
SPDX is_compound_expression does not strictly check for compound expression #765

Open
Joerki opened this issue Jan 28, 2025 · 1 comment


Joerki commented Jan 28, 2025

The function call `res = __SPDX_EXPRESSION_LICENSING.validate(value)` in spdx.py's is_compound_expression function is not checking for a compound expression.

The validate function checks whether the given string is a valid SPDX expression (simple or compound expression) and checks the license values against license_expression module's license database (including SPDX list identifiers and LicenseRef-scancode-* values).

Currently:

```python
def is_compound_expression(value: str) -> bool:
    """Validate compound expression.

    .. note::
        Utilizes `license-expression library`_ to
        validate SPDX compound expression according to `SPDX license expression spec`_.

    .. _SPDX license expression spec: https://spdx.github.io/spdx-spec/v2.3/SPDX-license-expressions/
    .. _license-expression library: https://github.com/nexB/license-expression
    """
    try:
        res = __SPDX_EXPRESSION_LICENSING.validate(value)
    except Exception:
        # the throw happens when internals crash due to unexpected input characters.
        return False
    return 0 == len(res.errors)
```

To check solely for a valid compound expression, it has to be:

```python
from license_expression import get_spdx_licensing, OR, AND

...

    try:
        expression = __SPDX_EXPRESSION_LICENSING.parse(value, validate=True)
        return type(expression) in [OR, AND]
    except Exception:
        ...
...
```

The test cases in the TestSpdxIsCompoundExpression class do not consider tests with a single valid SPDX ID from the official license list or a LicenseRef-scancode-* ID from license-expression's internal database.

With the definition

```python
VALID_COMPOUND_EXPRESSIONS = {
    # for valid test data see the spec: https://spdx.github.io/spdx-spec/v2.3/SPDX-license-expressions/
    '(MIT AND Apache-2.0)',
    'BSD-2-Clause OR Apache-2.0',
    'MIT',
    'LicenseRef-scancode-3com-microcode'
}
```

all cases succeed, even the cases with a simple expression.
According to the name and description of is_compound_expression, a simple-expression license parameter must result in a failure.
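
Added example, not the project's spdx.py code and not the license-expression library: a self-contained stand-in that shows why "valid expression" and "compound expression" are different questions. `classify()` returns 'simple' for the inputs validate() accepts anyway, and 'compound' only when the top-level operator is AND or OR, which is the criterion in the proposed fix (so a WITH clause on its own counts as simple); `KNOWN_IDS` is a constructed substitute for the library's license database.

```python
import re
# Constructed stand-in for the license database that validate() consults;
# the real one holds the full SPDX list plus LicenseRef-scancode-* ids.
KNOWN_IDS = {"MIT", "Apache-2.0", "BSD-2-Clause", "GPL-2.0-only",
             "Classpath-exception-2.0", "LicenseRef-scancode-3com-microcode"}
_TOKEN = re.compile(r"[()]|[A-Za-z0-9.+-]+|\S")  # stray chars become tokens
_PREC = {"OR": 1, "AND": 2}  # AND binds tighter than OR

def parse(value: str):
    """Precedence-climbing parse: returns a bare id or (op, left, right)."""
    toks = _TOKEN.findall(value) + ["<end>"]  # sentinel is never consumed
    peek = lambda: toks[0]
    take = lambda: toks.pop(0) if len(toks) > 1 else toks[0]
    def known(tok):
        if tok not in KNOWN_IDS:
            raise ValueError(f"expected a license id, got {tok!r}")
        return tok
    def primary():  # '(' expression ')' | id ['WITH' exception-id]
        tok = take()
        if tok == "(":
            node = expression(0)
            if take() != ")":
                raise ValueError("missing ')'")
            return node
        if peek() == "WITH":  # exception clause: not an AND/OR node
            take()
            return ("WITH", known(tok), known(take()))
        return known(tok)
    def expression(min_prec):  # left-associative binary operators
        node = primary()
        while peek() in _PREC and _PREC[peek()] >= min_prec:
            op = take()
            node = (op, node, expression(_PREC[op] + 1))
        return node
    node = expression(0)
    if peek() != "<end>":
        raise ValueError(f"trailing token {peek()!r}")
    return node

def classify(value: str) -> str:
    """'invalid', 'simple' (validate() accepts it too) or 'compound'."""
    try:
        node = parse(value)
    except ValueError:
        return "invalid"
    compound = isinstance(node, tuple) and node[0] in ("AND", "OR")
    return "compound" if compound else "simple"

def is_compound_expression(value: str) -> bool:
    return classify(value) == "compound"
```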

jkowalleck (Member) commented Jan 29, 2025

proposed fix: rename spdx.is_compound_expression to spdx.is_expression

feel free to open a pull request with the needed changes.
