ScanCode SPDX license key contains invalid characters #2813

Closed
fviernau opened this issue Jan 25, 2022 · 4 comments
Comments

@fviernau
Contributor

fviernau commented Jan 25, 2022

The SPDX license key `LicenseRef-scancode-x11-xconsortium_veillard` contains an `_`, which is not allowed according to [1][2]; see e.g. [3][4].

[1] https://github.com/spdx/spdx-spec/blob/development/v2.2.2/chapters/SPDX-license-expressions.md#d1-overview-
[2] https://github.com/spdx/spdx-spec/blob/development/v2.2.2/chapters/SPDX-license-expressions.md#d3-simple-license-expressions-
[3] idstring = 1*(ALPHA / DIGIT / "-" / "." )
[4] An SPDX user defined license reference: ["DocumentRef-"1*(idstring)":"]"LicenseRef-"1*(idstring)]
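The grammar quoted in [3] and [4] is small enough to check mechanically. The following is an added example (not ScanCode's or ORT's code) that encodes the `idstring` rule and the user-defined `LicenseRef` production as a regular expression, reports which characters make a key invalid, and runs the kind of repository-wide check that keeps a key like this from being shipped. The `LicenseRef-scancode-` prefix, the `SAMPLE_KEYS` list and all function names are assumptions made for this example.

```python
import re

# Grammar quoted in the issue (SPDX license expressions chapter):
#   idstring = 1*(ALPHA / DIGIT / "-" / ".")
#   user-defined ref = ["DocumentRef-" 1*(idstring) ":"] "LicenseRef-" 1*(idstring)
IDSTRING = r"[A-Za-z0-9.\-]+"
LICENSE_REF_RE = re.compile(rf"^(?:DocumentRef-{IDSTRING}:)?LicenseRef-{IDSTRING}$")

# Assumed prefix, mirroring how the key appears in the issue text
# ("LicenseRef-scancode-" + key). Not ScanCode's own API.
SCANCODE_REF_PREFIX = "LicenseRef-scancode-"


def invalid_idstring_chars(text):
    """Return the sorted set of characters in `text` that the idstring rule forbids."""
    return sorted(set(re.findall(r"[^A-Za-z0-9.\-]", text)))


def is_valid_license_ref(ref):
    """True when `ref` matches the user-defined license reference production."""
    return LICENSE_REF_RE.match(ref) is not None


def key_to_license_ref(key):
    """Build the LicenseRef a downstream tool would have to parse for `key`."""
    return SCANCODE_REF_PREFIX + key


def normalize_key(key):
    """Rename a key the way the maintainers did here: underscores become dashes."""
    return key.replace("_", "-")


def find_invalid_keys(keys):
    """Map each offending key to the characters that make its LicenseRef invalid.

    Running this over the complete key list (for example in CI) is the sort of
    check that prevents a key with a forbidden character from being released.
    """
    problems = {}
    for key in keys:
        bad = invalid_idstring_chars(key)
        if bad or not is_valid_license_ref(key_to_license_ref(key)):
            problems[key] = bad
    return problems


# Constructed sample key list for demonstration only (not ScanCode's real list).
SAMPLE_KEYS = ["mit", "gpl-2.0", "x11-xconsortium_veillard", "bsd-new"]

if __name__ == "__main__":
    for key, bad in find_invalid_keys(SAMPLE_KEYS).items():
        print(f"{key!r}: forbidden characters {bad}; suggested rename {normalize_key(key)!r}")
```

Checking the key itself rather than catching the parser's exception later means the defect is found where the key is defined, not in every consumer that has to parse the resulting expression.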

@fviernau fviernau added the bug label Jan 25, 2022
fviernau added a commit to oss-review-toolkit/ort that referenced this issue Jan 25, 2022
ScanCode may return SPDX licenses containing underscore characters, which
is not allowed, see [1]. This results in ORT's scanner crashing due to an
SpdxException when it tries to parse the SPDX license key.

This issue first occurred in 2020 and was fixed by [2]. It got
re-introduced recently by [3].

Fix the issue based on the idea of the original fix [2]. The touched
function becomes less efficient. Deliberately don't refactor for
efficiency because this fix can be reverted as soon as [3] is fixed.

[1] aboutcode-org/scancode-toolkit#2813
[2] fb0370f
[3] #4523

Signed-off-by: Frank Viernau <[email protected]>
fviernau added a commit to oss-review-toolkit/ort that referenced this issue Jan 25, 2022
ScanCode may return SPDX license keys containing underscore characters,
which is not allowed, see [1]. This results in ORT's scanner crashing
due to an SpdxException when it tries to parse the SPDX license key.

This issue first occurred in 2020 and was fixed by [2]. It got
re-introduced recently by [3].

Fix the issue based on the idea of the original fix [2]. The touched
function becomes less efficient. Deliberately don't refactor for
efficiency because this fix can be reverted as soon as [3] is fixed.

[1] aboutcode-org/scancode-toolkit#2813
[2] fb0370f
[3] #4523

Signed-off-by: Frank Viernau <[email protected]>
fviernau added a commit to oss-review-toolkit/ort that referenced this issue Jan 25, 2022
ScanCode may return SPDX license keys containing underscore characters,
which is not allowed, see [1]. This results in ORT's scanner crashing
due to an SpdxException when it tries to parse the SPDX license key.

This issue first occurred in 2020 and was fixed by [2]. It got
re-introduced recently by [3].

Fix the issue based on the idea of the original fix [2]. The touched
function becomes less efficient. Deliberately don't refactor for
efficiency because this fix can be reverted as soon as [3] is fixed.

[1] aboutcode-org/scancode-toolkit#2813
[2] fb0370f
[3] #4523

Signed-off-by: Frank Viernau <[email protected]>
fviernau added a commit to oss-review-toolkit/ort that referenced this issue Jan 25, 2022
ScanCode may return SPDX license keys containing underscore characters,
which is not allowed, see [1]. This results in ORT's scanner crashing
due to an SpdxException when it tries to parse the SPDX license key.

This issue first occurred in 2020 and was fixed by [2]. It got
re-introduced recently by [3].

Fix the issue based on the idea of the original fix [2]. The touched
function becomes a bit less efficient, which is not an issue for the current
callers / use cases. However, a consecutive look-up of many license
texts would probably be more efficient if the files in the directories were
listed only once.

[1] aboutcode-org/scancode-toolkit#2813
[2] fb0370f
[3] #4523

Signed-off-by: Frank Viernau <[email protected]>
fviernau added a commit to oss-review-toolkit/ort that referenced this issue Jan 25, 2022
ScanCode has one SPDX license key containing an underscore character,
which is not allowed, see [1]. This results in ORT's scanner crashing
due to an SpdxException when it tries to parse the SPDX license key.

This issue first occurred in 2020 and was fixed by [2]. It got
re-introduced recently by [3].

Deliberately don't fix the general problem with underscores in
`getLicenseTextFile()` in favor of a license-ID-specific workaround,
because this can be implemented efficiently without doing a refactoring
first.

[1] aboutcode-org/scancode-toolkit#2813
[2] fb0370f
[3] #4523

Signed-off-by: Frank Viernau <[email protected]>
@pombredanne
Member

pombredanne commented Jan 26, 2022

@fviernau Good catch! @DennisClark IMHO we should no longer use underscores in license keys and validate this.
The only license is "x11-xconsortium_veillard", which we can deprecate and rename with a dash?

@DennisClark
Member

@pombredanne I can fix x11-xconsortium_veillard in my license list. Will do it soon.

pombredanne added a commit that referenced this issue Feb 8, 2022
x11-xconsortium_veillard was using an underscore which is not SPDX
friendly and is now deprecated. x11-xconsortium-veillard is the new
key

Reference: #2813
Reported-by: Frank Viernau <[email protected]>
Signed-off-by: Philippe Ombredanne <[email protected]>
@sschuberth
Collaborator

Has this been actually fixed?

@pombredanne
Member

@sschuberth yes, in 4ddc974 and in all versions since v31.0.0 ... and we have a check to ensure this does not happen again
