SPDX is_compound_expression does not strictly check for compound expression #765

@Joerki

Description

The function call `res = __SPDX_EXPRESSION_LICENSING.validate(value)` in spdx.py's `is_compound_expression` function is not checking for a compound expression.

The validate function checks whether the given string is a valid SPDX expression (simple or compound expression) and checks the license values against license_expression module's license database (including SPDX list identifiers and LicenseRef-scancode-* values).

Currently:

```python
from license_expression import get_spdx_licensing

# module-level setup in spdx.py
__SPDX_EXPRESSION_LICENSING = get_spdx_licensing()


def is_compound_expression(value: str) -> bool:
    """Validate compound expression.
    .. note::
        Utilizes `license-expression library`_ to
        validate SPDX compound expression according to `SPDX license expression spec`_.
    .. _SPDX license expression spec: https://spdx.github.io/spdx-spec/v2.3/SPDX-license-expressions/
    .. _license-expression library: https://github.com/nexB/license-expression
    """
    try:
        res = __SPDX_EXPRESSION_LICENSING.validate(value)
    except Exception:
        # the throw happens when internals crash due to unexpected input characters.
        return False
    # validate() accepts any valid expression, simple or compound
    return 0 == len(res.errors)
```

To check solely for a valid compound expression, it has to be:

```python
from license_expression import get_spdx_licensing, OR, AND

...

def is_compound_expression(value: str) -> bool:
    try:
        # parse(validate=True) raises on invalid syntax or unknown license keys
        expression = __SPDX_EXPRESSION_LICENSING.parse(value, validate=True)
        # only a top-level OR / AND node is a compound expression
        return type(expression) in [OR, AND]
    except Exception:
        return False
...
```

The class TestSpdxIsCompoundExpression test cases do not consider tests with a single valid SPDX ID from official license list or LicenseRef-scancode-* ID from license-expression's internal database.

With the definition

```python
VALID_COMPOUND_EXPRESSIONS = {
    # for valid test data see the spec: https://spdx.github.io/spdx-spec/v2.3/SPDX-license-expressions/
    '(MIT AND Apache-2.0)',
    'BSD-2-Clause OR Apache-2.0',
    'MIT',
    'LicenseRef-scancode-3com-microcode'
}
```

all cases succeed, even the cases with a simple expression.
According to the name and description of `is_compound_expression`, a simple-expression license parameter must result in a failure.
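The distinction the issue is about (a string being a *valid* SPDX expression versus being a *compound* one) is a property of the expression grammar, not of the license database. The block below is an added, self-contained example written for this page; it is not code from the issue author, from spdx.py, or from the license-expression library. It implements a small recursive-descent parser for the SPDX 2.3 expression grammar (identifiers with optional `+`, `LicenseRef-`/`DocumentRef-` references, `WITH`, `AND`, `OR`, parentheses, with the spec's precedence WITH > AND > OR) and then derives three separate predicates from the parse tree. `is_valid_expression` is what the current `validate`-based code effectively tests, while `is_compound_expression` only accepts a top-level operator node, so the issue's two simple test inputs are rejected. Two deliberate choices are assumptions of this example, not of the project: operators are matched case-sensitively in uppercase only, and `WITH` expressions count as compound, because the spec's grammar lists `simple-expression WITH license-exception-id` among the compound forms (the fix proposed above accepts only `AND`/`OR`). Identifier validation against the SPDX license list, which the library's `validate()`/`parse(validate=True)` add, is out of scope here; only the syntax is checked. A predicate that is looser than its name promises is a classic validation bug: callers that rely on "compound" to mean "has an operator" silently get a guarantee they were never given.

```python
import re
from typing import List, Tuple

# AST node shapes:
#   ('ID', 'MIT+')                                  simple expression
#   ('WITH', ('ID', 'GPL-2.0-only'), 'Classpath-exception-2.0')
#   ('AND', left, right) / ('OR', left, right)      compound expression
Node = Tuple

_IDSTRING = r'[A-Za-z0-9.\-]+'
# a token is '(' , ')' , or an identifier, optionally 'DocumentRef-x:LicenseRef-y', optionally ending in '+'
_TOKEN_RE = re.compile(r'\(|\)|' + _IDSTRING + r'(?::' + _IDSTRING + r')?\+?')
_LICENSE_ID_RE = re.compile(r'^' + _IDSTRING + r'\+?$')
_LICENSE_REF_RE = re.compile(r'^(?:DocumentRef-' + _IDSTRING + r':)?LicenseRef-' + _IDSTRING + r'$')
_EXCEPTION_ID_RE = re.compile(r'^' + _IDSTRING + r'$')
_OPERATORS = ('AND', 'OR', 'WITH')  # assumption: uppercase only, matched case-sensitively


def _tokenize(value: str) -> List[str]:
    """Split an expression into tokens; any character outside the grammar is an error."""
    tokens, pos = [], 0
    while pos < len(value):
        if value[pos].isspace():
            pos += 1
            continue
        m = _TOKEN_RE.match(value, pos)
        if not m:
            raise ValueError(f'unexpected character at offset {pos}: {value[pos]!r}')
        tokens.append(m.group(0))
        pos = m.end()
    return tokens


class _Parser:
    """Recursive-descent parser: OR binds weakest, then AND, then WITH, then primaries."""

    def __init__(self, tokens: List[str]) -> None:
        self.tokens, self.pos = tokens, 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self) -> str:
        tok = self.peek()
        if tok is None:
            raise ValueError('unexpected end of expression')
        self.pos += 1
        return tok

    def parse(self) -> Node:
        node = self.parse_or()
        if self.peek() is not None:
            raise ValueError(f'trailing token {self.peek()!r}')
        return node

    def parse_or(self) -> Node:
        node = self.parse_and()
        while self.peek() == 'OR':
            self.take()
            node = ('OR', node, self.parse_and())
        return node

    def parse_and(self) -> Node:
        node = self.parse_with()
        while self.peek() == 'AND':
            self.take()
            node = ('AND', node, self.parse_with())
        return node

    def parse_with(self) -> Node:
        node = self.parse_primary()
        if self.peek() == 'WITH':
            self.take()
            if node[0] != 'ID':
                raise ValueError('WITH must follow a simple expression')
            exc = self.take()
            if exc in _OPERATORS or not _EXCEPTION_ID_RE.match(exc):
                raise ValueError(f'invalid exception id {exc!r}')
            node = ('WITH', node, exc)
        return node

    def parse_primary(self) -> Node:
        tok = self.take()
        if tok == '(':
            node = self.parse_or()
            if self.take() != ')':
                raise ValueError('missing closing parenthesis')
            return node
        if tok == ')' or tok in _OPERATORS:
            raise ValueError(f'unexpected token {tok!r}')
        if tok.startswith(('LicenseRef-', 'DocumentRef-')):
            if not _LICENSE_REF_RE.match(tok):
                raise ValueError(f'invalid license reference {tok!r}')
        elif not _LICENSE_ID_RE.match(tok):
            raise ValueError(f'invalid license id {tok!r}')
        return ('ID', tok)


def parse_license_expression(value: str) -> Node:
    """Parse an SPDX license expression into an AST; raise ValueError when the syntax is invalid."""
    return _Parser(_tokenize(value)).parse()


def is_valid_expression(value: str) -> bool:
    """Simple OR compound: this is all a validity check can tell you."""
    try:
        parse_license_expression(value)
    except ValueError:
        return False
    return True


def is_simple_expression(value: str) -> bool:
    try:
        return parse_license_expression(value)[0] == 'ID'
    except ValueError:
        return False


def is_compound_expression(value: str) -> bool:
    """Strict: the top-level node must be an operator, so 'MIT' and '(MIT)' are rejected."""
    try:
        return parse_license_expression(value)[0] in ('AND', 'OR', 'WITH')
    except ValueError:
        return False


def classify(values) -> dict:
    """Map each input to (valid, simple, compound); shows where validity and compoundness differ."""
    return {v: (is_valid_expression(v), is_simple_expression(v), is_compound_expression(v)) for v in values}


if __name__ == '__main__':
    # constructed sample inputs: the issue's four test strings plus a WITH form and two invalid strings
    samples = ['(MIT AND Apache-2.0)', 'BSD-2-Clause OR Apache-2.0', 'MIT',
               'LicenseRef-scancode-3com-microcode', 'GPL-2.0-only WITH Classpath-exception-2.0',
               'MIT AND', '(MIT AND Apache-2.0']
    for expr, flags in classify(samples).items():
        print(f'{expr!r:45} valid={flags[0]!s:5} simple={flags[1]!s:5} compound={flags[2]!s:5}')
```

Running the block prints one line per sample. Note that `'MIT'` and `'LicenseRef-scancode-3com-microcode'` come out `valid=True simple=True compound=False`, which is exactly the split that the current `validate()`-based implementation cannot express: it collapses the first and third columns into one.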
