
In SPDX output, have PackageLicenseDeclared give the license directly instead of creating an unnecessary LicenseRef. #1147

Closed
vargenau opened this issue Apr 6, 2022 · 6 comments · Fixed by #1159

Comments

@vargenau
Contributor

vargenau commented Apr 6, 2022

Describe the Feature
In SPDX output, have PackageLicenseDeclared give the license directly instead of creating an unnecessary LicenseRef.

Use Cases
It will be easier for tools to process the SPDX files.

Implementation Changes
One would need to be able to identify a license already in SPDX format.

Tern is run with the following command:

tern report -f spdxtagvalue -i danmcni/danm-cni-plugins:latest -o danm-cni-plugins.spdx

danm-cni-plugins.spdx.txt

In the SPDX output file, you have the following:

PackageLicenseDeclared: LicenseRef-c66410f

and

LicenseID: LicenseRef-c66410f
ExtractedText: <text>Original license: GPL-2.0-only</text>

The license here is correctly detected and the name is the one found in the SPDX license list.
So it would be much better to output:

PackageLicenseDeclared: GPL-2.0-only
@rnjudge
Contributor

rnjudge commented Apr 12, 2022

Thanks for the issue @vargenau. Unfortunately, we can't always use the direct license value as we have no way of checking currently if the license is an approved license on the SPDX license list. Additionally, sometimes licenses that are on the approved license list are not reported using the correct identifier and we would need a way to interpret these causes and augment these licenses to their correct license identifier. Therefore, we have to default to using a LicenseRef currently.

Your suggestion would certainly be a good enhancement and we have an issue open for this: #281. There was also talk in the SPDX community a few years ago about creating a license mapping repo but not much work has been done on this yet. I think the repo was created but no commits have been added.

@vargenau
Contributor Author

Hi Rose,

The following Python code should be able to do the job: https://pypi.org/project/spdx-lookup/.

Are you aware of it?

@ivanayov
Contributor

I can work on this.

@rnjudge
Contributor

rnjudge commented Apr 14, 2022

> Hi Rose,
>
> The following Python code should be able to do the job: https://pypi.org/project/spdx-lookup/.
>
> Are you aware of it?

I was not aware, thank you! We will try to use this.

@vargenau
Contributor Author

Hi,

I have found a better SPDX license expression parser:
https://github.com/nexB/license-expression

To install it:

pip install license-expression

Then you have to apply the following patch to the file formats/spdx/spdxtagvalue/package_helpers.py

12a13
> from license_expression import get_spdx_licensing
13a15,19
> def is_spdx_license_expression(license):
>     '''Return True if the license is a valid SPDX license expression, else
>     return False'''
>     licensing = get_spdx_licensing()
>     return licensing.validate(license).errors == []
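Review bot: `is_spdx_license_expression` calls `get_spdx_licensing()` on every invocation, and this helper runs once per package, so the SPDX license index is loaded and built repeatedly; build the `Licensing` object once at module level (or cache it) and reuse it. Minor: the parameter name `license` shadows the Python builtin; `expression` would read better.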
56,58c62,68
<     if mapping['PackageLicenseDeclared']:
<         block += 'PackageLicenseDeclared: {}\n'.format(
<             spdx_common.get_license_ref(mapping['PackageLicenseDeclared']))
---
>     declared = mapping['PackageLicenseDeclared']
>     if declared:
>         if is_spdx_license_expression(declared):
>             block += 'PackageLicenseDeclared: ' + declared + '\n'
>         else:
>             block += 'PackageLicenseDeclared: {}\n'.format(
>                 spdx_common.get_license_ref(declared))
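Review bot: the valid branch writes `declared` straight into `PackageLicenseDeclared`, but nothing here suppresses the separate `LicenseID`/`ExtractedText` block that is still generated for the same license (as noted below the patch), so the output carries an orphaned LicenseRef; gate the extracted-license block with the same `is_spdx_license_expression` check so both sections agree.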

This will produce a PackageLicenseDeclared as proposed above.

What remains to do is to remove the now useless LicenseID and ExtractedText that are still generated, I did not find an easy way to do it.

Also, this is for the SPDX tag:value format only; I did not check what needs to be done for the SPDX JSON format.

Tell me if this is useful and can be integrated.
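A self-contained illustration of the approach discussed in this comment (an added example, not Tern's code and not the patch above): a minimal SPDX expression validator over a constructed subset of the license list, plus a helper that writes `PackageLicenseDeclared` directly for valid expressions and emits the `LicenseID`/`ExtractedText` block only when a LicenseRef is actually needed. The id subset and the `LicenseRef-<hash>` naming are assumptions for the demo.

```python
import hashlib
import re

# Constructed subset of the SPDX license/exception lists (assumption for the demo).
SPDX_IDS = {"MIT", "Apache-2.0", "GPL-2.0-only", "GPL-2.0-or-later", "BSD-3-Clause"}
SPDX_EXCEPTIONS = {"Classpath-exception-2.0", "LLVM-exception"}
_TOKEN = re.compile(r"\(|\)|[A-Za-z0-9.-]+")

def _parse_term(tokens, pos):
    """Parse '( expr )' or 'id [WITH exception]'; return next pos or None."""
    if pos >= len(tokens):
        return None
    if tokens[pos] == "(":
        pos = _parse_expr(tokens, pos + 1)
        if pos is None or pos >= len(tokens) or tokens[pos] != ")":
            return None
        return pos + 1
    if tokens[pos] not in SPDX_IDS:
        return None  # unknown id, or an operator where an id was expected
    pos += 1
    if pos < len(tokens) and tokens[pos] == "WITH":
        if pos + 1 >= len(tokens) or tokens[pos + 1] not in SPDX_EXCEPTIONS:
            return None
        pos += 2
    return pos

def _parse_expr(tokens, pos):
    """Parse 'term ((AND|OR) term)*'; return next pos or None."""
    pos = _parse_term(tokens, pos)
    while pos is not None and pos < len(tokens) and tokens[pos] in ("AND", "OR"):
        pos = _parse_term(tokens, pos + 1)
    return pos

def is_spdx_license_expression(expr):
    """True only if expr is a well-formed expression over known SPDX ids."""
    tokens = _TOKEN.findall(expr)
    # Stray characters (e.g. the ':' in "Original license: GPL-2.0-only") fail here.
    if not tokens or "".join(tokens) != "".join(expr.split()):
        return False
    return _parse_expr(tokens, 0) == len(tokens)

def package_license_block(declared):
    """Return (package lines, extracted-license lines); LicenseRef naming is assumed."""
    if not declared:
        return "", ""
    if is_spdx_license_expression(declared):
        return "PackageLicenseDeclared: {}\n".format(declared), ""
    ref = "LicenseRef-" + hashlib.sha256(declared.encode()).hexdigest()[:7]
    extracted = "LicenseID: {}\nExtractedText: <text>Original license: {}</text>\n".format(ref, declared)
    return "PackageLicenseDeclared: {}\n".format(ref), extracted
```

Because both sections come from one decision, a package that validates gets no extracted-license entry at all, which is the remaining piece the patch above leaves open.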

@ivanayov
Contributor

Thank you @vargenau, it was very useful. It's addressed for both tag/value and json in #1159.

rnjudge added a commit that referenced this issue Jun 9, 2022
Previously the `PackageLicenseDeclared` and `licenseDeclared` data
for spdxtagvalue and spdxjson, respectively, were set to license reference
of type LicenseRef-df8cb33 which is not informative. This change updates
that data to the actual license info, f.e. MIT, in case a license is declared,
or the LicenseRef-df8cb33 value if it's not

Resolves #1147

Signed-off-by: Ivana Atanasova <iyovcheva@vmware.com>