go-spdx

Golang implementation of a checker for determining if a set of SPDX IDs satisfies an SPDX Expression.

Installation

There are several ways to include a go package. To download and install, you can use go get. The command for that is:

go get github.com/github/go-spdx@latest

Packages

• spdxexp - Expression package validates licenses and determines if a license expression is satisfied by a list of licenses. Validity of a license is determined by the SPDX license list.

Public API

NOTE: The public API is initially limited to the Satisfies and ValidateLicenses functions. If there is interest in the output of the parser or license checking being public, please submit an issue for consideration.

Function: Satisfies

Satisfies(testExpression string, allowedList []string, options *Options)

Parameter: testExpression

testExpression is an SPDX expression describing the licensing terms of source code or a binary file.

Example expressions that can be used for testExpression:

"MIT"
"MIT AND Apache-2.0"
"MIT OR Apache-2.0"
"MIT AND (Apache-1.0 OR Apache-2.0)"
"Apache-1.0+"
"DocumentRef-spdx-tool-1.2:LicenseRef-MIT-Style-2"
"GPL-2.0 WITH Bison-exception-2.2"

See satisfies_test.go for more example expressions.

Parameter: allowedList

allowedList is an array of single licenses describing what licenses can be used to satisfy the testExpression.

Example allowedList:

[]string{"MIT"}
[]string{"MIT", "Apache-2.0"}
[]string{"MIT", "Apache-2.0", "ISC", "GPL-2.0"}
[]string{"MIT", "Apache-1.0+"}
[]string{"GPL-2.0-or-later"}

N.B. If at least one of expressions from allowedList is not a valid SPDX expression, the call to Satisfies will produce an error. Use ValidateLicenses function to first check if all of the expressions from allowedList are valid.

Examples: Satisfies returns true

Go Playground for Satisfies

Satisfies("MIT", []string{"MIT"})
Satisfies("MIT", []string{"MIT", "Apache-2.0"})
Satisfies("Apache-2.0", []string{"Apache-1.0+"})
Satisfies("MIT OR Apache-2.0", []string{"Apache-2.0"})
Satisfies("MIT OR Apache-2.0", []string{"MIT", "Apache-2.0"})
Satisfies("MIT AND Apache-2.0", []string{"MIT", "Apache-2.0"})
Satisfies("MIT AND Apache-2.0", []string{"MIT", "Apache-2.0", "GPL-2.0"})

Examples: Satisfies returns false

Satisfies("MIT", []string{"Apache-2.0"})
Satisfies("Apache-1.0", []string{"Apache-2.0+"})
Satisfies("MIT AND Apache-2.0", []string{"MIT"})

ValidateLicenses

func ValidateLicenses(licenses []string) (bool, []string)

Function ValidateLicenses is used to determine if any of the provided license expressions is invalid.

parameter: licenses

Licenses is a slice of strings which must be validated as SPDX expressions.

returns

Function ValidateLicenses has 2 return values. First is bool which equals true if all of the provided licenses provided are valid, and false otherwise.

The second parameter is a slice of all invalid licenses which were provided.

Examples: ValidateLicenses returns no invalid licenses

valid, invalidLicenses := ValidateLicenses([]string{"Apache-2.0"})
assert.True(valid)
assert.Empty(invalidLicenses)

Examples: ValidateLicenses returns invalid licenses

valid, invalidLicenses := ValidateLicenses([]string{"NON-EXISTENT-LICENSE", "MIT"})
assert.False(valid)
assert.Contains(invalidLicenses, "NON-EXISTENT-LICENSE")
assert.NotContains(invalidLicenses, "MIT")

Examples: ValidateLicenses works with SPDX expressions

valid, invalidLicenses := ValidateLicenses([]string{"MIT AND APACHE-2.0"})
assert.True(valid)
assert.NotContains(invalidLicenses, "MIT AND APACHE-2.0")

ExtractLicenses

func ExtractLicenses(expression string) ([]string, error)

Function ExtractLicenses is used to extract licenses from the given expression without duplicates.

parameter: expression

expression is an SPDX expression string.

returns

Function ExtractLicenses has 2 return values. First is []string which contains all of the SPDX licenses without duplicates.

The second return value is an error which is not nil if the given expression is not a valid SPDX expression.

Example

licenses, err := ExtractLicenses("(MIT AND APACHE-2.0) OR (APACHE-2.0)")
assert.Equal(licenses, []string{"MIT", "Apache-2.0"})

Background

This package was developed to support testing whether a repository's license requirements are met by an allowed-list of licenses.

Dependencies are defined in go.mod.

Contributions and requests are welcome. Refer to the Contributing section for more information including how to set up a test environment and install dependencies.

License

This project is licensed under the terms of the MIT open source license. Please refer to MIT for the full terms.

Maintainers

• @elrayle
• @ajhenry

Support

You can expect the following support:

• bug fixes
• review of feature request issues
• review of questions in discussions

Contributing

Contributions in the form of bug identification Issues, bug fix PRs, and feature requests are welcome. See CONTRIBUTING.md for more information on how to get involved and set up a testing environment.

NOTE: The list of valid licenses is maintained manually. If you notice a missing license, an excellent way to contribute to the long term viability of this package is to open an Issue or PR addressing the missing license.

Acknowledgement

The process for parsing and evaluating expressions is a translation from JavaScript to Go based heavily on the JavaScript implementation defined across several repositories.

• spdx-satisfies.js
• spdx-expression-parse.js
• spdx-ranges
• spdx-compare
• spdx-license-ids
• spdx-exceptions