Golang implementation of a checker for determining if an SPDX ID satisfies an SPDX Expression.
Andrew Henry df5d42ebe2 feat: add method for extracting licenses from expression 2023-09-18 13:20:22 -04:00
.github Bump actions/checkout from 3 to 4 2023-09-05 06:33:07 +00:00
cmd add documentation for license extraction utility 2023-01-17 09:33:29 -05:00
script add files required for open-sourcing 2022-10-05 17:18:56 -04:00
spdxexp feat: add method for extracting licenses from expression 2023-09-18 13:20:22 -04:00
.gitignore Initial commit 2022-08-24 07:16:07 -04:00
.golangci.yaml add files required for open-sourcing 2022-10-05 17:18:56 -04:00
CODEOWNERS Add myself to CODEOWNERS 2023-03-20 21:34:17 -04:00
CODE_OF_CONDUCT.md add files required for open-sourcing 2022-10-05 17:18:56 -04:00
CONTRIBUTING.md rename spdx package expression 2022-11-30 19:25:19 -05:00
LICENSE Create LICENSE 2022-08-24 12:32:47 -04:00
README.md Add Go Playground for testing spdx.Satisfies 2023-07-19 13:59:46 -04:00
SECURITY.md add files required for open-sourcing 2022-10-05 17:18:56 -04:00
SUPPORT.md rename spdx package expression 2022-11-30 19:25:19 -05:00
go.mod module name must end in v2 for latest go conventions 2022-12-01 12:09:55 -05:00
go.sum add example tests that will be part of generated docs 2022-11-30 17:58:40 -05:00

README.md


go-spdx

Golang implementation of a checker for determining if a set of SPDX IDs satisfies an SPDX Expression.

Installation

There are several ways to include a Go package. To download and install this one, use go get:

go get github.com/github/go-spdx@latest

Packages

  • spdxexp - The expression package validates licenses and determines whether a license expression is satisfied by a list of licenses. Whether a license is valid is determined by the SPDX license list.

Public API

NOTE: The public API is initially limited to the Satisfies and ValidateLicenses functions. If there is interest in the output of the parser or license checking being public, please submit an issue for consideration.

Function: Satisfies

Satisfies(testExpression string, allowedList []string, options *Options)

Parameter: testExpression

testExpression is an SPDX expression describing the licensing terms of source code or a binary file.

Example expressions that can be used for testExpression:

"MIT"
"MIT AND Apache-2.0"
"MIT OR Apache-2.0"
"MIT AND (Apache-1.0 OR Apache-2.0)"
"Apache-1.0+"
"DocumentRef-spdx-tool-1.2:LicenseRef-MIT-Style-2"
"GPL-2.0 WITH Bison-exception-2.2"

See satisfies_test.go for more example expressions.

Parameter: allowedList

allowedList is a slice of single license identifiers describing which licenses may be used to satisfy testExpression.

Example allowedList:

[]string{"MIT"}
[]string{"MIT", "Apache-2.0"}
[]string{"MIT", "Apache-2.0", "ISC", "GPL-2.0"}
[]string{"MIT", "Apache-1.0+"}
[]string{"GPL-2.0-or-later"}

N.B. If at least one of the entries in allowedList is not a valid SPDX expression, the call to Satisfies returns an error. Use the ValidateLicenses function first to check that all of the entries in allowedList are valid.

Examples: Satisfies returns true

Go Playground for Satisfies

Satisfies("MIT", []string{"MIT"})
Satisfies("MIT", []string{"MIT", "Apache-2.0"})
Satisfies("Apache-2.0", []string{"Apache-1.0+"})
Satisfies("MIT OR Apache-2.0", []string{"Apache-2.0"})
Satisfies("MIT OR Apache-2.0", []string{"MIT", "Apache-2.0"})
Satisfies("MIT AND Apache-2.0", []string{"MIT", "Apache-2.0"})
Satisfies("MIT AND Apache-2.0", []string{"MIT", "Apache-2.0", "GPL-2.0"})

Examples: Satisfies returns false

Satisfies("MIT", []string{"Apache-2.0"})
Satisfies("Apache-1.0", []string{"Apache-2.0+"})
Satisfies("MIT AND Apache-2.0", []string{"MIT"})

ValidateLicenses

func ValidateLicenses(licenses []string) (bool, []string)

The ValidateLicenses function determines whether any of the provided license expressions are invalid.

Parameter: licenses

licenses is a slice of strings, each of which is validated as an SPDX expression.

Returns

ValidateLicenses has two return values. The first is a bool that is true if all of the provided licenses are valid and false otherwise.

The second is a slice containing every invalid license that was provided.

Examples: ValidateLicenses returns no invalid licenses

valid, invalidLicenses := ValidateLicenses([]string{"Apache-2.0"})
assert.True(valid)
assert.Empty(invalidLicenses)

Examples: ValidateLicenses returns invalid licenses

valid, invalidLicenses := ValidateLicenses([]string{"NON-EXISTENT-LICENSE", "MIT"})
assert.False(valid)
assert.Contains(invalidLicenses, "NON-EXISTENT-LICENSE")
assert.NotContains(invalidLicenses, "MIT")

Examples: ValidateLicenses works with SPDX expressions

valid, invalidLicenses := ValidateLicenses([]string{"MIT AND APACHE-2.0"})
assert.True(valid)
assert.NotContains(invalidLicenses, "MIT AND APACHE-2.0")
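A self-contained, simplified evaluator of the Satisfies semantics described above, added here as an illustration; it is not go-spdx's own code (the library's parser is the translation from the JavaScript implementation mentioned under Acknowledgement). It reproduces the README's truth tables, including the Apache-1.0+ and GPL-2.0-or-later version-range cases, and assumes upper-case operators, a numeric version after the last hyphen of an id, and a "+" only at the very end of an id. Unlike the library it does not check ids against the SPDX license list, so an unknown id simply fails to match instead of producing an error.

```go
package main

import "strconv"
import "strings"

// Satisfies evaluates expr against allowed with SPDX precedence: OR is loosest, then AND, then parentheses.
// Operators are assumed upper-case; a "WITH exception" clause stays inside its license id.
func Satisfies(expr string, allowed []string) bool {
	if i := indexTop(expr, " OR "); i >= 0 {
		return Satisfies(expr[:i], allowed) || Satisfies(expr[i+4:], allowed)
	}
	if i := indexTop(expr, " AND "); i >= 0 {
		return Satisfies(expr[:i], allowed) && Satisfies(expr[i+5:], allowed)
	}
	if strings.HasPrefix(expr, "(") && strings.HasSuffix(expr, ")") {
		return Satisfies(strings.TrimSpace(expr[1:len(expr)-1]), allowed)
	}
	// Leaf: same base id (case-insensitive) and either the same version or a "+" range that covers it.
	b, v, plus := verOf(strings.TrimSpace(expr))
	for _, a := range allowed {
		if ab, av, aplus := verOf(a); strings.EqualFold(b, ab) && (v == av || aplus && v > av || plus && av > v) {
			return true
		}
	}
	return false
}

// indexTop returns the offset of the first sep that occurs outside parentheses, or -1.
func indexTop(s, sep string) int {
	for i, depth := 0, 0; i < len(s); i++ {
		if depth == 0 && strings.HasPrefix(s[i:], sep) {
			return i
		}
		depth += strings.Count(s[i:i+1], "(") - strings.Count(s[i:i+1], ")") // "(" opens, ")" closes a level
	}
	return -1
}

// verOf splits "Apache-1.0+" or "GPL-2.0-or-later" into (base, version, orLater); version -1 means none.
func verOf(id string) (string, float64, bool) {
	id = strings.TrimSuffix(strings.Replace(id, "-or-later", "+", 1), "-only")
	plus := strings.HasSuffix(id, "+")
	id = strings.TrimSuffix(id, "+")
	i := strings.LastIndex(id, "-")
	if v, err := strconv.ParseFloat(id[i+1:], 64); i > 0 && err == nil {
		return id[:i], v, plus
	}
	return id, -1, plus
}
```

Drop the file into a package and call Satisfies from your own main or a test; because AND binds tighter than OR, "MIT AND Apache-2.0 OR GPL-2.0" is satisfied by an allow list containing only GPL-2.0.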

Background

This package was developed to support testing whether a repository's license requirements are met by an allowed-list of licenses.

Dependencies are defined in go.mod.

Contributions and requests are welcome. Refer to the Contributing section for more information including how to set up a test environment and install dependencies.

License

This project is licensed under the terms of the MIT open source license. Please refer to the LICENSE file (MIT) for the full terms.

Maintainers

  • @elrayle
  • @ajhenry

Support

You can expect the following support:

  • bug fixes
  • review of feature request issues
  • review of questions in discussions

Contributing

Contributions in the form of bug identification Issues, bug fix PRs, and feature requests are welcome. See CONTRIBUTING.md for more information on how to get involved and set up a testing environment.

NOTE: The list of valid licenses is maintained manually. If you notice a missing license, an excellent way to contribute to the long term viability of this package is to open an Issue or PR addressing the missing license.

Acknowledgement

The process for parsing and evaluating expressions is a translation from JavaScript to Go based heavily on the JavaScript implementation defined across several repositories.