Are license expressions validated?
zvr opened this issue
I was very surprised when a document with arbitrary strings for license names was validated as valid SPDX.
Is the validation only on the structural level and not on the value of strings?
For example, https://gist.github.com/zvr/0c07cf7c88c12abb62822592cf73e033 has a complete document that the online tools show as valid SPDX (and happily convert to other formats).
I would imagine that the license strings Apache-2.0-with-LLVM-exception, GPL-2.0-with-OpenSSL-exception, and GPL-3.0-with-GCC-exception are not valid SPDX License Expressions.
Thanks @zvr for reporting this.
Something is definitely broken in verify.
The above referenced license IDs would be interpreted as a non-listed license by the parser. I checked, and verify should report an error if a non-listed license doesn't start with LicenseRef-, but for some reason verify is not getting called on the extracted license.
There was a recent performance optimization, I wonder if that broke this functionality. I'll do some more digging today or over the weekend.
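To make the rule described in the comment above concrete, here is an added example validator in Python. It is not code from the SPDX Java Library or from anyone in this thread; it is a small recursive-descent parser for SPDX license expressions that applies exactly the check the maintainer describes: an identifier that is not on the license list is accepted only if it is a LicenseRef (optionally qualified with DocumentRef-...:), and any other unknown identifier is reported. The license and exception lists are a constructed subset (assumption, not the real lists), operators are matched case-sensitively, no check is made that a `+` or an exception is meaningful for that particular license, and all function and class names are my own.

```python
"""Toy SPDX license-expression validator (added example, not SPDX Java Library code).

Rule demonstrated: an identifier that is not on the SPDX license list is only
acceptable when it is a license reference, [DocumentRef-<id>:]LicenseRef-<id>.
"""
import re

# Constructed subset of the SPDX license and exception lists (assumption);
# the real lists are far longer.
LISTED_LICENSES = {
    "Apache-2.0", "MIT", "BSD-3-Clause",
    "GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only", "GPL-3.0-or-later",
}
LISTED_EXCEPTIONS = {"LLVM-exception", "GCC-exception-3.1", "Classpath-exception-2.0"}

IDSTRING = r"[A-Za-z0-9.\-]+"
LICENSE_REF_RE = re.compile(rf"^(DocumentRef-{IDSTRING}:)?LicenseRef-{IDSTRING}$")
# Parentheses, identifiers (with optional DocumentRef prefix and trailing '+'),
# and any other stray non-space character as a one-character token.
TOKEN_RE = re.compile(rf"\(|\)|{IDSTRING}(?::{IDSTRING})?\+?|\S")
KEYWORDS = {"AND", "OR", "WITH"}


def tokenize(expr):
    """Split an expression into parentheses, keywords, identifiers and stray characters."""
    return TOKEN_RE.findall(expr)


class _Parser:
    """Grammar: disjunction := conjunction (OR conjunction)*
                conjunction := with_expr (AND with_expr)*
                with_expr   := primary [WITH exception-id]
                primary     := '(' disjunction ')' | license-id['+'] | license-ref"""

    def __init__(self, tokens, licenses, exceptions):
        self.tokens, self.pos = tokens, 0
        self.licenses, self.exceptions = licenses, exceptions
        self.problems = []

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def parse(self):
        self.disjunction()
        if self.peek() is not None:  # leftover input such as a stray comma
            self.problems.append(f"unexpected token {self.peek()!r}")
        return self.problems

    def disjunction(self):
        self.conjunction()
        while self.peek() == "OR":
            self.take()
            self.conjunction()

    def conjunction(self):
        self.with_expr()
        while self.peek() == "AND":
            self.take()
            self.with_expr()

    def with_expr(self):
        self.primary()
        if self.peek() == "WITH":
            self.take()
            exc = self.take()
            if exc is None or exc in KEYWORDS or exc in ("(", ")"):
                self.problems.append("WITH must be followed by an exception id")
            elif exc not in self.exceptions:
                self.problems.append(f"{exc!r} is not on the SPDX exception list")

    def primary(self):
        tok = self.take()
        if tok == "(":
            self.disjunction()
            if self.take() != ")":
                self.problems.append("missing ')'")
            return
        if tok is None or tok in KEYWORDS or tok == ")":
            self.problems.append(f"expected license id, got {tok!r}")
            return
        self.check_license_id(tok)

    def check_license_id(self, tok):
        """The check from the issue: listed id, or LicenseRef-, otherwise an error."""
        base = tok[:-1] if tok.endswith("+") else tok
        if base in self.licenses:
            return
        if LICENSE_REF_RE.match(base):
            if tok.endswith("+"):  # '+' is only defined for listed license ids
                self.problems.append(f"'+' is not allowed on a license reference: {tok!r}")
            return
        self.problems.append(
            f"{base!r} is not on the SPDX license list and does not start with LicenseRef-")


def validate_expression(expr, licenses=LISTED_LICENSES, exceptions=LISTED_EXCEPTIONS):
    """Return the list of problems found in expr; an empty list means it is valid."""
    return _Parser(tokenize(expr), licenses, exceptions).parse()


def is_valid(expr, **kw):
    return not validate_expression(expr, **kw)


if __name__ == "__main__":
    for e in ("Apache-2.0 WITH LLVM-exception", "(MIT OR Apache-2.0) AND LicenseRef-internal",
              "Apache-2.0-with-LLVM-exception", "GPL-2.0-with-OpenSSL-exception",
              "GPL-3.0-with-GCC-exception"):
        print(f"{e!r}: {validate_expression(e) or 'valid'}")
```

Run directly, the three strings from the issue are each rejected for the reason the maintainer gives: the whole string tokenizes as one identifier that is neither on the list nor a LicenseRef-, whereas the spelled-out form `Apache-2.0 WITH LLVM-exception` passes. A structural-only check (the situation the issue describes) would accept all of them, since they are syntactically just single identifiers.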
Found the issue - it was a performance optimization made some time ago which assumes the parser is validating all elements - apparently this isn't true for the JSON parser.
The issue is with the SPDX Java Library - transferring this issue to that repo.