Releases: github/go-spdx
Release v2.0.1
Overview
This updates the module name to end in /v2. This is required by go get when there is a major version change.
Required Action for Upgrading
Run the following to update to this release.
go get github.com/github/go-spdx/v2@v2.0.1
Details
The initial release of v2.0.0 did not update the module name. When trying to update to that version, you will see an error.
$ go get -u github.com/github/go-spdx@v2.0.0
go: github.com/github/go-spdx@v2.0.0: invalid version: module contains a go.mod file, so module path must match major version ("github.com/github/go-spdx/v2")
To address this, the v2.0.1 release updates the module name to end in /v2.
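A pre-tag check for the mismatch described above, as an added example that is not part of the go-spdx project. CheckModulePath is a hypothetical helper, and it assumes ordinary module paths (gopkg.in paths, which use a .vN suffix, are not handled).

```go
package main

import (
	"fmt"
	"regexp"
)

var (
	// vMAJOR.MINOR.PATCH with an optional pre-release or build suffix.
	tagPattern = regexp.MustCompile(`^v(0|[1-9]\d*)\.\d+\.\d+(?:[-+].+)?$`)
	// A trailing /vN path element, e.g. "/v2".
	suffixPattern = regexp.MustCompile(`/v\d+$`)
)

// CheckModulePath (hypothetical) returns an error when the module path
// declared in go.mod does not carry the suffix that the release tag requires.
// Assumption: ordinary module paths only; gopkg.in's ".vN" form is not handled.
func CheckModulePath(modulePath, tag string) error {
	m := tagPattern.FindStringSubmatch(tag)
	if m == nil {
		return fmt.Errorf("tag %q is not vMAJOR.MINOR.PATCH", tag)
	}
	want := "" // v0 and v1 releases take no suffix
	if m[1] != "0" && m[1] != "1" {
		want = "/v" + m[1]
	}
	if got := suffixPattern.FindString(modulePath); got != want {
		return fmt.Errorf("module path %q has suffix %q, tag %s requires %q",
			modulePath, got, tag, want)
	}
	return nil
}

func main() {
	// The two releases described above: v2.0.0 without /v2, v2.0.1 with it.
	fmt.Println(CheckModulePath("github.com/github/go-spdx", "v2.0.0"))
	fmt.Println(CheckModulePath("github.com/github/go-spdx/v2", "v2.0.1"))
}
```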
What's Changed
- module name must end in v2 for latest go conventions #28 (elrayle)
Full Changelog: v2.0.0...v2.0.1
Release v2.0.0
Overview
This is a breaking change that renames the primary package from expression to spdxexp. This provides better context in use (e.g. spdxexp.Satisfies).
Required Action for Upgrading
Run the following to update to this release.
go get github.com/github/go-spdx@v2.0.0
What's Changed
- rename package from expression to spdxexp #27 (elrayle)
Full Changelog: v1.0.0...v2.0.0
Release v1.0.0
Overview
This is a major change that renames the repository from spdx-expression to go-spdx. It also renames the primary package from spdxexp to expression. Both changes are designed to more closely align naming with go conventions.
Required Action for Upgrading
Run the following to update to this release.
go get github.com/github/go-spdx@v1.0.0
What's Changed
- rename repository to go-spdx
- rename spdx package expression #26 (elrayle)
Full Changelog: v0.3.2...v1.0.0
Release v0.3.2
Overview
Improve documentation with examples and package level doc.
Required Action for Upgrading
There are no steps required to move to this release.
What's Changed
- add example tests that will be part of generated docs #24 (@elrayle)
- add package level documentation #25 (elrayle)
Full Changelog: v0.3.1...v0.3.2
Release v0.3.1
Overview
Add test case for OTHER license. Add TestSatisfiesSingle that makes it easy to modify variables and run an ad hoc test.
Required Action for Upgrading
There are no steps required to move to this release. This release adds tests only.
Details
TestSatisfiesSingle
You can test the Satisfies function with specific values and set the expected outcome. To create an ad hoc test:
- edit spdx/satisfies_test.go
- update variables for parameters (i.e. expression, allowedList)
- update expectedResult to either true or false
- run the test
go test ./spdxexp -run TestSatisfiesSingle
What's Changed
- add test that can be easily updated to validate a specific expression to an allowed-list #22 (@elrayle)
- add test that includes OTHER error #23 (elrayle)
Full Changelog: v0.3.0...v0.3.1
Release v0.3.0
Overview
Add public API function ValidateLicenses which is used to determine if any of the provided licenses are invalid.
Required Action for Upgrading
There are no steps required to move to this release. This release adds an additional function to the public API. There are no changes to the existing API functions.
Details
ValidateLicenses
// ValidateLicenses checks if given licenses are valid according to spdx. Returns true if all the licenses are valid; otherwise, returns false and a slice of the invalid licenses.
ValidateLicenses(licenses []string) (bool, []string)
parameter: licenses
Licenses is a slice of strings which must be validated as SPDX expressions.
returns
Function ValidateLicenses has 2 return values. The first is a bool which equals true if all of the provided licenses are valid, and false otherwise.
The second return value is a slice of all invalid licenses which were provided.
Examples: ValidateLicenses returns no invalid licenses
valid, invalidLicenses := ValidateLicenses([]string{"Apache-2.0"})
assert.True(valid)
assert.Empty(invalidLicenses)
Examples: ValidateLicenses returns invalid licenses
valid, invalidLicenses := ValidateLicenses([]string{"NON-EXISTENT-LICENSE", "MIT"})
assert.False(valid)
assert.Contains(invalidLicenses, "NON-EXISTENT-LICENSE")
assert.NotContains(invalidLicenses, "MIT")
What's Changed
- Add a function to validate licenses #20 (@RomanIakovlev)
Full Changelog: v0.2.0...v0.3.0
Release v0.2.0
Overview
This release adds support for passing LicenseRef and DocumentRef to the Satisfies function as part of an SPDX License Expression.
Required Action for Upgrading
There are no steps required to move to this release. This release is filling out functionality in the existing infrastructure. There are no API changes.
Details
What is a LicenseRef and DocumentRef
The specification defines these terms in Annex D: SPDX License Expressions.
An SPDX user defined license reference:
["DocumentRef-"1*(idstring)":"]"LicenseRef-"1*(idstring)
Examples:
LicenseRef-23
LicenseRef-MIT-Style-1
DocumentRef-spdx-tool-1.2:LicenseRef-MIT-Style-2
How to use with Satisfies
Examples
allowedListWithout := []string{"MIT", "Apache-2.0"}
allowedListWithLicenseRef := []string{"MIT", "Apache-2.0", "LicenseRef-X-BSD-3-Clause-Golang"}
allowedListWithDocumentRefLicenseRef := []string{"MIT", "Apache-2.0", "DocumentRef-spdx-tool-1.2:LicenseRef-X-BSD-3-Clause-Golang"}
Satisfies("LicenseRef-X-BSD-3-Clause-Golang", allowedListWithLicenseRef) // true
Satisfies("MIT AND LicenseRef-X-BSD-3-Clause-Golang", allowedListWithLicenseRef) // true
Satisfies("MIT AND Apache-2.0", allowedListWithLicenseRef) // true
Satisfies("MIT AND LicenseRef-X-BSD-3-Clause-Golang", allowedListWithout) // false
Satisfies("DocumentRef-spdx-tool-1.2:LicenseRef-X-BSD-3-Clause-Golang", allowedListWithDocumentRefLicenseRef) // true
Satisfies("MIT AND DocumentRef-spdx-tool-1.2:LicenseRef-X-BSD-3-Clause-Golang", allowedListWithDocumentRefLicenseRef) // true
Satisfies("MIT AND Apache-2.0", allowedListWithDocumentRefLicenseRef) // true
Satisfies("MIT AND DocumentRef-spdx-tool-1.2:LicenseRef-X-BSD-3-Clause-Golang", allowedListWithout) // false
Satisfies("MIT AND DocumentRef-spdx-tool-1.2:LicenseRef-X-BSD-3-Clause-Golang", allowedListWithLicenseRef) // false
Satisfies("MIT AND LicenseRef-X-BSD-3-Clause-Golang", allowedListWithDocumentRefLicenseRef) // false
Use case for extending the list of valid licenses
Go and the related golang.org/x libraries are licensed under a BSD-3-Clause license plus a patent grant from Google that makes a stipulation about not suing them over patent infringement for that package.
SPDX explicitly said they didn't want to call the patent grant an "exception" (Issue #646), and a new license string has not been included. ClearlyDefined, following their lead, returns this license as BSD-3-Clause AND OTHER.
This use case can be handled by using a user defined LicenseRef that extends the canonical set defined by SPDX.
NOTE: Adding OTHER as a LicenseRef is too broad. In our local work using spdx-expression, BSD-3-Clause AND OTHER is manually converted to the testExpression LicenseRef-X-BSD-3-Clause-Golang before calling Satisfies. LicenseRef-X-BSD-3-Clause-Golang needs to be in the allowedList. The examples in the How to use with Satisfies section show the use of this LicenseRef.
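The reference grammar and the allowed-list results in the examples above, as an added example that is not code from go-spdx. UserRef, ParseUserRef and RefAllowed are hypothetical names, and the idstring character set (letters, digits, "-" and ".") is taken from SPDX Annex D rather than from this page. It covers single references only and shows why a bare LicenseRef and its DocumentRef-qualified form do not match each other.

```go
package main

import (
	"fmt"
	"regexp"
)

// refPattern encodes the grammar quoted in the release notes:
//   ["DocumentRef-" 1*(idstring) ":"] "LicenseRef-" 1*(idstring)
// Assumption: idstring is letters, digits, "-" and "." (SPDX Annex D).
var refPattern = regexp.MustCompile(`^(?:DocumentRef-([A-Za-z0-9.-]+):)?LicenseRef-([A-Za-z0-9.-]+)$`)

// UserRef is a hypothetical type holding the two parts of a reference.
type UserRef struct {
	Document string // empty when there is no DocumentRef- prefix
	License  string
}

// ParseUserRef splits s; ok is false if s does not match the grammar.
func ParseUserRef(s string) (UserRef, bool) {
	m := refPattern.FindStringSubmatch(s)
	if m == nil {
		return UserRef{}, false
	}
	return UserRef{Document: m[1], License: m[2]}, true
}

// RefAllowed reports whether ref is listed in allowedList with the same
// document part and the same license part.
func RefAllowed(ref string, allowedList []string) bool {
	want, ok := ParseUserRef(ref)
	if !ok {
		return false // malformed references are never allowed
	}
	for _, entry := range allowedList {
		if got, ok := ParseUserRef(entry); ok && got == want {
			return true
		}
	}
	return false
}

func main() {
	// Constructed allowed list using identifiers from the examples above.
	allowed := []string{"MIT", "Apache-2.0", "LicenseRef-X-BSD-3-Clause-Golang"}
	for _, r := range []string{"LicenseRef-X-BSD-3-Clause-Golang", "DocumentRef-spdx-tool-1.2:LicenseRef-X-BSD-3-Clause-Golang", "LicenseRef-"} {
		fmt.Printf("%-60s allowed=%v\n", r, RefAllowed(r, allowed))
	}
}
```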
What's Changed
Full Changelog: v0.1.0...v0.2.0
Release v0.1.0
Overview
This is the first release of the spdx-expression repository, which defines the spdxexp go package. The package defines a single function in the public API to check compatibility of an SPDX expression (e.g. Apache-2.0 AND MIT) with an allowed list of licenses (e.g. Apache-2.0, ISC, MIT). A common use case is checking the license requirements for a repository against a policy list of allowed licenses.
Public API
Satisfies
Function definition:
func Satisfies(testExpression string, allowedList []string)
where,
- testExpression string is a valid SPDX license expression (e.g. "MIT", "Apache-1.0+", "MIT AND Apache-2.0", "MIT OR Apache-2.0")
- allowedList []string is an array of SPDX license identifiers (e.g. ["MIT" "Apache-1.0+"]). Licenses in the allowedList are generally single license identifiers (e.g. "MIT", "Apache-1.0", "Apache-2.0"). There is support for a subset of SPDX license expressions. The supported subset is limited to specifying multi-versions (e.g. "Apache-1.0+", "GPL-2.0-or-later") and exceptions (e.g. "Apache-2.0 with Bison-exception-2.2").
Limitations
In this release, there is limited support for LicenseRef and DocumentRef. Expressions and licensing using these may not resolve as expected.