What is the issue?
spdxexp.ExtractLicenses hangs indefinitely and never returns when given a valid SPDX compound license expression containing roughly 50 or more boolean AND/OR operators. During this hang, RAM grows continuously until the OS kills the process due to out-of-memory.
This issue was discovered while using sbomqs, which calls spdxexp.ExtractLicenses internally to parse license expressions. A user reported that scoring a Trivy-generated CycloneDX SBOM consumed all available RAM (16 GB free) and was killed before completing. After investigation, the root cause was traced to a single component, the kernel-headers RPM, whose license expression carries 78 AND/OR operators. Passing that expression to ExtractLicenses is sufficient to reproduce the hang on its own.
Take this license expression:

```go
kernelHeadersLicense = `(GPL-2.0-only WITH Linux-syscall-note OR BSD-2-Clause) AND (GPL-2.0-only WITH Linux-syscall-note OR BSD-3-Clause) AND (GPL-2.0-only WITH Linux-syscall-note OR CDDL-1.0) AND (GPL-2.0-only WITH Linux-syscall-note OR Linux-OpenIB) AND (GPL-2.0-only WITH Linux-syscall-note OR MIT) AND (GPL-2.0-or-later WITH Linux-syscall-note OR BSD-3-Clause) AND (GPL-2.0-or-later WITH Linux-syscall-note OR MIT) AND Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND BSD-3-Clause-Clear AND GFDL-1.1-no-invariants-or-later AND GPL-1.0-or-later AND (GPL-1.0-or-later OR BSD-3-Clause) AND GPL-1.0-or-later WITH Linux-syscall-note AND GPL-2.0-only AND (GPL-2.0-only OR Apache-2.0) AND (GPL-2.0-only OR BSD-2-Clause) AND (GPL-2.0-only OR BSD-3-Clause) AND (GPL-2.0-only OR CDDL-1.0) AND (GPL-2.0-only OR GFDL-1.1-no-invariants-or-later) AND (GPL-2.0-only OR GFDL-1.2-no-invariants-only) AND GPL-2.0-only WITH Linux-syscall-note AND GPL-2.0-or-later AND (GPL-2.0-or-later OR BSD-2-Clause) AND (GPL-2.0-or-later OR BSD-3-Clause) AND (GPL-2.0-or-later OR CC-BY-4.0) AND GPL-2.0-or-later WITH GCC-exception-2.0 AND GPL-2.0-or-later WITH Linux-syscall-note AND ISC AND LGPL-2.0-or-later AND (LGPL-2.0-or-later OR BSD-2-Clause) AND LGPL-2.0-or-later WITH Linux-syscall-note AND LGPL-2.1-only AND (LGPL-2.1-only OR BSD-2-Clause) AND LGPL-2.1-only WITH Linux-syscall-note AND LGPL-2.1-or-later AND LGPL-2.1-or-later WITH Linux-syscall-note AND (Linux-OpenIB OR GPL-2.0-only) AND (Linux-OpenIB OR GPL-2.0-only OR BSD-2-Clause) AND Linux-man-pages-copyleft AND MIT AND (MIT OR GPL-2.0-only) AND (MIT OR GPL-2.0-or-later) AND (MIT OR LGPL-2.1-only) AND (MPL-1.1 OR GPL-2.0-only) AND (X11 OR GPL-2.0-only) AND (X11 OR GPL-2.0-or-later) AND Zlib AND (copyleft-next-0.3.1 OR GPL-2.0-or-later)`
```
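Until the parser itself is fixed, a caller such as sbomqs can avoid the unbounded memory growth by refusing to hand over-complex expressions to the parser at all. The following Go program is an added example written for this report, not code from spdxexp or sbomqs: it tokenizes an SPDX expression, counts its AND/OR operators (WITH is an exception operator, not a boolean one, and is not counted), and gates a parser of the assumed shape `func(string) ([]string, error)` behind an operator budget. `FlatIdentifiers` is a hypothetical stand-in for the real parser so the program runs offline; the budget of 50 is taken from the threshold reported above. A goroutine-plus-timeout wrapper is deliberately not used here: a timed-out goroutine cannot be cancelled and would keep allocating, so the pre-check is the mitigation that actually bounds memory.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// kernelHeadersLicense is the expression from the issue (78 AND/OR operators).
const kernelHeadersLicense = `(GPL-2.0-only WITH Linux-syscall-note OR BSD-2-Clause) AND (GPL-2.0-only WITH Linux-syscall-note OR BSD-3-Clause) AND (GPL-2.0-only WITH Linux-syscall-note OR CDDL-1.0) AND (GPL-2.0-only WITH Linux-syscall-note OR Linux-OpenIB) AND (GPL-2.0-only WITH Linux-syscall-note OR MIT) AND (GPL-2.0-or-later WITH Linux-syscall-note OR BSD-3-Clause) AND (GPL-2.0-or-later WITH Linux-syscall-note OR MIT) AND Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND BSD-3-Clause-Clear AND GFDL-1.1-no-invariants-or-later AND GPL-1.0-or-later AND (GPL-1.0-or-later OR BSD-3-Clause) AND GPL-1.0-or-later WITH Linux-syscall-note AND GPL-2.0-only AND (GPL-2.0-only OR Apache-2.0) AND (GPL-2.0-only OR BSD-2-Clause) AND (GPL-2.0-only OR BSD-3-Clause) AND (GPL-2.0-only OR CDDL-1.0) AND (GPL-2.0-only OR GFDL-1.1-no-invariants-or-later) AND (GPL-2.0-only OR GFDL-1.2-no-invariants-only) AND GPL-2.0-only WITH Linux-syscall-note AND GPL-2.0-or-later AND (GPL-2.0-or-later OR BSD-2-Clause) AND (GPL-2.0-or-later OR BSD-3-Clause) AND (GPL-2.0-or-later OR CC-BY-4.0) AND GPL-2.0-or-later WITH GCC-exception-2.0 AND GPL-2.0-or-later WITH Linux-syscall-note AND ISC AND LGPL-2.0-or-later AND (LGPL-2.0-or-later OR BSD-2-Clause) AND LGPL-2.0-or-later WITH Linux-syscall-note AND LGPL-2.1-only AND (LGPL-2.1-only OR BSD-2-Clause) AND LGPL-2.1-only WITH Linux-syscall-note AND LGPL-2.1-or-later AND LGPL-2.1-or-later WITH Linux-syscall-note AND (Linux-OpenIB OR GPL-2.0-only) AND (Linux-OpenIB OR GPL-2.0-only OR BSD-2-Clause) AND Linux-man-pages-copyleft AND MIT AND (MIT OR GPL-2.0-only) AND (MIT OR GPL-2.0-or-later) AND (MIT OR LGPL-2.1-only) AND (MPL-1.1 OR GPL-2.0-only) AND (X11 OR GPL-2.0-only) AND (X11 OR GPL-2.0-or-later) AND Zlib AND (copyleft-next-0.3.1 OR GPL-2.0-or-later)`

// ErrTooComplex is returned when an expression exceeds the operator budget.
var ErrTooComplex = errors.New("spdx expression exceeds boolean operator budget")

// Tokenize splits an expression on whitespace and separates parentheses from
// the identifiers they are glued to, so "(MIT" becomes "(" and "MIT".
func Tokenize(expr string) []string {
	var tokens []string
	for _, field := range strings.Fields(expr) {
		var cur strings.Builder
		for _, r := range field {
			if r == '(' || r == ')' {
				if cur.Len() > 0 {
					tokens = append(tokens, cur.String())
					cur.Reset()
				}
				tokens = append(tokens, string(r))
				continue
			}
			cur.WriteRune(r)
		}
		if cur.Len() > 0 {
			tokens = append(tokens, cur.String())
		}
	}
	return tokens
}

// CountBooleanOperators counts AND and OR tokens. Operators are matched
// case-insensitively so "and"/"or" are also counted toward the budget.
func CountBooleanOperators(expr string) int {
	n := 0
	for _, tok := range Tokenize(expr) {
		switch strings.ToUpper(tok) {
		case "AND", "OR":
			n++
		}
	}
	return n
}

// ExtractWithBudget refuses to call extract when the expression carries more
// than maxOps boolean operators. extract is any parser with this signature;
// the real spdxexp.ExtractLicenses is assumed to fit it.
func ExtractWithBudget(expr string, maxOps int, extract func(string) ([]string, error)) ([]string, error) {
	if n := CountBooleanOperators(expr); n > maxOps {
		return nil, fmt.Errorf("%w: %d operators, budget %d", ErrTooComplex, n, maxOps)
	}
	return extract(expr)
}

// FlatIdentifiers is a hypothetical stand-in for the real parser: it returns
// every distinct non-operator token in order of first appearance. It ignores
// WITH grouping and precedence and exists only so the example runs offline.
func FlatIdentifiers(expr string) ([]string, error) {
	seen := map[string]bool{}
	var ids []string
	for _, tok := range Tokenize(expr) {
		switch strings.ToUpper(tok) {
		case "AND", "OR", "WITH", "(", ")":
			continue
		}
		if !seen[tok] {
			seen[tok] = true
			ids = append(ids, tok)
		}
	}
	return ids, nil
}

func main() {
	fmt.Println("operators:", CountBooleanOperators(kernelHeadersLicense))
	if _, err := ExtractWithBudget(kernelHeadersLicense, 50, FlatIdentifiers); err != nil {
		fmt.Println("refused:", err)
	}
	ids, _ := ExtractWithBudget("MIT OR (Apache-2.0 AND BSD-3-Clause)", 50, FlatIdentifiers)
	fmt.Println("small expression:", ids)
}
```

Rejecting the expression is a conservative choice: the component is reported as unscorable rather than silently scored, and the process stays alive to handle the rest of the SBOM. Once the parser no longer hangs, the budget can be raised or removed without touching the callers.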