Releases: github/go-spdx
Release v0.3.2
Overview
Improve documentation with examples and package level doc.
Required Action for Upgrading
There are no steps required to move to this release.
What's Changed
- add example tests that will be part of generated docs #24 (@elrayle)
- add package level documentation #25 (elrayle)
Full Changelog: v0.3.1...v0.3.2
Release v0.3.1
Overview
Add test case for OTHER license. Add TestSatisfiesSingle that makes it easy to modify variables and run an ad hoc test.
Required Action for Upgrading
There are no steps required to move to this release. This release adds tests only.
Details
TestSatisfiesSingle
You can test the Satisfies function with specific values and set the expected outcome. To create an ad hoc test:
- edit spdx/satisfies_test.go
- update variables for parameters (i.e. expression, allowedList)
- update expectedResult to either true or false
- run the test
go test ./spdxexp -run TestSatisfiesSingle
What's Changed
- add test that can be easily updated to validate a specific expression to an allowed-list #22 (@elrayle)
- add test that includes OTHER error #23 (elrayle)
Full Changelog: v0.3.0...v0.3.1
Release v0.3.0
Overview
Add public API function ValidateLicenses which is used to determine if any of the provided licenses are invalid.
Required Action for Upgrading
There are no steps required to move to this release. This release adds an additional function to the public API. There are no changes to the existing API functions.
Details
ValidateLicenses
// ValidateLicenses checks if given licenses are valid according to spdx. Returns true if all the licenses are valid; otherwise, returns false and a slice of the invalid licenses.
func ValidateLicenses(licenses []string) (bool, []string)
parameter: licenses
Licenses is a slice of strings which must be validated as SPDX expressions.
returns
Function ValidateLicenses has 2 return values. The first is a bool which equals true if all of the provided licenses are valid, and false otherwise.
The second return value is a slice of all invalid licenses which were provided.
Examples: ValidateLicenses returns no invalid licenses
valid, invalidLicenses := ValidateLicenses([]string{"Apache-2.0"})
assert.True(valid)
assert.Empty(invalidLicenses)
Examples: ValidateLicenses returns invalid licenses
valid, invalidLicenses := ValidateLicenses([]string{"NON-EXISTENT-LICENSE", "MIT"})
assert.False(valid)
assert.Contains(invalidLicenses, "NON-EXISTENT-LICENSE")
assert.NotContains(invalidLicenses, "MIT")
What's Changed
- Add a function to validate licenses #20 (@RomanIakovlev)
Full Changelog: v0.2.0...v0.3.0
Release v0.2.0
Overview
This release adds support for passing LicenseRef and DocumentRef to the Satisfies function as part of an SPDX License Expression.
Required Action for Upgrading
There are no steps required to move to this release. This release is filling out functionality in the existing infrastructure. There are no API changes.
Details
What is a LicenseRef and DocumentRef
The specification defines these terms in Annex D: SPDX License Expressions.
An SPDX user defined license reference:
["DocumentRef-"1*(idstring)":"]"LicenseRef-"1*(idstring)
Examples:
LicenseRef-23
LicenseRef-MIT-Style-1
DocumentRef-spdx-tool-1.2:LicenseRef-MIT-Style-2
How to use with Satisfies
Examples
allowedListWithout := []string{"MIT", "Apache-2.0"}
allowedListWithLicenseRef := []string{"MIT", "Apache-2.0", "LicenseRef-X-BSD-3-Clause-Golang"}
allowedListWithDocumentRefLicenseRef := []string{"MIT", "Apache-2.0", "DocumentRef-spdx-tool-1.2:LicenseRef-X-BSD-3-Clause-Golang"}
Satisfies("LicenseRef-X-BSD-3-Clause-Golang", allowedListWithLicenseRef) // true
Satisfies("MIT AND LicenseRef-X-BSD-3-Clause-Golang", allowedListWithLicenseRef) // true
Satisfies("MIT AND Apache-2.0", allowedListWithLicenseRef) // true
Satisfies("MIT AND LicenseRef-X-BSD-3-Clause-Golang", allowedListWithout) // false
Satisfies("DocumentRef-spdx-tool-1.2:LicenseRef-X-BSD-3-Clause-Golang", allowedListWithDocumentRefLicenseRef) // true
Satisfies("MIT AND DocumentRef-spdx-tool-1.2:LicenseRef-X-BSD-3-Clause-Golang", allowedListWithDocumentRefLicenseRef) // true
Satisfies("MIT AND Apache-2.0", allowedListWithDocumentRefLicenseRef) // true
Satisfies("MIT AND DocumentRef-spdx-tool-1.2:LicenseRef-X-BSD-3-Clause-Golang", allowedListWithout) // false
Satisfies("MIT AND DocumentRef-spdx-tool-1.2:LicenseRef-X-BSD-3-Clause-Golang", allowedListWithLicenseRef) // false
Satisfies("MIT AND LicenseRef-X-BSD-3-Clause-Golang", allowedListWithDocumentRefLicenseRef) // false
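The reference grammar and the allow-list outcomes above, as an added example that is not part of the go-spdx code base: a stdlib-only parser for user-defined references and a comparison in which a DocumentRef-qualified reference and a bare LicenseRef never match each other. The names UserRef, ParseUserRef and Matches are hypothetical, and the idstring character set (letters, digits, "-" and ".") is taken from the SPDX specification rather than from these release notes.

```go
package main

import (
	"fmt"
	"strings"
)

// UserRef is a parsed user-defined license reference (hypothetical type).
type UserRef struct {
	DocumentRef string // idstring after "DocumentRef-", empty when absent
	LicenseRef  string // idstring after "LicenseRef-"
}

// isIDString reports whether s is one or more letters, digits, "-" or ".".
func isIDString(s string) bool {
	for _, r := range s {
		if !(r >= 'a' && r <= 'z' || r >= 'A' && r <= 'Z' || r >= '0' && r <= '9' || r == '-' || r == '.') {
			return false
		}
	}
	return s != ""
}

// ParseUserRef parses ["DocumentRef-" idstring ":"] "LicenseRef-" idstring.
func ParseUserRef(s string) (UserRef, error) {
	doc, rest := "", s
	if strings.HasPrefix(s, "DocumentRef-") {
		var found bool
		doc, rest, found = strings.Cut(strings.TrimPrefix(s, "DocumentRef-"), ":")
		if !found || !isIDString(doc) {
			return UserRef{}, fmt.Errorf("malformed DocumentRef in %q", s)
		}
	}
	id := strings.TrimPrefix(rest, "LicenseRef-")
	if id == rest || !isIDString(id) { // prefix missing, or nothing valid after it
		return UserRef{}, fmt.Errorf("malformed LicenseRef in %q", s)
	}
	return UserRef{DocumentRef: doc, LicenseRef: id}, nil
}

// Matches is true only when both references parse and both parts are equal.
func Matches(exprRef, allowed string) bool {
	a, errA := ParseUserRef(exprRef)
	b, errB := ParseUserRef(allowed)
	return errA == nil && errB == nil && a == b
}

func main() {
	fmt.Println(ParseUserRef("DocumentRef-spdx-tool-1.2:LicenseRef-MIT-Style-2"))
	fmt.Println(Matches("DocumentRef-spdx-tool-1.2:LicenseRef-MIT-Style-2", "LicenseRef-MIT-Style-2"))
}
```

Rejecting malformed references before they reach an allow-list keeps a typo such as a missing ":" from being silently treated as an unknown but acceptable identifier.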
Use case for extending the list of valid licenses
Go and the related golang.org/x libraries are licensed under a BSD-3-Clause license plus a patent grant from Google that makes a stipulation about not suing them over patent infringement for that package.
SPDX explicitly said they didn't want to call the patent grant an "exception" (Issue #646), and a new license string has not been included. ClearlyDefined, following their lead, returns this license as BSD-3-Clause AND OTHER.
This use case can be handled by using a user defined LicenseRef that extends the canonical set defined by SPDX.
NOTE: Adding OTHER as a LicenseRef is too broad. In our local work using spdx-expression, BSD-3-Clause AND OTHER is manually converted to the testExpression LicenseRef-X-BSD-3-Clause-Golang before calling Satisfies. LicenseRef-X-BSD-3-Clause-Golang needs to be in the allowedList. The examples in the How to use with Satisfies section show the use of this LicenseRef.
What's Changed
Full Changelog: v0.1.0...v0.2.0
Release v0.1.0
Overview
This is the first release of the spdx-expression repository defining the spdxexp Go package. The package defines a single function in the public API to check compatibility of an SPDX expression (e.g. Apache-2.0 AND MIT) with an allowed list of licenses (e.g. Apache-2.0, ISC, MIT). A common use case is checking the license requirements for a repository against a policy list of allowed licenses.
Public API
Satisfies
Function definition:
func Satisfies(testExpression string, allowedList []string)
where,
- testExpression string is a valid SPDX license expression (e.g. "MIT", "Apache-1.0+", "MIT AND Apache-2.0", "MIT OR Apache-2.0")
- allowedList []string is an array of SPDX license identifiers (e.g. ["MIT" "Apache-1.0+"]). Licenses in the allowedList are generally single license identifiers (e.g. "MIT", "Apache-1.0", "Apache-2.0"). There is support for a subset of SPDX license expressions. The supported subset is limited to specifying multi-versions (e.g. "Apache-1.0+", "GPL-2.0-or-later") and exceptions (e.g. "Apache-2.0 with Bison-exception-2.2").
Limitations
In this release, there is limited support for LicenseRef and DocumentRef. Expressions and licensing using these may not resolve as expected.