fix: Limit multiple license splits to SPDX OR

thehale · thehale · commit da8d06e8ad1f · 2023-05-03T18:30:09.000-07:00
The previous implementation split on a lowercase ` or ` which broke several licenses in the GPL family. This commit fixes that by only splitting on SPDX ` OR ` (including surrounding spaces) which is case sensitive. fixes #101
diff --git a/liccheck/command_line.py b/liccheck/command_line.py
@@ -262,10 +262,9 @@ def check_one(license_str, license_rule="AUTHORIZED", as_regex=False):
 def get_license_names(licenses):
     names = []
     for license in licenses:
-        license = license.lower()
-        options = license.split(" or ")
+        options = license.split(" OR ")
         for option in options:
-            names.append(option)
+            names.append(option.lower())
     return names
 
 def find_parents(package, all, seen):
diff --git a/tests/test_check_package.py b/tests/test_check_package.py
@@ -28,7 +28,7 @@ def packages():
         {
             "name": "auth_one_or_unauth_one",
             "version": "2",
-            "licenses": ["authorized 1 or unauthorized 1"],
+            "licenses": ["authorized 1 OR unauthorized 1"],
         },
         {
             "name": "unauth_one",
@@ -57,6 +57,12 @@ def packages():
         },
     ]
 
+def strategy_with_one_auth(license):
+    return Strategy(
+        authorized_licenses=[license.lower()],
+        unauthorized_licenses=[],
+        authorized_packages={},
+    )
 
 @pytest.mark.parametrize(
     ("strategy_params", "as_regex"),
@@ -92,3 +98,33 @@ def test_check_package(strategy_params, packages, level, reasons, as_regex):
     strategy = Strategy(**strategy_params)
     for package, reason in zip(packages, reasons):
         assert check_package(strategy, package, level, as_regex) is reason
+
+@pytest.mark.parametrize(
+    "license", [
+        "GNU Library or Lesser General Public License (LGPL)",
+        "GNU Lesser General Public License v2 or later (LGPLv2+)"
+    ]
+)
+def test_check_package_respects_licences_with_a_lowercase_or(license):
+    strategy = strategy_with_one_auth(license)
+    package = {
+        "name": "lgpl_example",
+        "version": "2",
+        "licenses": [license],
+    }
+    assert check_package(strategy, package, Level.STANDARD, False) is OK
+
+def test_check_package_splits_licenses_with_SPDX_OR():
+    # The SPDX standard allows packages to specific dual licenses with an OR operator.
+    # See https://spdx.org/spdx-specification-21-web-version#h.jxpfx0ykyb60
+    mit_strategy = strategy_with_one_auth("MIT")
+    apache_strategy = strategy_with_one_auth("Apache-2.0")
+    gpl_strategy = strategy_with_one_auth("GPL-2.0-or-later")
+    package = {
+        "name": "mit_example",
+        "version": "2",
+        "licenses": ["MIT OR Apache-2.0"],
+    }
+    assert check_package(mit_strategy, package, Level.STANDARD, False) is OK
+    assert check_package(apache_strategy, package, Level.STANDARD, False) is OK
+    assert check_package(gpl_strategy, package, Level.STANDARD, False) is UNKNOWN
