Commit Graph

29 Commits

Author SHA1 Message Date
Kevin Dangoor
6e9307a3d4 Discard allow list entries that are not SPDX IDs
The allow-licenses list is expected (and documented) to be a list of
SPDX license IDs (LicenseRefs are also valid). If someone puts an
expression in the list (e.g. "GPL-3.0-only OR MIT"), it should be
discarded so that the whole list does not become invalid.

Fixes #907
2025-05-12 18:58:58 -04:00
Kevin Dangoor
34486f306e Check namespaces when excluding license checks
The `allow-dependencies-licenses` option was not checking the namespace
part of the PURL to make sure it matched.
2025-05-08 17:17:08 -04:00
Kevin Dangoor
f199659a6a Allowing dependencies works with no licenses
When using the `allow-dependencies-licenses` option, the packages listed
there should be allowed even if they have no license. This wasn't
working because the filtering for allowed dependencies was done
specifically on the list of packages that had licenses, leaving a
separate list (unfiltered) for packages with no licenses. With this
change, we filter out any changes for packages that have been allowed
_before_ we retrieve licenses.

Fixes #889
2025-05-08 16:31:46 -04:00
Kevin Dangoor
3a2b68706a Handle complex licenses (e.g. X AND Y)
There are many packages that are dual-licensed, offering a choice
of licenses (e.g. `MIT OR Apache-2.0`). There are some that include
code from multiple sources and require multiple licenses
(e.g. `MIT AND Apache-2.0`). There are also complex combinations that
can exist for a variety of reasons, such as
`MIT AND (Apache-2.0 OR BSD-3-Clause)`.

The most straightforward approach to handle these is to have an
allow list. As long as the licenses on the allow list can satisfy
the license expression of the package in question, it should pass.

To implement this, I the newest release of spdx-satisfies
which changed the interface to be exactly as described
`satisfies(license, allowList)` (see
https://github.com/jslicense/spdx-satisfies.js/pull/17).

Fixes https://github.com/actions/dependency-review-action/issues/263
2025-05-05 19:06:50 -04:00
Kevin Dangoor
a87294d992 Revert "Merge pull request #916 from jebeaudet/spdx-support"
This reverts commit 5a5d4df8ad, reversing
changes made to 67d4f4bd7a.
2025-05-05 18:43:46 -04:00
Jacques-Etienne Beaudet
4eb8182aba Support SPDX expressions in allow/deny lists
This change updates license validation to support full SPDX expressions
(such as 'EPL-1.0 AND LGPL-2.1') in both allow-lists and deny-lists. This
enables the action to correctly validate packages that declare multiple
licenses using SPDX conjunctions like AND/OR, which are common in complex
open-source projects.

Previously, only simple license identifiers were supported, which caused
multi-licensed packages to be improperly flagged as invalid even when
they matched the intent of the allow-list.

The new logic uses `spdx.satisfies()` to evaluate whether a package’s
declared license satisfies any expression in the allow/deny list, and
comprehensive tests have been added to verify behavior for various SPDX
combinations.

This improves compatibility with projects using compound SPDX license
expressions and ensures more accurate license policy enforcement.
2025-04-09 12:19:46 -04:00
Eli Reisman
bbed6f340a update licenses pkg and tests 2024-06-10 09:51:01 -07:00
Federico Builes
b39e17ba5e Replace pip -> pypi in PURL examples 2023-12-11 17:23:19 +01:00
Federico Builes
70f8094bec adding a test for empty PURLs 2023-05-31 16:24:19 +02:00
Stefan Petrushevski
7b5fa84cfc added tests; docs and cleanup 2023-05-19 10:47:59 +02:00
David Losert
1b9faef957 Fixes ESLint to also incldue tests and fixes eslint errors in tests 2023-02-27 16:05:03 +00:00
cnagadya
336da03de2 Update empty allow-licenses tests 2022-11-08 11:15:36 +00:00
cnagadya
022ea02fbb Add unresolved licenses section 2022-10-27 13:09:37 +00:00
cnagadya
3baea959cf Fix license test failures 2022-10-26 09:58:00 +00:00
Federico Builes
7e41a6f1ee Removing unnecessary beforeAll block
Mocks are removed in Jest automatically due to our
Jest config file.

Co-authored-by: Christine Nagadya <cnagadya@github.com>
Co-authored-by: Henri Maurer <hmaurer@github.com>
2022-10-13 16:52:54 +02:00
cnagadya
4c0961eff6 Add tests for GitHub License API fallback 2022-10-13 11:57:38 +00:00
cnagadya
d1e9a12830 Resolve conflicts 2022-10-13 11:06:40 +00:00
Sarah Aladetan
1a7a37c468 add scope to change schema 2022-09-15 17:53:34 +00:00
Kenichi Kamiya
c003e7f8fc Add more test for added and removed pattern 2022-07-13 19:07:12 +09:00
Kenichi Kamiya
c5d7bdcf7f Ignore removed changes in license checker 2022-07-13 18:11:10 +09:00
Kenichi Kamiya
08074685be Fix a typo s/dangerouns/dangerous/ 2022-07-05 18:32:34 +09:00
Federico Builes
42e2bc1ed2 Handle unknown licenses. 2022-06-14 13:54:27 +02:00
Federico Builes
eebebcdc2a Use real PURLs in tests 2022-06-13 20:19:01 +02:00
Federico Builes
fe78920139 Document unwanted behavior for a future refactoring. 2022-06-13 20:04:39 +02:00
Federico Builes
4ac3d318ab Refactoring on PR feedback. 2022-06-08 17:45:42 +02:00
Federico Builes
25271922eb Clarify variable names. 2022-06-08 15:53:14 +02:00
Federico Builes
1261e18905 Clarify license tests. 2022-06-06 20:32:46 +02:00
Federico Builes
06297bf229 Fixing failing tests 2022-06-06 20:32:46 +02:00
Federico Builes
bccacf9708 Skeleton for license validation. 2022-06-06 20:32:46 +02:00