Invalid SPDX License

[kamimanzoor]

Hi,

We have recently added dependency review in our workflows. We are getting "Invalid SPDX License" issue for quite a lot of our dependencies. Even though it states that the latest release (v3) is fully SPDX-compliant and has support for AND/OR expressions. I have manually parse a couple of licenses like BSD-2-Clause AND BSD-3-Clause via the underlying library spdx-expression-parse and it seems to parse without any issues. Please find the screenshot below:

The workflow code snippet alongside config file is shown below:

- name: 'Dependency Review with config file'
   uses: actions/dependency-review-action@v3
   with:
     config-file: ${{ inputs.config-file }}

Small snippet from config file:

fail_on_severity: 'critical'
comment_summary_in_pr: true
license_check: true
allow_licenses: 
  - Apache-1.0
  - Apache-1.1
  - Apache-2.0
  - BSL-1.0
  - BSD-1-Clause
  - BSD-2-Clause
  - BSD-2-Clause-Patent
  - BSD-3-Clause

Any prompt response would be greatly appreciated as currently dependency review is not adding any meaningful value for us.

[febuiles]

@kamimanzoor Thanks for the report. Just to confirm my understanding is correct:

• cryptography should fail (Python-2.0 is not in the allowlist)
• astroid should fail (LGPL-2.1-only is not in the allowlist)

The other 3 licenses should not fail. Can you confirm this makes sense to you?

[panthony]

Hello there 👋🏻

Similar issue but with OR:

Here GPL-2.0 is denied. But this particular dependency should not fail the test because it can be licensed under Apache-2.0.

Which is probably a more common (and simpler) case.

[jonjanego]

Thank you for the issue report, @panthony

[panthony]

@jonjanego Found this issue later about this:

#670

[jonjanego]

Yep, thanks @panthony - we've got it on our radar! :)

[febuiles]

The original issue tracked other problems with SPDX licenses that since have been fixed, the only remaining item here are OR expressions. I updated #670, closing this in favor of that issue.