spdx / Spdx-Java-Library

Java library which implements the Java object model for SPDX and provides useful helper functions


Are license expressions validated?

zvr opened this issue · comments

I was very surprised when a document with arbitrary strings for license names was validated as valid SPDX.

Is the validation only on the structural level and not on the value of strings?

For example, https://gist.github.com/zvr/0c07cf7c88c12abb62822592cf73e033 has a complete document that the online tools show as valid SPDX (and happily convert to other formats).

I would imagine that the license strings Apache-2.0-with-LLVM-exception, GPL-2.0-with-OpenSSL-exception, and GPL-3.0-with-GCC-exception are not valid SPDX License Expressions.

Thanks @zvr for reporting this.

Something is definitely broken in verify.

The above referenced license IDs would be interpreted as a non-listed license by the parser. I checked and verify should report an error if a non-listed license doesn't start with LicenseRef-, but for some reason verify is not getting called on the extracted license.

There was a recent performance optimization, I wonder if that broke this functionality. I'll do some more digging today or over the weekend.
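The rule described in the comment above (a license identifier must either be on the SPDX License List or start with `LicenseRef-`, and anything after `WITH` must be a listed exception) is easy to check independently of the structural parse. The following is an added stand-alone example, not code from the Spdx-Java-Library, showing a small expression validator that applies that rule to the strings from the issue. `LISTED_LICENSES` and `LISTED_EXCEPTIONS` are constructed subsets of the real SPDX lists; a real validator would load the full lists from the SPDX release data.

```python
import re

# Constructed sample subsets of the SPDX License List and exception list.
LISTED_LICENSES = {
    "Apache-2.0", "GPL-2.0-only", "GPL-2.0-or-later",
    "GPL-3.0-only", "GPL-3.0-or-later", "MIT", "BSD-3-Clause",
}
LISTED_EXCEPTIONS = {"LLVM-exception", "GCC-exception-3.1", "Classpath-exception-2.0"}

# Tokens are '(' , ')' or any run of non-space, non-parenthesis characters.
TOKEN_RE = re.compile(r"\(|\)|[^\s()]+")
# idstring = 1*(ALPHA / DIGIT / "-" / ".") as used after LicenseRef- / DocumentRef-
IDSTRING_RE = re.compile(r"^[A-Za-z0-9.\-]+$")
OPERATORS = ("AND", "OR", "WITH", "(", ")")


def validate_license_expression(expr):
    """Return a list of error messages; an empty list means the expression is valid.

    Grammar checked: expr := term (("AND"|"OR") term)*
                     term := "(" expr ")" | license-id ["WITH" exception-id]
    """
    tokens = TOKEN_RE.findall(expr)
    errors = []
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def check_license_id(tok):
        # A trailing "+" (or-later) is only meaningful on a listed license.
        if tok.endswith("+"):
            if tok[:-1] not in LISTED_LICENSES:
                errors.append(f"'{tok}': '+' may only follow a listed license identifier")
            return
        if tok in LISTED_LICENSES:
            return
        ref = tok
        # External reference form: DocumentRef-idstring:LicenseRef-idstring
        if ref.startswith("DocumentRef-"):
            doc, sep, ref = ref.partition(":")
            if not sep or not IDSTRING_RE.match(doc[len("DocumentRef-"):]):
                errors.append(f"'{tok}': malformed DocumentRef prefix")
                return
        # This is the check the issue is about: a non-listed license must be a LicenseRef-.
        if not ref.startswith("LicenseRef-") or not IDSTRING_RE.match(ref[len("LicenseRef-"):]):
            errors.append(
                f"'{tok}' is not on the SPDX License List and is not a valid LicenseRef-"
            )

    def parse_term():
        nonlocal pos
        tok = peek()
        if tok is None:
            errors.append("unexpected end of expression")
            return
        if tok == "(":
            pos += 1
            parse_expr()
            if peek() == ")":
                pos += 1
            else:
                errors.append("missing closing parenthesis")
            return
        if tok in OPERATORS:
            errors.append(f"unexpected token '{tok}'")
            pos += 1
            return
        pos += 1
        check_license_id(tok)
        if peek() == "WITH":
            pos += 1
            exc = peek()
            if exc is None or exc in OPERATORS:
                errors.append("WITH must be followed by an exception identifier")
                return
            pos += 1
            if exc not in LISTED_EXCEPTIONS:
                errors.append(f"'{exc}' is not a listed SPDX exception")

    def parse_expr():
        nonlocal pos
        parse_term()
        while peek() in ("AND", "OR"):
            pos += 1
            parse_term()

    parse_expr()
    if pos < len(tokens):
        errors.append(f"unexpected trailing token '{tokens[pos]}'")
    return errors


if __name__ == "__main__":
    # The three strings from the issue, plus the spelling SPDX actually expects.
    for e in ("Apache-2.0-with-LLVM-exception", "GPL-2.0-with-OpenSSL-exception",
              "GPL-3.0-with-GCC-exception", "Apache-2.0 WITH LLVM-exception"):
        print(f"{e!r}: {validate_license_expression(e) or 'valid'}")
```

Each of the three strings from the gist is a single token that is neither listed nor a `LicenseRef-`, so the validator returns one error for each, which is the behaviour the issue expects from `verify`.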

Found the issue - it was a performance optimization made some time ago which assumes the parser is validating all elements - apparently this isn't true for the JSON parser.

The issue is with the SPDX Java Library - transferring this issue to that repo.