Release v0.2.0
Overview
This release adds support for passing LicenseRef and DocumentRef to the Satisfies function as part of an SPDX License Expression.
Required Action for Upgrading
There are no steps required to move to this release. This release fills out functionality in the existing infrastructure. There are no API changes.
Details
What is a LicenseRef and DocumentRef
The specification defines these terms in Annex D: SPDX License Expressions.
An SPDX user defined license reference:
["DocumentRef-"1*(idstring)":"]"LicenseRef-"1*(idstring)
Examples:
LicenseRef-23
LicenseRef-MIT-Style-1
DocumentRef-spdx-tool-1.2:LicenseRef-MIT-Style-2
How to use with Satisfies
Examples
allowedListWithout := []string{"MIT", "Apache-2.0"}
allowedListWithLicenseRef := []string{"MIT", "Apache-2.0", "LicenseRef-X-BSD-3-Clause-Golang"}
allowedListWithDocumentRefLicenseRef := []string{"MIT", "Apache-2.0", "DocumentRef-spdx-tool-1.2:LicenseRef-X-BSD-3-Clause-Golang"}
Satisfies("LicenseRef-X-BSD-3-Clause-Golang", allowedListWithLicenseRef) // true
Satisfies("MIT AND LicenseRef-X-BSD-3-Clause-Golang", allowedListWithLicenseRef) // true
Satisfies("MIT AND Apache-2.0", allowedListWithLicenseRef) // true
Satisfies("MIT AND LicenseRef-X-BSD-3-Clause-Golang", allowedListWithout) // false
Satisfies("DocumentRef-spdx-tool-1.2:LicenseRef-X-BSD-3-Clause-Golang", allowedListWithDocumentRefLicenseRef) // true
Satisfies("MIT AND DocumentRef-spdx-tool-1.2:LicenseRef-X-BSD-3-Clause-Golang", allowedListWithDocumentRefLicenseRef) // true
Satisfies("MIT AND Apache-2.0", allowedListWithDocumentRefLicenseRef) // true
Satisfies("MIT AND DocumentRef-spdx-tool-1.2:LicenseRef-X-BSD-3-Clause-Golang", allowedListWithout) // false
Satisfies("MIT AND DocumentRef-spdx-tool-1.2:LicenseRef-X-BSD-3-Clause-Golang", allowedListWithLicenseRef) // false
Satisfies("MIT AND LicenseRef-X-BSD-3-Clause-Golang", allowedListWithDocumentRefLicenseRef) // false
Use case for extending the list of valid licenses
Go and the related golang.org/x libraries are licensed under a BSD-3-Clause license plus a patent grant from Google that makes a stipulation about not suing them over patent infringement for that package.
SPDX explicitly said they didn't want to call the patent grant an "exception" (Issue #646), and a new license string has not been included. ClearlyDefined, following their lead, returns this license as BSD-3-Clause AND OTHER.
This use case can be handled by using a user defined LicenseRef that extends the canonical set defined by SPDX.
NOTE: Adding OTHER as a LicenseRef is too broad. In our local work using spdx-expression, BSD-3-Clause AND OTHER is manually converted to the testExpression LicenseRef-X-BSD-3-Clause-Golang before calling Satisfies. LicenseRef-X-BSD-3-Clause-Golang needs to be in the allowedList. The examples in the How to use with Satisfies section show the use of this LicenseRef.
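The conversion step described above, sketched as an added example (not code from this project): it checks the LicenseRef grammar, rewrites BSD-3-Clause AND OTHER only for Go modules, and then tests the result against an allow list. Assumptions: idstring is 1*(ALPHA / DIGIT / "-" / ".") as in SPDX Annex D, the golang.org/x/ prefix test and the names IsLicenseRef, NormalizeGoLicense and allAllowed are hypothetical, and allAllowed is a simplified stand-in for Satisfies that handles AND only.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// refRE encodes ["DocumentRef-"1*(idstring)":"]"LicenseRef-"1*(idstring),
// with idstring = 1*(ALPHA / DIGIT / "-" / ".") per SPDX Annex D.
var refRE = regexp.MustCompile(`^(?:DocumentRef-[A-Za-z0-9.-]+:)?LicenseRef-[A-Za-z0-9.-]+$`)

// IsLicenseRef reports whether s is a well-formed user defined reference.
func IsLicenseRef(s string) bool { return refRE.MatchString(s) }

const golangRef = "LicenseRef-X-BSD-3-Clause-Golang" // identifier used on this page

// NormalizeGoLicense rewrites ClearlyDefined's "BSD-3-Clause AND OTHER" to
// golangRef. Assumption: only modules under golang.org/x/ are rewritten, so
// OTHER reported for an unrelated package is never silently accepted.
func NormalizeGoLicense(modulePath, declared string) string {
	if strings.HasPrefix(modulePath, "golang.org/x/") && declared == "BSD-3-Clause AND OTHER" {
		return golangRef
	}
	return declared
}

// allAllowed is a simplified stand-in for Satisfies: it handles only
// AND-joined identifiers and compares each one by exact string.
func allAllowed(expr string, allowed []string) bool {
	set := map[string]bool{}
	for _, a := range allowed {
		set[a] = true
	}
	for _, term := range strings.Split(expr, " AND ") {
		if !set[term] {
			return false
		}
	}
	return true
}

func main() {
	allowed := []string{"MIT", "Apache-2.0", golangRef}
	// Constructed inputs: one Go module and one unrelated package.
	fmt.Println(IsLicenseRef(golangRef), IsLicenseRef("OTHER"))
	fmt.Println(allAllowed(NormalizeGoLicense("golang.org/x/crypto", "BSD-3-Clause AND OTHER"), allowed))
	fmt.Println(allAllowed(NormalizeGoLicense("example.com/pkg", "BSD-3-Clause AND OTHER"), allowed))
}
```

Because the rewrite is keyed to the module path, the same BSD-3-Clause AND OTHER string from any other package still fails the allow list.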
What's Changed
Full Changelog: v0.1.0...v0.2.0