Packages being flagged incorrectly with invalid SPDX license definitions

[shubhashish-certa]

Hi, We have 4 dependency packages being upgraded which are using extensive Dual licensing. I have recently updated my config file to accommodate the flagged license identifiers as well. Still we are getting "Invalid SPDX license" for all of them.

Package	Version	License	Issue Type
jmespath	0.16.0	Apache-2.0 AND MIT	Invalid SPDX License
pako	1.0.11	MIT AND Zlib	Invalid SPDX License
sprintf-js	1.0.3	BSD-3-Clause AND BSD-3-Clause-Clear	Invalid SPDX License
stream-buffers	3.0.3	Unlicense	Invalid SPDX License

My dependency review workflow looks like this

- name: 'Dependency Review'
  uses: actions/dependency-review-action@v3
  with:
    config-file: 'security-config/dependency-review-config.yml'

My config file has these licenses already allowed:

Allowed Licenses: 
- BSD-2-Clause
- BSD-3-Clause
- MIT
- Apache-2.0
- PSF-2.0
- ISC
- HPND
- CC0-1.0
- 0BSD
- PSF-2.0
- Python-2.0
- WTFPL
- LGPL-3.0
- Apache-2.0 and MIT
- MIT AND Zlib
- BSD-3-Clause AND BSD-3-Clause-Clear
- Unlicense

Additionally, I also checked the license identifiers using license-expression validator but it found no issues with any of the identifiers.

Please provide a prompt reason for the failure as the dependency review workflow is not helping us in resolving this at all.

[shubhashish-certa]

FYI : @febuiles @jonjanego

[jonjanego]

Please start with using a current release. The latest is 4.3.4 and you are using v3 which was last updated in January.

We have made some recent improvements to license parsing which might help.

[shubhashish-certa]

@jonjanego I tried modifying my action to the current release 4.3.4. And now the Invalid SPDX License issue is resolved. However, now I am getting Incompatible License for all the dependencies in my repo, even the basic ones

540 package(s) with incompatible licenses

Package	Version	License	Issue Type
semver	5.7.1	ISC	Incompatible License
qs	6.9.3	BSD-3-Clause	Incompatible License
braces	3.0.2	MIT	Incompatible License
cookiejar	2.1.3	MIT	Incompatible License

And so on

[shubhashish-certa]

FYI: @jonjanego Just wanted to send in so that this is still on track. Upgrading the version to the latest solved the issue of license parsing as you mentioned. However, all the licenses including the common ones like MIT and Apache-2.0 (among the other mentioned in the thread) are rendered as Incompatible License. As a note, these licenses used to work with the older version.

[jtomkiew-mng]

@shubhashish-certa

Version 4.3.4 does not work with invalid license names in the config and since that version, SPDX expression licenses are considered invalid (see: #792).

In short, remove all SPDX expressions from the config, like this:

Allowed Licenses: 
- BSD-2-Clause
- BSD-3-Clause
- MIT
- Apache-2.0
- PSF-2.0
- ISC
- HPND
- CC0-1.0
- 0BSD
- PSF-2.0
- Python-2.0
- WTFPL
- LGPL-3.0
- Unlicense

Note that if you have packages that use SPDX expressions, this will report them as invalid, as support is not yet implemented (see: #263). In that case you need to downgrade to version 4.3.3 where SPDX expressions are handled as exact strings (like you had in your original config).

[shubhashish-certa]

That explains it @jtomkiew-mng thanks!!, both the methods worked, but currently going ahead with downgrading to v4.3.3, since we have multiple dependencies that are dual-licensed.