♻️ feat: treat multiple gemspec licenses as 'AND' relationship

pboling · pboling · commit a642a6c8eca6 · 2025-12-19T22:26:11.000-07:00
- When multiple licenses are specified in a gemspec, we now assume all licenses apply (AND) rather than alternatives (OR).
- This is a safer, more conservative approach. Users can override this in the configuration if the intention was OR.
- Added tests for multiple licenses (both non-conflicting and potentially conflicting) to verify they are joined with "AND".
diff --git a/pkg/deps/gemspec_test.go b/pkg/deps/gemspec_test.go
@@ -18,6 +18,7 @@
 package deps
 
 import (
+	"fmt"
 	"os"
 	"path/filepath"
 	"testing"
@@ -32,8 +33,7 @@ const (
 func TestRubyGemspecResolver(t *testing.T) {
 	resolver := new(GemspecResolver)
 
-	// toml-merge case: parse gemspec, detect license and dependencies
-	{
+	t.Run("toml-merge case", func(t *testing.T) {
 		tmp := t.TempDir()
 		if err := copyRuby("testdata/ruby/toml-merge", tmp); err != nil {
 			t.Fatal(err)
@@ -65,10 +65,9 @@ func TestRubyGemspecResolver(t *testing.T) {
 		if !found {
 			t.Errorf("expected toml-rb dependency, got %v", report.Resolved)
 		}
-	}
+	})
 
-	// citrus case: transitive dependency resolution via installed gems
-	{
+	t.Run("citrus case", func(t *testing.T) {
 		tmp := t.TempDir()
 		gemHome := filepath.Join(tmp, "gemhome")
 		specsDir := filepath.Join(gemHome, "specifications")
@@ -149,5 +148,68 @@ end
 				t.Errorf("expected citrus license MIT, got %s", license)
 			}
 		}
+	})
+
+	t.Run("multiple licenses case (non-conflicting)", func(t *testing.T) {
+		testMultiLicense(t, resolver, "multi-license", "['MIT', 'Apache-2.0']", "MIT AND Apache-2.0")
+	})
+
+	t.Run("multiple licenses case (conflicting/incompatible)", func(t *testing.T) {
+		testMultiLicense(t, resolver, "conflicting-license", "['GPL-2.0', 'Apache-2.0']", "GPL-2.0 AND Apache-2.0")
+	})
+}
+
+func testMultiLicense(t *testing.T, resolver *GemspecResolver, gemName, licensesStr, expectedLicense string) {
+	tmp := t.TempDir()
+	gemHome := filepath.Join(tmp, "gemhome")
+	specsDir := filepath.Join(gemHome, "specifications")
+	if err := os.MkdirAll(specsDir, 0o755); err != nil {
+		t.Fatal(err)
+	}
+	t.Setenv("GEM_HOME", gemHome)
+
+	// Create multi-license gem
+	gemContent := fmt.Sprintf(`
+Gem::Specification.new do |s|
+  s.name = '%s'
+  s.version = '1.0.0'
+  s.licenses = %s
+end
+`, gemName, licensesStr)
+	if err := writeFileRuby(filepath.Join(specsDir, fmt.Sprintf("%s-1.0.0.gemspec", gemName)), gemContent); err != nil {
+		t.Fatal(err)
+	}
+
+	// Create project gemspec
+	projectContent := fmt.Sprintf(`
+Gem::Specification.new do |s|
+  s.name = 'project'
+  s.version = '0.0.1'
+  s.add_dependency '%s', '~> 1.0'
+end
+`, gemName)
+	gemspec := filepath.Join(tmp, "project.gemspec")
+	if err := writeFileRuby(gemspec, projectContent); err != nil {
+		t.Fatal(err)
+	}
+
+	cfg := &ConfigDeps{Files: []string{gemspec}}
+	report := Report{}
+	if err := resolver.Resolve(gemspec, cfg, &report); err != nil {
+		t.Fatal(err)
+	}
+
+	found := false
+	for _, r := range report.Resolved {
+		if r.Dependency == gemName {
+			found = true
+			if r.LicenseSpdxID != expectedLicense {
+				t.Errorf("expected %s license '%s', got '%s'", gemName, expectedLicense, r.LicenseSpdxID)
+			}
+			break
+		}
+	}
+	if !found {
+		t.Errorf("expected %s dependency", gemName)
 	}
 }
diff --git a/pkg/deps/ruby.go b/pkg/deps/ruby.go
@@ -160,10 +160,43 @@ func (r *GemspecResolver) CanResolve(file string) bool {
 // them along with their transitive dependencies. It reports the found dependencies
 // and their licenses.
 func (r *GemspecResolver) Resolve(file string, config *ConfigDeps, report *Report) error {
-	f, err := os.Open(file)
+	deps, err := parseInitialDependencies(file)
 	if err != nil {
 		return err
 	}
+
+	if errResolve := resolveTransitiveDependencies(deps); errResolve != nil {
+		return errResolve
+	}
+
+	for name, version := range deps {
+		if exclude, _ := config.IsExcluded(name, version); exclude {
+			continue
+		}
+		if l, ok := config.GetUserConfiguredLicense(name, version); ok {
+			report.Resolve(&Result{Dependency: name, LicenseSpdxID: l, Version: version})
+			continue
+		}
+
+		// Check installed gems first, then fallback to RubyGems API
+		licenseID := fetchInstalledLicense(name, version)
+		if licenseID == "" {
+			licenseID, err = fetchRubyGemsLicense(name, version)
+		}
+		if err != nil || licenseID == "" {
+			report.Skip(&Result{Dependency: name, LicenseSpdxID: Unknown, Version: version})
+			continue
+		}
+		report.Resolve(&Result{Dependency: name, LicenseSpdxID: licenseID, Version: version})
+	}
+	return nil
+}
+
+func parseInitialDependencies(file string) (map[string]string, error) {
+	f, err := os.Open(file)
+	if err != nil {
+		return nil, err
+	}
 	defer f.Close()
 
 	scanner := bufio.NewScanner(f)
@@ -181,10 +214,12 @@ func (r *GemspecResolver) Resolve(file string, config *ConfigDeps, report *Repor
 		}
 	}
 	if err := scanner.Err(); err != nil {
-		return err
+		return nil, err
 	}
+	return deps, nil
+}
 
-	// Recursive resolution
+func resolveTransitiveDependencies(deps map[string]string) error {
 	queue := make([]string, 0, len(deps))
 	visited := make(map[string]struct{}, len(deps))
 	for name := range deps {
@@ -214,7 +249,8 @@ func (r *GemspecResolver) Resolve(file string, config *ConfigDeps, report *Repor
 		for _, dep := range newDeps {
 			if _, ok := visited[dep]; !ok {
 				if len(queue) >= 10000 {
-					return fmt.Errorf("dependency graph exceeded maximum size of 10000 nodes (current: %d). This may indicate a circular dependency or an unusually large dependency tree.", len(queue))
+					return fmt.Errorf("dependency graph exceeded maximum size of 10000 nodes (current: %d). "+
+						"This may indicate a circular dependency or an unusually large dependency tree", len(queue))
 				}
 				visited[dep] = struct{}{}
 				queue = append(queue, dep)
@@ -224,28 +260,6 @@ func (r *GemspecResolver) Resolve(file string, config *ConfigDeps, report *Repor
 			}
 		}
 	}
-
-	for name, version := range deps {
-		if exclude, _ := config.IsExcluded(name, version); exclude {
-			continue
-		}
-		if l, ok := config.GetUserConfiguredLicense(name, version); ok {
-			report.Resolve(&Result{Dependency: name, LicenseSpdxID: l, Version: version})
-			continue
-		}
-
-		// Check installed gems first, then fallback to RubyGems API
-		licenseID := fetchInstalledLicense(name, version)
-		var err error
-		if licenseID == "" {
-			licenseID, err = fetchRubyGemsLicense(name, version)
-		}
-		if err != nil || licenseID == "" {
-			report.Skip(&Result{Dependency: name, LicenseSpdxID: Unknown, Version: version})
-			continue
-		}
-		report.Resolve(&Result{Dependency: name, LicenseSpdxID: licenseID, Version: version})
-	}
 	return nil
 }
 
@@ -613,16 +627,16 @@ func parseGemspecInfo(path string) (gemName, gemLicense string, err error) {
 				}
 				if len(licenses) > 0 {
 					// NOTE: When multiple licenses are declared in the gemspec, we assume they are
-					// alternatives and represent them with SPDX-style "OR". Some gems may instead
-					// intend all listed licenses to apply ("AND"), which is not distinguished here.
+					// all required ("AND") to be conservative. If the author intended "OR",
+					// the user can override this in the configuration.
 					if len(licenses) > 1 {
 						gemRef := name
 						if gemRef == "" {
 							gemRef = path
 						}
-						logger.Log.Warnf("Multiple licenses found for gem %s: %v. Assuming 'OR' relationship.", gemRef, licenses)
+						logger.Log.Warnf("Multiple licenses found for gem %s: %v. Assuming 'AND' relationship for safety.", gemRef, licenses)
 					}
-					license = strings.Join(licenses, " OR ")
+					license = strings.Join(licenses, " AND ")
 				}
 			}
 		}
diff --git a/pkg/deps/ruby_test.go b/pkg/deps/ruby_test.go
@@ -358,7 +358,7 @@ func TestGemspecIgnoresCommentedRuntimeDependencies(t *testing.T) {
 func TestFetchInstalledLicense(t *testing.T) {
 	gemHome := t.TempDir()
 	specsDir := filepath.Join(gemHome, "specifications")
-	if err := os.MkdirAll(specsDir, 0755); err != nil {
+	if err := os.MkdirAll(specsDir, 0o755); err != nil {
 		t.Fatal(err)
 	}
 
