Update SPDX Expression Parsing

[febuiles]

Context

Since we introduced SPDX licenses around 2022, we've had issues dealing with SPDX expression validations due to the library we use for checking whether one expression satisfies another one.

Folks reached out to the maintainer in 2022 to fix some of these changes, but set a clear direction that does not fit our purposes anymore. The @onebeyond/spdx-license-satisfies is a fork of the original project, created by people who encountered the same issues as us.

Changes

This PR moves the Action away from spdx-satisfies.js and uses @onebeyond/spdx-license-satisfies instead to check whether an SPDX license satisfies an expression or not: The MIT license satisfies the expression MIT OR GPL-2.0, but it does not satisfy MIT AND GPL-2.0.

In the process of making these changes I:

• Moved all the SPDX-related logic to spdx.ts.
• Added a few TODOs to spdx.ts noting the things we still need to support.
• Updated the tests that were using invalid SPDX identifiers.
• Removed unnecessary stubs for SPDX license validation.
• Updated tsconfig.json to fix a duplicate entry in the compiler options.

[elireisman]

Couple questions, but this is looking good so far, thanks! 🍻

[elireisman]

👋 I just pushed a pretty major overhaul of this PR. It should be ready for review now.

Highlights:

• Simplified usage (call sites) of the new SPDX expression eval library
• Changed how illegal inputs are handled to make the logic more robust and unit tests better
• Removed mocks of the SPDX license eval calls in module tests to ensure we exercise the library
• Added lots of new unit tests

That said, there could be surprises here and I'm no TypeScript expert 😂 so please do review this carefully 🙇 cc @hmaurer @bteng22 @mrysav

[elireisman]

moved Jest back into dev dependencies where I think it belongs 👍

[elireisman]

☝️ the library is very strict about invalid SPDX inputs, so instead of just bucketing these as "unresolved" based on an error bubble up, we'll now check validity specifically as a pre-step when classifying and resolving licenses 👍

[elireisman]

🤔 due to this change, we may be able to ditch the try...catch blocks entirely

[elireisman]

oh nice change! 😍

[juxtin]

From a code review/testing perspective, I'm pretty happy with this right now. My plan is to do a little bit of manual testing to validate that the linked issues really are resolved, and then I'll get this approved, merged, and released.

[juxtin]

From a code review/testing perspective, I'm pretty happy with this right now. My plan is to do a little bit of manual testing to validate that the linked issues really are resolved, and then I'll get this approved, merged, and released.

I'm glad I didn't rush through this, because this PR doesn't resolve any of the issues that were linked above. That's not to say it's a bad PR or that we shouldn't merge it, but it doesn't address the fundamental causes of the behaviors that people have run into.

I'll break it down issue by issue:

• Properly resolve licenses with "OR" expressions #670
  • problem: Apache-2.0 OR BSL-1.0 should be allowed when only Apache-2.0 is denied. One of its acceptable licenses is implicitly allowed, so it should be fine.
  • reality: as of this PR, we use spdx.satisfiesAny('Apache-2.0 OR BSL-1.0', 'Apache-2.0') to evaluate this. It returns true, because 'Apache-2.0 OR BSL-1.0' does satisfy 'Apache-2.0'. This just isn't the semantics that we want.
• "Invalid SPDX License" after upgrading JSTS package #575
  • problem: EPL-1.0 OR NOASSERTION OR (EPL-1.0 AND NOASSERTION) is considered an Invalid SPDX License.
  • reality: as of this PR, NOASSERTION is still considered an invalid license.
• deny-licenses mistakenly blocking LGPL-3.0 license #635
  • problem: LGPL-3.0 license is denied when the deny list only contains LGPL-2.0, LGPLLR
  • reality: for reasons I haven't totally figured out yet, this is still the behavior as of this PR. For what it's worth, internally we appear to have a license of GPL-3.0 AND GPL-3.0-only AND GPL-3.0-or-later AND LGPL-3.0-only for pygithub, but it is displayed in the action summary as LGPL-3.0.

[juxtin]

Despite the fact that this doesn't fix any outstanding bugs, I do still think it moves us in the right direction. The remaining bugs will have to be addressed by other work in the future.