feat(CSAF2.1): #356 add mandatory test 6.1.55 - show not listed licenses in message

Author: rainer-exxcellent

csaf_2_1/mandatoryTests/mandatoryTest_6_1_55.js

@@ -49,7 +49,7 @@ const ABOUT_CODE_LICENSE_REF_PREFIX = 'LicenseRef-scancode-'
 
 const ABOUT_CODE_LICENSE_KEYS = new Set(
   license_information.licenses
-    .filter((license) => !license.deprecated && license.source === 'aboutCode')
+    .filter((license) => license.source === 'aboutCode')
     .map((license) => license.license_key)
 )
 
@@ -73,49 +73,57 @@ function isAboutCodeLicense(licenseRefToCheck) {
  * Recursively checks if a parsed license expression contains not listed licenses.
  *
  * @param {import('license-expressions').ParsedSpdxExpression} parsedExpression - The parsed license expression
- * @returns {boolean} True if the expression contains any license references, false otherwise
+ * @returns {Array<string>} all not listed licenses
  */
-function containsNotListedLicenses(parsedExpression) {
+function notListedLicenses(parsedExpression) {
+  /** @type {Array<string>} */
+  const deprecatedLicenses = []
   // If it's a LicenseRef type directly
   if ('licenseRef' in parsedExpression) {
-    return !isAboutCodeLicense(parsedExpression.licenseRef)
+    if (!isAboutCodeLicense(parsedExpression.licenseRef)) {
+      deprecatedLicenses.push(parsedExpression.licenseRef)
+    }
   }
 
   // If it's a conjunction, check both sides
   if ('conjunction' in parsedExpression) {
-    return (
-      containsNotListedLicenses(parsedExpression.left) ||
-      containsNotListedLicenses(parsedExpression.right)
-    )
+    deprecatedLicenses.push(...notListedLicenses(parsedExpression.left))
+    deprecatedLicenses.push(...notListedLicenses(parsedExpression.right))
   }
 
-  // If it's a LicenseInfo type, it doesn't contain not listed licenses
-  return false
+  // If it's a valid LicenseInfo type, it doesn't contain not listed license
+  // Before we call this function we check that the whole expression is valid.
+  // The expression is not valid, when it contains licences that are not listend
+  // in the SPDX License List. (We check this in test 6.1.54)
+
+  return deprecatedLicenses
 }
 
 /**
- * Checks if a license expression string contains any document references.
+ * Checks if a license expression string contains any not listed references.
  *
  * @param {string} licenseToCheck - The license expression to check
- * @returns {boolean} True if the license expression contains any document references, false otherwise
+ * @returns {Array<string>} True if the license expression contains any document references, false otherwise
  */
-function hasNotListedLicenses(licenseToCheck) {
+function allNotListedLicenses(licenseToCheck) {
   const parseResult = parse(licenseToCheck)
-  return containsNotListedLicenses(parseResult)
+  return notListedLicenses(parseResult)
 }
 
 /**
  * check if the license_expression contains license identifiers or exceptions
  * that are not listed in the SPDX license list or Aboutcode's "ScanCode LicenseDB"
  *
  * @param {string} licenseToCheck - The license expression to check
- * @returns {boolean} True if the license has not listed licenses, false otherwise
+ * @returns {Array<string>} True if the license has not listed licenses, false otherwise
  */
-export function existsNotListedLicenses(licenseToCheck) {
-  return (
-    !licenseToCheck ||
-    (validate(licenseToCheck).valid && hasNotListedLicenses(licenseToCheck))
-  )
+export function getNotListedLicenses(licenseToCheck) {
+  // Validate ensures that no invalid SPDX licenses are present
+  if (!licenseToCheck || !validate(licenseToCheck).valid) {
+    return []
+  } else {
+    return allNotListedLicenses(licenseToCheck)
+  }
 }
 
 /**
@@ -163,16 +171,19 @@ export function mandatoryTest_6_1_55(doc) {
 
   const licenseToCheck = doc.document.license_expression
   if (isLangEnglishOrUnspecified(doc.document.lang)) {
-    if (existsNotListedLicenses(licenseToCheck)) {
+    const notListedLicenses = getNotListedLicenses(licenseToCheck)
+    if (notListedLicenses.length > 0) {
       const notes = doc.document.notes
       if (!notes || !containsOneLegalNote(notes)) {
         ctx.isValid = false
         ctx.errors.push({
           instancePath: '/document/notes',
           message:
-            `The license_expression contains a license identifiers or exceptions that is not ` +
-            `listed in Aboutcode's or  SPDX license list. Therefore exactly one note with ` +
-            ` title 'License' and category 'legal_disclaimer' must exist`,
+            `The license_expression contains the following license identifiers that ` +
+            `are nor listed in Aboutcode's or  SPDX license list: ` +
+            `"${notListedLicenses.join()}". ` +
+            `Therefore exactly one note with ` +
+            `title "License" and category "legal_disclaimer" must exist`,
         })
       }
     }