@@ -370,7 +370,7 @@ Gem::Specification.new do |s|
   s.licenses = ["%s"]
 end
 `, name, version, license)
-		if err := os.WriteFile(filepath.Join(specsDir, filename), []byte(content), 0644); err != nil {
+		if err := os.WriteFile(filepath.Join(specsDir, filename), []byte(content), 0o600); err != nil {
 			t.Fatal(err)
 		}
 	}
@@ -410,6 +410,7 @@ end
 }
 
 func TestRubyGemfileLockResolver_PathTraversal(t *testing.T) {
+	const evil = "evil"
 	resolver := new(GemfileLockResolver)
 	dir := t.TempDir()
 
@@ -423,7 +424,7 @@ Gem::Specification.new do |s|
   s.version = "1.0.0"
   s.licenses = ["Evil-License"]
 end
-`), 0644); err != nil {
+`), 0o600); err != nil {
 		t.Fatal(err)
 	}
 
@@ -466,7 +467,7 @@ BUNDLED WITH
 
 	found := false
 	for _, r := range report.Resolved {
-		if r.Dependency == "evil" {
+		if r.Dependency == evil {
 			found = true
 			if r.LicenseSpdxID == "Evil-License" {
 				t.Errorf("Path traversal succeeded! Found license from outside directory.")
@@ -475,7 +476,7 @@ BUNDLED WITH
 	}
 	// If it's skipped, that's also fine (means it didn't resolve license)
 	for _, r := range report.Skipped {
-		if r.Dependency == "evil" {
+		if r.Dependency == evil {
 			found = true
 		}
 	}

Original file line number	Diff line number	Diff line change
`@@ -358,7 +358,7 @@ func TestGemspecIgnoresCommentedRuntimeDependencies(t *testing.T) {`
`358`	`358`	`func TestFetchInstalledLicense(t *testing.T) {`
`359`	`359`	`gemHome := t.TempDir()`
`360`	`360`	`specsDir := filepath.Join(gemHome, "specifications")`
`361`		`- if err := os.MkdirAll(specsDir, 0755); err != nil {`
	`361`	`+ if err := os.MkdirAll(specsDir, 0o755); err != nil {`
`362`	`362`	`t.Fatal(err)`
`363`	`363`	`}`
`364`	`364`
`@@ -370,7 +370,7 @@ Gem::Specification.new do \|s\|`
`370`	`370`	`s.licenses = ["%s"]`
`371`	`371`	`end`
`372`	`372`	`, name, version, license)
`373`		`- if err := os.WriteFile(filepath.Join(specsDir, filename), []byte(content), 0644); err != nil {`
	`373`	`+ if err := os.WriteFile(filepath.Join(specsDir, filename), []byte(content), 0o600); err != nil {`
`374`	`374`	`t.Fatal(err)`
`375`	`375`	`}`
`376`	`376`	`}`
`@@ -410,6 +410,7 @@ end`
`410`	`410`	`}`
`411`	`411`
`412`	`412`	`func TestRubyGemfileLockResolver_PathTraversal(t *testing.T) {`
	`413`	`+ const evil = "evil"`
`413`	`414`	`resolver := new(GemfileLockResolver)`
`414`	`415`	`dir := t.TempDir()`
`415`	`416`
`@@ -423,7 +424,7 @@ Gem::Specification.new do \|s\|`
`423`	`424`	`s.version = "1.0.0"`
`424`	`425`	`s.licenses = ["Evil-License"]`
`425`	`426`	`end`
`426`		-`), 0644); err != nil {
	`427`	+`), 0o600); err != nil {
`427`	`428`	`t.Fatal(err)`
`428`	`429`	`}`
`429`	`430`
`@@ -466,7 +467,7 @@ BUNDLED WITH`
`466`	`467`
`467`	`468`	`found := false`
`468`	`469`	`for _, r := range report.Resolved {`
`469`		`- if r.Dependency == "evil" {`
	`470`	`+ if r.Dependency == evil {`
`470`	`471`	`found = true`
`471`	`472`	`if r.LicenseSpdxID == "Evil-License" {`
`472`	`473`	`t.Errorf("Path traversal succeeded! Found license from outside directory.")`
`@@ -475,7 +476,7 @@ BUNDLED WITH`
`475`	`476`	`}`
`476`	`477`	`// If it's skipped, that's also fine (means it didn't resolve license)`
`477`	`478`	`for _, r := range report.Skipped {`
`478`		`- if r.Dependency == "evil" {`
	`479`	`+ if r.Dependency == evil {`
`479`	`480`	`found = true`
`480`	`481`	`}`
`481`	`482`	`}`