Golang implementation of a checker for determining if a set of SPDX IDs satisfies an SPDX Expression.
There are several ways to include a go package. To download and install, you can use go get. The command for that is:
go get github.com/github/go-spdx@latest- spdxexp - Expression package validates licenses and determines if a license expression is satisfied by a list of licenses. Validity of a license is determined by the SPDX license list.
NOTE: The public API is initially limited to the Satisfies and ValidateLicenses functions. If there is interest in the output of the parser or license checking being public, please submit an issue for consideration.
Satisfies(testExpression string, allowedList []string, options *Options)Parameter: testExpression
testExpression is an SPDX expression describing the licensing terms of source code or a binary file.
Example expressions that can be used for testExpression:
"MIT"
"MIT AND Apache-2.0"
"MIT OR Apache-2.0"
"MIT AND (Apache-1.0 OR Apache-2.0)"
"Apache-1.0+"
"DocumentRef-spdx-tool-1.2:LicenseRef-MIT-Style-2"
"GPL-2.0 WITH Bison-exception-2.2"See satisfies_test.go for more example expressions.
Parameter: allowedList
allowedList is an array of single licenses describing what licenses can be used to satisfy the testExpression.
Example allowedList:
[]string{"MIT"}
[]string{"MIT", "Apache-2.0"}
[]string{"MIT", "Apache-2.0", "ISC", "GPL-2.0"}
[]string{"MIT", "Apache-1.0+"}
[]string{"GPL-2.0-or-later"}N.B. If at least one of expressions from allowedList is not a valid SPDX expression, the call
to Satisfies will produce an error. Use ValidateLicenses function
to first check if all of the expressions from allowedList are valid.
Satisfies("MIT", []string{"MIT"})
Satisfies("MIT", []string{"MIT", "Apache-2.0"})
Satisfies("Apache-2.0", []string{"Apache-1.0+"})
Satisfies("MIT OR Apache-2.0", []string{"Apache-2.0"})
Satisfies("MIT OR Apache-2.0", []string{"MIT", "Apache-2.0"})
Satisfies("MIT AND Apache-2.0", []string{"MIT", "Apache-2.0"})
Satisfies("MIT AND Apache-2.0", []string{"MIT", "Apache-2.0", "GPL-2.0"})Satisfies("MIT", []string{"Apache-2.0"})
Satisfies("Apache-1.0", []string{"Apache-2.0+"})
Satisfies("MIT AND Apache-2.0", []string{"MIT"})func ValidateLicenses(licenses []string) (bool, []string)Function ValidateLicenses is used to determine if any of the provided license expressions is
invalid.
parameter: licenses
Licenses is a slice of strings which must be validated as SPDX expressions.
returns
Function ValidateLicenses has 2 return values. First is bool which equals true if all of
the provided licenses provided are valid, and false otherwise.
The second parameter is a slice of all invalid licenses which were provided.
valid, invalidLicenses := ValidateLicenses([]string{"Apache-2.0"})
assert.True(valid)
assert.Empty(invalidLicenses)valid, invalidLicenses := ValidateLicenses([]string{"NON-EXISTENT-LICENSE", "MIT"})
assert.False(valid)
assert.Contains(invalidLicenses, "NON-EXISTENT-LICENSE")
assert.NotContains(invalidLicenses, "MIT")valid, invalidLicenses := ValidateLicenses([]string{"MIT AND APACHE-2.0"})
assert.True(valid)
assert.NotContains(invalidLicenses, "MIT AND APACHE-2.0")func ExtractLicenses(expression string) ([]string, error)Function ExtractLicenses is used to extract licenses from the given expression without duplicates.
parameter: expression
expression is an SPDX expression string.
returns
Function ExtractLicenses has 2 return values. First is []string which contains all of the SPDX licenses without duplicates.
The second return value is an error which is not nil if the given expression is not a valid SPDX expression.
licenses, err := ExtractLicenses("(MIT AND APACHE-2.0) OR (APACHE-2.0)")
assert.Equal(licenses, []string{"MIT", "Apache-2.0"})This package was developed to support testing whether a repository's license requirements are met by an allowed-list of licenses.
Dependencies are defined in go.mod.
Contributions and requests are welcome. Refer to the Contributing section for more information including how to set up a test environment and install dependencies.
This project is licensed under the terms of the MIT open source license. Please refer to MIT for the full terms.
- @elrayle
- @ajhenry
You can expect the following support:
- bug fixes
- review of feature request issues
- review of questions in discussions
Contributions in the form of bug identification Issues, bug fix PRs, and feature requests are welcome. See CONTRIBUTING.md for more information on how to get involved and set up a testing environment.
NOTE: The list of valid licenses is maintained manually. If you notice a missing license, an excellent way to contribute to the long term viability of this package is to open an Issue or PR addressing the missing license.
The process for parsing and evaluating expressions is a translation from JavaScript to Go based heavily on the JavaScript implementation defined across several repositories.
![dependabot[bot] avatar](https://avatars.githubusercontent.com/in/29110?v=4 "dependabot[bot]")
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent