
Releases: github/go-spdx

Release v0.3.2

30 Nov 23:20
1cab0d6

Overview

Improve documentation with examples and package level doc.

Required Action for Upgrading

There are no steps required to move to this release.

What's Changed

  • add example tests that will be part of generated docs #24 (@elrayle)
  • add package level documentation #25 (@elrayle)

Full Changelog: v0.3.1...v0.3.2

Release v0.3.1

30 Nov 21:16
1cab0d6

Overview

Add a test case for the OTHER license. Add TestSatisfiesSingle, which makes it easy to modify the variables and run an ad hoc test.

Required Action for Upgrading

There are no steps required to move to this release. This release adds tests only.

Details

TestSatisfiesSingle

You can test the Satisfies function with specific values and set the expected outcome. To create an ad hoc test:

  • edit spdxexp/satisfies_test.go
  • update the variables for the parameters (expression, allowedList)
  • update expectedResult to either true or false
  • run the test:
    go test ./spdxexp -run TestSatisfiesSingle

What's Changed

  • add test that can be easily updated to validate a specific expression to an allowed-list #22 (@elrayle)
  • add test that includes OTHER error #23 (@elrayle)

Full Changelog: v0.3.0...v0.3.1

Release v0.3.0

18 Nov 21:21
00d018e

Overview

Add the public API function ValidateLicenses, which is used to determine whether any of the provided licenses are invalid.

Required Action for Upgrading

There are no steps required to move to this release. This release adds an additional function to the public API. There are no changes to the existing API functions.

Details

ValidateLicenses

// ValidateLicenses checks if given licenses are valid according to spdx. Returns true if all the licenses are valid; otherwise, returns false and a slice of the invalid licenses.
ValidateLicenses(licenses []string) (bool, []string)

parameter: licenses

licenses is a slice of strings, each of which is validated as an SPDX license identifier.

returns

ValidateLicenses has two return values. The first is a bool that is true if all of the provided licenses are valid, and false otherwise.

The second return value is a slice containing every invalid license that was provided. It is empty when the first value is true.

Example: ValidateLicenses returns no invalid licenses

valid, invalidLicenses := ValidateLicenses([]string{"Apache-2.0"})
assert.True(valid)
assert.Empty(invalidLicenses)

Example: ValidateLicenses returns invalid licenses

valid, invalidLicenses := ValidateLicenses([]string{"NON-EXISTENT-LICENSE", "MIT"})
assert.False(valid)
assert.Contains(invalidLicenses, "NON-EXISTENT-LICENSE")
assert.NotContains(invalidLicenses, "MIT")

What's Changed

Full Changelog: v0.2.0...v0.3.0

Release v0.2.0

05 Oct 15:45
93ac344

Overview

This release adds support for passing LicenseRef and DocumentRef to the Satisfies function as part of an SPDX license expression.

Required Action for Upgrading

There are no steps required to move to this release. This release is filling out functionality in the existing infrastructure. There are no API changes.

Details

What is a LicenseRef and DocumentRef

The SPDX specification defines these terms in Annex D: SPDX License Expressions. A user-defined license reference is a LicenseRef-prefixed identifier, optionally qualified by the DocumentRef-prefixed identifier of the SPDX document that defines it:

An SPDX user defined license reference: ["DocumentRef-"1*(idstring)":"]"LicenseRef-"1*(idstring)

Examples:

LicenseRef-23
LicenseRef-MIT-Style-1
DocumentRef-spdx-tool-1.2:LicenseRef-MIT-Style-2

How to use with Satisfies

Examples

allowedListWithout := []string{"MIT", "Apache-2.0"}
allowedListWithLicenseRef := []string{"MIT", "Apache-2.0", "LicenseRef-X-BSD-3-Clause-Golang"}
allowedListWithDocumentRefLicenseRef := []string{"MIT", "Apache-2.0", "DocumentRef-spdx-tool-1.2:LicenseRef-X-BSD-3-Clause-Golang"}

Satisfies("LicenseRef-X-BSD-3-Clause-Golang", allowedListWithLicenseRef) // true
Satisfies("MIT AND LicenseRef-X-BSD-3-Clause-Golang", allowedListWithLicenseRef) // true
Satisfies("MIT AND Apache-2.0", allowedListWithLicenseRef) // true

Satisfies("MIT AND LicenseRef-X-BSD-3-Clause-Golang", allowedListWithout) // false

Satisfies("DocumentRef-spdx-tool-1.2:LicenseRef-X-BSD-3-Clause-Golang", allowedListWithDocumentRefLicenseRef) // true
Satisfies("MIT AND DocumentRef-spdx-tool-1.2:LicenseRef-X-BSD-3-Clause-Golang", allowedListWithDocumentRefLicenseRef) // true
Satisfies("MIT AND Apache-2.0", allowedListWithDocumentRefLicenseRef) // true

Satisfies("MIT AND DocumentRef-spdx-tool-1.2:LicenseRef-X-BSD-3-Clause-Golang", allowedListWithout) // false
Satisfies("MIT AND DocumentRef-spdx-tool-1.2:LicenseRef-X-BSD-3-Clause-Golang", allowedListWithLicenseRef) // false
Satisfies("MIT AND LicenseRef-X-BSD-3-Clause-Golang", allowedListWithDocumentRefLicenseRef) // false

Note that a DocumentRef-qualified reference and the bare LicenseRef of the same name are distinct identifiers: as the last two calls show, one does not satisfy an allowedList that contains only the other. The allowedList must carry the reference in exactly the form the expression uses.

Use case for extending the list of valid licenses

Go and the related golang.org/x libraries are licensed under a BSD-3-Clause license plus a patent grant from Google, which stipulates that the licensee will not sue Google over patent infringement for that package.

SPDX explicitly said they did not want to call the patent grant an "exception" (Issue #646), and no new license identifier has been added for it. ClearlyDefined, following their lead, reports this license as BSD-3-Clause AND OTHER.

This use case can be handled with a user-defined LicenseRef that extends the canonical set of identifiers defined by SPDX.

NOTE: Adding OTHER itself to the allowedList as a LicenseRef is too broad, since OTHER stands for any unrecognized license. In our local work using spdx-expression, BSD-3-Clause AND OTHER is manually converted to the testExpression LicenseRef-X-BSD-3-Clause-Golang before calling Satisfies, and LicenseRef-X-BSD-3-Clause-Golang is added to the allowedList. The examples in the How to use with Satisfies section show the use of this LicenseRef.
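The Annex D grammar quoted above and the OTHER-to-LicenseRef conversion described in this section, worked through as one added Go example that is not part of go-spdx: a parser for the user-defined reference form (optional DocumentRef qualifier, then LicenseRef, each followed by an idstring of letters, digits, "-" and "."), and a fail-closed normalization step that rewrites a mapped OTHER expression to its reviewed LicenseRef and rejects any expression that still carries OTHER or a malformed reference. The otherMappings table, the NormalizeExpression and ParseLicenseRef names, and the sample inputs are assumptions for illustration; the returned expression is what would then be handed to Satisfies, with the same LicenseRef present in the allowedList.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// licenseRefRE encodes the Annex D form for a user-defined license reference:
//   ["DocumentRef-"1*(idstring)":"]"LicenseRef-"1*(idstring)
// with idstring = 1*(ALPHA / DIGIT / "-" / "."). The prefixes are matched
// exactly as written in the spec; each idstring must be non-empty.
var licenseRefRE = regexp.MustCompile(`^(?:DocumentRef-([A-Za-z0-9.-]+):)?LicenseRef-([A-Za-z0-9.-]+)$`)

// LicenseRef is the parsed form of a user-defined license reference.
type LicenseRef struct {
	DocumentRef string // empty when the reference is not qualified by a document
	LicenseRef  string
}

// ParseLicenseRef returns the parsed reference and true when s matches the
// grammar, or a zero value and false otherwise.
func ParseLicenseRef(s string) (LicenseRef, bool) {
	m := licenseRefRE.FindStringSubmatch(s)
	if m == nil {
		return LicenseRef{}, false
	}
	return LicenseRef{DocumentRef: m[1], LicenseRef: m[2]}, true
}

// otherMappings is a hypothetical local policy table (not part of the project):
// it maps an expression that a scanner reports with the catch-all OTHER to a
// specific, reviewed LicenseRef. Anything not listed here is rejected.
var otherMappings = map[string]string{
	"BSD-3-Clause AND OTHER": "LicenseRef-X-BSD-3-Clause-Golang",
}

// NormalizeExpression rewrites a scanner expression into a form suitable for a
// Satisfies-style check against an allowed list. It fails closed: an expression
// that still contains OTHER after mapping is an error, as is any LicenseRef or
// DocumentRef token that does not match the Annex D grammar.
func NormalizeExpression(expr string) (string, error) {
	expr = strings.Join(strings.Fields(expr), " ") // collapse whitespace so the lookup is exact
	if mapped, ok := otherMappings[expr]; ok {
		expr = mapped
	}
	for _, tok := range strings.Fields(expr) {
		tok = strings.Trim(tok, "()")
		switch {
		case tok == "AND", tok == "OR", tok == "WITH":
			continue // expression operators, not identifiers
		case tok == "OTHER":
			return "", fmt.Errorf("unmapped OTHER in %q: not treated as allowed", expr)
		case strings.HasPrefix(tok, "LicenseRef-"), strings.HasPrefix(tok, "DocumentRef-"):
			if _, ok := ParseLicenseRef(tok); !ok {
				return "", fmt.Errorf("malformed license reference %q", tok)
			}
		}
	}
	return expr, nil
}

func main() {
	// Constructed inputs resembling what a scanner such as ClearlyDefined reports.
	for _, e := range []string{
		"BSD-3-Clause AND OTHER",
		"MIT AND DocumentRef-spdx-tool-1.2:LicenseRef-X-BSD-3-Clause-Golang",
		"GPL-2.0-only AND OTHER",
		"MIT AND LicenseRef-bad/id",
	} {
		out, err := NormalizeExpression(e)
		if err != nil {
			fmt.Printf("reject %q: %v\n", e, err)
			continue
		}
		fmt.Printf("accept %q -> %q\n", e, out)
	}
}
```

The mapping is keyed on the whole expression rather than on the OTHER token alone so that a catch-all attached to some other license cannot inherit the Go-specific reference by accident; extending the policy means adding a reviewed entry, not loosening the check.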

What's Changed

  • add support for licenseRefs processing in Satisfies #19 (@elrayle)

Full Changelog: v0.1.0...v0.2.0

Release v0.1.0

14 Sep 17:01
96f5a7c

Overview

This is the first release of the spdx-expression repository, which defines the spdxexp Go package. The package defines a single function in the public API to check the compatibility of an SPDX expression (e.g. Apache-2.0 AND MIT) with an allowed list of licenses (e.g. Apache-2.0, ISC, MIT). A common use case is checking the license requirements of a repository against a policy list of allowed licenses.

Public API

Satisfies

Function definition:

func Satisfies(testExpression string, allowedList []string)

where,

  • testExpression string is a valid SPDX license expression (e.g. "MIT", "Apache-1.0+", "MIT AND Apache-2.0", "MIT OR Apache-2.0")
  • allowedList []string is a slice of SPDX license identifiers (e.g. []string{"MIT", "Apache-1.0+"}). Entries in the allowedList are generally single license identifiers (e.g. "MIT", "Apache-1.0", "Apache-2.0"). A limited subset of SPDX license expressions is also supported in the allowedList: version ranges (e.g. "Apache-1.0+", "GPL-2.0-or-later") and exceptions (e.g. "Apache-2.0 WITH Bison-exception-2.2").

Limitations

In this release, there is limited support for LicenseRef and DocumentRef. Expressions and allowedList entries using these may not resolve as expected.