* Redirect output structure to the directory. */,
"strict": true /* Enable all strict type-checking options. */,
"noImplicitAny": true /* Raise error on expressions and declarations with an implied 'any' type. */,
"esModuleInterop": true /* Enables emit interoperability between CommonJS and ES Modules via creation of namespace objects for all imports. Implies 'allowSyntheticDefaultImports'. */
"esModuleInterop": true /* Enables emit interoperability between CommonJS and ES Modules via creation of namespace objects for all imports. Implies 'allowSyntheticDefaultImports'. */,
"typeRoots": [ "./node_modules/@types", "./types" ],
"types": [ "node", "jest", "spdx-license-satisfies" ]
},
"exclude": ["node_modules"]
}
+18
View File
@@ -0,0 +1,18 @@
declare module '@onebeyond/spdx-license-satisfies' {
export function satisfies(
candidateExpr: string,
constraintExpr: string
): boolean
export function satisfiesAny(
candidateExpr: string,
licenses: string[]
): boolean
export function satisfiesAll(
candidateExpr: string,
licenses: string[]
): boolean
export function isValid(candidateExpr: string): boolean
}