Properly resolve licenses with "OR" expressions #670

Open
msalib opened this issue Jan 22, 2024 · 4 comments · May be fixed by #719
Labels: bug (Something isn't working)

Comments
msalib commented Jan 22, 2024

| Package | Version | License               | Issue Type           |
|---------|---------|-----------------------|----------------------|
| ryu     | 1.0.16  | Apache-2.0 OR BSL-1.0 | Incompatible License |

We reject the BSL-1.0 license, so I was confused why this Rust crate was getting rejected since it can be licensed under BSL-1.0 or Apache-2.0 which we accept.

@febuiles febuiles added the bug Something isn't working label Jan 24, 2024
febuiles (Contributor) commented Jan 24, 2024

The SPDX expression parser we use is brittle (see #263). I think moving to something like https://www.npmjs.com/package/@onebeyond/spdx-license-satisfies would provide a better experience and fix the issues with OR. We don't have cycles to test atm, but are happy to collaborate on community contributions.
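The semantics both comments above rely on, as an added example that is not code from dependency-review-action or from the spdx-license-satisfies package: a minimal SPDX expression parser (subset of SPDX 2.x: `OR` binds loosest, `AND` tighter, `WITH` tightest, parentheses group) plus two policy checks. Under a deny-list, a package is blocked only when every alternative the expression offers involves a denied license, so `Apache-2.0 OR BSL-1.0` with `BSL-1.0` denied passes, while `MIT AND BSL-1.0` is blocked. Malformed expressions throw instead of silently passing, so a brittle input fails closed. The function names, the second sample row and the deny-list are my own choices.

```javascript
// Added example, not dependency-review-action's own code: resolve SPDX
// "OR" / "AND" expressions against a deny-list or an allow-list.

function tokenize(expr) {
  // Space out parentheses, then split on whitespace. Operators are compared
  // case-insensitively; license ids keep their exact spelling.
  return expr.replace(/([()])/g, ' $1 ').trim().split(/\s+/).filter(Boolean);
}

function parse(expr) {
  const tokens = tokenize(expr);
  let pos = 0;
  const peek = () => tokens[pos];
  const isOp = (name) => peek() !== undefined && peek().toUpperCase() === name;
  const next = () => {
    if (pos >= tokens.length) throw new Error(`unexpected end of expression: "${expr}"`);
    return tokens[pos++];
  };

  function parsePrimary() {
    const tok = next();
    if (tok === '(') {
      const node = parseOr();
      if (next() !== ')') throw new Error(`expected ")" in "${expr}"`);
      return node;
    }
    if (tok === ')' || ['AND', 'OR', 'WITH'].includes(tok.toUpperCase())) {
      throw new Error(`unexpected token "${tok}" in "${expr}"`);
    }
    // A bare license id such as Apache-2.0 or GPL-2.0+ (the "+" is kept literally).
    return { type: 'license', id: tok };
  }

  function parseWith() {
    const node = parsePrimary();
    if (isOp('WITH')) {
      next();
      if (node.type !== 'license') throw new Error(`WITH needs a license id in "${expr}"`);
      // Treat "license WITH exception" as one composite id for policy lookups.
      return { type: 'license', id: `${node.id} WITH ${next()}` };
    }
    return node;
  }

  function parseAnd() {
    let left = parseWith();
    while (isOp('AND')) { next(); left = { type: 'and', left, right: parseWith() }; }
    return left;
  }

  function parseOr() {
    let left = parseAnd();
    while (isOp('OR')) { next(); left = { type: 'or', left, right: parseAnd() }; }
    return left;
  }

  const ast = parseOr();
  if (pos !== tokens.length) throw new Error(`trailing input "${tokens[pos]}" in "${expr}"`);
  return ast;
}

// Fold the tree with a per-license predicate: AND needs both sides, OR either.
function evaluate(node, accept) {
  switch (node.type) {
    case 'license': return accept(node.id);
    case 'and': return evaluate(node.left, accept) && evaluate(node.right, accept);
    case 'or': return evaluate(node.left, accept) || evaluate(node.right, accept);
    default: throw new Error(`unknown node type ${node.type}`);
  }
}

// Allow-list policy: acceptable if some licensing choice the expression
// permits uses only allow-listed licenses.
function isAllowed(expr, allowList) {
  const allow = new Set(allowList);
  return evaluate(parse(expr), (id) => allow.has(id));
}

// Deny-list policy: blocked only when no alternative free of denied licenses
// remains. "Apache-2.0 OR BSL-1.0" with BSL-1.0 denied is therefore not blocked.
function isBlocked(expr, denyList) {
  const deny = new Set(denyList);
  return !evaluate(parse(expr), (id) => !deny.has(id));
}

// Constructed rows in the shape of the report quoted in the issue; the second
// row is invented to show the AND case.
const SAMPLE = [
  { name: 'ryu', version: '1.0.16', license: 'Apache-2.0 OR BSL-1.0' },
  { name: 'example-and', version: '0.1.0', license: 'MIT AND BSL-1.0' },
];

function review(rows, denyList) {
  return rows.map((r) => ({ ...r, blocked: isBlocked(r.license, denyList) }));
}

for (const r of review(SAMPLE, ['BSL-1.0'])) {
  console.log(`${r.name} ${r.version} "${r.license}" -> ${r.blocked ? 'Incompatible License' : 'OK'}`);
}
```

The two policies are deliberately separate: an allow-list asks whether any branch is fully approved, a deny-list asks whether every branch touches a forbidden license, and conflating them is what produces both symptoms the issue was retitled around (wrongly rejecting `Apache-2.0 OR BSL-1.0`, and failing to block a package whose every alternative is denied).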

@jonjanego jonjanego changed the title Unexpected failure for license disjunction Failing to block licenses for packages that have multiple license types defined with "OR" Mar 12, 2024
@febuiles febuiles changed the title Failing to block licenses for packages that have multiple license types defined with "OR" Properly resolve licenses with "OR" expressions Mar 13, 2024
@febuiles febuiles added the good first issue Good for newcomers label Mar 13, 2024
@jovel jovel removed the good first issue Good for newcomers label Mar 15, 2024
@febuiles febuiles linked a pull request Mar 22, 2024 that will close this issue
@febuiles febuiles self-assigned this Mar 22, 2024
npushkarskii commented

Hey there, hope this one won't slip through the cracks and be fixed at some point :) Thank you for handling this issue.

febuiles (Contributor) commented Mar 30, 2024

@npushkarskii #719 might need tweaks, but it fixes this bug. We hope it lands somewhere in the next week or two.

If you want to start testing it today and help us get feedback you can add uses: actions/dependency-review-action@change-spdx-parser in your workflow file until the PR and the new version (probably v5) are merged/released.

npushkarskii commented

@febuiles only managed to see your comment now, sorry for the delay.

Thank you for all the info, my colleagues and I will try to play with the pre-release version you mentioned; if we get to it, I'll let you know about the results in this PR! Thank you again for your help.
