License metadata absent from .nupkg

[Jonny-Collins]

Describe the issue

The published NuGet packages for Amazon.Lambda.* packages do not carry SPDX license metadata in their .nuspec.

The repo itself is Apache-2.0 and ships a LICENSE file at the root, but because the project files don't set <PackageLicenseExpression>, that information never makes it into the package metadata that NuGet, SBOM generators, and SCA / license-compliance tools consume.

Links

Link here to see MS docs on SPDX.

[GarrettBeatty]

hi @Jonny-Collins which specific versions are you referencing because i do see it fixed in the latest versions. and i believe it was fixed in https://github.com/aws/aws-lambda-dotnet/pull/1890/changes#diff-eba9642e986662ff2a58555ba7ce160d2074918e232616b6ac291eecd3fe42c5

+ #!/bin/bash
+ # Compare .nuspec license metadata between two versions of a NuGet package
+ # Usage: ./compare-nuspec-license.sh <package-id> <old-version> <new-version>
+ #
+ # Example: ./compare-nuspec-license.sh Amazon.Lambda.Core 2.5.0 2.8.1
+ 
+ set -euo pipefail
+ 
+ PKG="${1:?Usage: $0 <package-id> <old-version> <new-version>}"
+ OLD="${2:?Missing old version}"
+ NEW="${3:?Missing new version}"
+ PKG_LOWER=$(echo "$PKG" | tr '[:upper:]' '[:lower:]')
+ BASE="https://api.nuget.org/v3-flatcontainer/${PKG_LOWER}"
+ TMP=$(mktemp -d)
+ 
+ for VER in "$OLD" "$NEW"; do
+   URL="${BASE}/${VER}/${PKG_LOWER}.${VER}.nupkg"
+   NUPKG="${TMP}/${VER}.nupkg"
+   NUSPEC="${TMP}/${VER}.nuspec"
+ 
+   echo "Downloading ${PKG} ${VER}..."
+   if ! curl -sfL "$URL" -o "$NUPKG"; then
+     echo "ERROR: Failed to download ${URL}" >&2; exit 1
+   fi
+   unzip -p "$NUPKG" "*.nuspec" > "$NUSPEC"
+ done
+ 
+ echo ""
+ echo "=== ${PKG} ${OLD} ==="
+ grep -iE "<license|<licenseUrl" "${TMP}/${OLD}.nuspec" | sed 's/^[[:space:]]*/  /' || echo "  (no license metadata)"
+ 
+ echo ""
+ echo "=== ${PKG} ${NEW} ==="
+ grep -iE "<license|<licenseUrl" "${TMP}/${NEW}.nuspec" | sed 's/^[[:space:]]*/  /' || echo "  (no license metadata)"
+ 
+ echo ""
+ echo "=== Full diff of .nuspec ==="
+ diff -u "${TMP}/${OLD}.nuspec" "${TMP}/${NEW}.nuspec" \
+   --label "${PKG}-${OLD}.nuspec" --label "${PKG}-${NEW}.nuspec" || true
+ 
+ rm -rf "$TMP"

./compare-nuspec-license.sh Amazon.Lambda.Core 2.5.0 2.8.1

(26-04-29 15:13:12) <0> [~/aws-lambda-dotnet-2348]
dev-dsk-gcbeatty-1e-8842d0e1 % ./compare-nuspec-license.sh Amazon.Lambda.Core 2.5.0 2.8.1
Downloading Amazon.Lambda.Core 2.5.0...
Downloading Amazon.Lambda.Core 2.8.1...

=== Amazon.Lambda.Core 2.5.0 ===
  <licenseUrl>http://aws.amazon.com/apache2.0/</licenseUrl>

=== Amazon.Lambda.Core 2.8.1 ===
  <license type="expression">Apache-2.0</license>
  <licenseUrl>https://licenses.nuget.org/Apache-2.0</licenseUrl>

=== Full diff of .nuspec ===
--- Amazon.Lambda.Core-2.5.0.nuspec
+++ Amazon.Lambda.Core-2.8.1.nuspec
@@ -2,9 +2,10 @@
 <package xmlns="http://schemas.microsoft.com/packaging/2012/06/nuspec.xsd">
   <metadata>
     <id>Amazon.Lambda.Core</id>
-    <version>2.5.0</version>
+    <version>2.8.1</version>
     <authors>Amazon Web Services</authors>
-    <licenseUrl>http://aws.amazon.com/apache2.0/</licenseUrl>
+    <license type="expression">Apache-2.0</license>
+    <licenseUrl>https://licenses.nuget.org/Apache-2.0</licenseUrl>
     <readme>README.md</readme>
     <projectUrl>https://github.com/aws/aws-lambda-dotnet</projectUrl>
     <iconUrl>https://sdk-for-net.amazonwebservices.com/images/AWSLogo128x128.png</iconUrl>

(26-04-29 15:13:21) <0> [~/aws-lambda-dotnet-2348]
dev-dsk-gcbeatty-1e-8842d0e1 %

[github-actions]

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.