tests/csaf_2_1/mandatoryTest_6_1_55.js

@@ -1,5 +1,5 @@
 import {
-  existsNotListedLicenses,
+  getNotListedLicenses,
   mandatoryTest_6_1_55,
 } from '../../csaf_2_1/mandatoryTests/mandatoryTest_6_1_55.js'
 import { expect } from 'chai'
@@ -10,67 +10,68 @@ describe('mandatoryTest_6_1_55', function () {
   })
 
   it('check license expressions', function () {
-    expect(existsNotListedLicenses('GPL-3.0+')).to.be.false
-    expect(existsNotListedLicenses('GPL-3.0-only')).to.be.false
-    expect(existsNotListedLicenses('MIT OR (Apache-2.0 AND 0BSD)')).to.be.false
-    expect(existsNotListedLicenses('Invalid-license-expression')).to.be.false
-    expect(existsNotListedLicenses('GPL-2.0 OR BSD-3-Clause')).to.be.false
-    expect(existsNotListedLicenses('LGPL-2.1 OR BSD-3-Clause AND MIT')).to.be
-      .false
-    expect(existsNotListedLicenses('(MIT AND (LGPL-2.1+ AND BSD-3-Clause))')).to
-      .be.false
+    expect(getNotListedLicenses('GPL-3.0+')).to.eql([])
+    expect(getNotListedLicenses('GPL-3.0-only')).to.be.eql([])
+    expect(getNotListedLicenses('MIT OR (Apache-2.0 AND 0BSD)')).to.be.eql([])
+    expect(getNotListedLicenses('Invalid-license-expression')).to.be.eql([])
+    expect(getNotListedLicenses('GPL-2.0 OR BSD-3-Clause')).to.be.eql([])
+    expect(getNotListedLicenses('LGPL-2.1 OR BSD-3-Clause AND MIT')).to.be.eql(
+      []
+    )
     expect(
-      existsNotListedLicenses('MIT OR Apache-2.0 WITH Autoconf-exception-2.0'),
+      getNotListedLicenses('(MIT AND (LGPL-2.1+ AND BSD-3-Clause))')
+    ).to.eql([])
+    expect(
+      getNotListedLicenses('MIT OR Apache-2.0 WITH Autoconf-exception-2.0'),
       'Exception associated with unrelated license'
-    ).to.be.false
+    ).to.eql([])
     expect(
-      existsNotListedLicenses('3dslicer-1.0'),
+      getNotListedLicenses('3dslicer-1.0'),
       'SPDX License List matching guidelines'
-    ).to.be.false
+    ).to.eql([])
 
     expect(
-      existsNotListedLicenses('LicenseRef-www.example.com-no-work-pd'),
+      getNotListedLicenses('LicenseRef-www.example.com-no-work-pd'),
       'Valid SPDX expression with License Ref'
-    ).to.be.true
+    ).to.eql(['LicenseRef-www.example.com-no-work-pd'])
 
     expect(
-      existsNotListedLicenses(
+      getNotListedLicenses(
         'LicenseRef-www.example.com-no-work-pd OR BSD-3-Clause AND MIT'
       ),
       'Valid SPDX expression with compound-expression and License Ref'
-    ).to.be.true
+    ).to.eql(['LicenseRef-www.example.com-no-work-pd'])
 
-    expect(existsNotListedLicenses('wxWindows'), 'Deprecated License').to.be
-      .false
+    expect(getNotListedLicenses('wxWindows'), 'Deprecated License').to.eql([])
 
     expect(
-      existsNotListedLicenses('DocumentRef-X:LicenseRef-Y AND MIT'),
-      'DocumentRef in License with compound-expression '
-    ).to.be.true
+      getNotListedLicenses('DocumentRef-X:LicenseRef-Y AND LicenseRef-X'),
+      'DocumentRef in License with compound-expression'
+    ).to.eql(['LicenseRef-Y', 'LicenseRef-X'])
 
     expect(
-      existsNotListedLicenses(
+      getNotListedLicenses(
         'DocumentRef-some-document-reference:LicenseRef-www.example.org-Example-CSAF-License-2.0'
       ),
       'DocumentRef in License'
-    ).to.be.true
+    ).to.eql(['LicenseRef-www.example.org-Example-CSAF-License-2.0'])
 
     expect(
-      existsNotListedLicenses(
+      getNotListedLicenses(
         'LicenseRef-www.example.org-Example-CSAF-License-3.0+'
       ),
       'LicenseRef in License with trailing +'
-    ).to.be.false
+    ).to.eql([])
     expect(
-      existsNotListedLicenses('LicenseRef-scancode-acroname-bdk'),
+      getNotListedLicenses('LicenseRef-scancode-acroname-bdk'),
       'LicenseRef in with About Code Prefix and listed license'
-    ).to.be.false
+    ).to.eql([])
 
     expect(
-      existsNotListedLicenses(
+      getNotListedLicenses(
         'LicenseRef-scancode-www.example.org-Example-CSAF-License-3.0'
       ),
       'LicenseRef in with About Code Prefix and not listed license'
-    ).to.be.true
+    ).to.eql(['LicenseRef-scancode-www.example.org-Example-CSAF-License-3.0'])
   })
 })