
Deprecated SPDX license (GPL-2.0+) #950

Closed
vargenau opened this issue Apr 13, 2022 · 7 comments · Fixed by #1009
Assignees
Labels
bug Something isn't working license relating to software licensing

Comments

@vargenau
Contributor

What happened:

The PackageLicenseConcluded and PackageLicenseDeclared fields contain a deprecated license "GPL-2.0+".

PackageName: python-debian
SPDXID: SPDXRef-Package-python-python-debian-f14b246cf6138fa4
PackageVersion: 0.1.38
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: GPL-2.0+
PackageLicenseDeclared: GPL-2.0+

What you expected to happen:

"GPL-2.0+" should be replaced by "GPL-2.0-or-later"

How to reproduce it (as minimally and precisely as possible):

syft docker:fsfe/reuse:latest -o spdx-tag-value

Anything else we need to know?:

Environment:

  • Output of syft version:
Application:        syft
Version:            0.44.0
JsonSchemaVersion:  3.2.2
BuildDate:          2022-04-12T18:59:04Z
GitCommit:          b46d044d7e3afc2ee09fd5ff26635f783628126e
GitDescription:     v0.44.0
Platform:           linux/amd64
GoVersion:          go1.18
Compiler:           gc
  • OS (e.g: cat /etc/os-release or similar):
PRETTY_NAME="Ubuntu 21.10"
NAME="Ubuntu"
VERSION_ID="21.10"
VERSION="21.10 (Impish Indri)"
VERSION_CODENAME=impish
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=impish
@vargenau vargenau added the bug Something isn't working label Apr 13, 2022
@wagoodman wagoodman added the license relating to software licensing label Apr 28, 2022
@jonasagx
Contributor

Thank you for the suggestion @vargenau. I wrote an implementation for that at #1009.

@jonasagx jonasagx self-assigned this May 20, 2022
@vargenau
Contributor Author

This was only an example of a deprecated license.

"GPL-1.0+" should be replaced by "GPL-1.0-or-later"
"GPL-2.0+" should be replaced by "GPL-2.0-or-later"
"GPL-3.0+" should be replaced by "GPL-3.0-or-later"

"LGPL-2.0+" should be replaced by "LGPL-2.0-or-later"
"LGPL-2.1+" should be replaced by "LGPL-2.1-or-later"
"LGPL-3.0+" should be replaced by "LGPL-3.0-or-later"

"AGPL-1.0+" should be replaced by "AGPL-1.0-or-later"
"AGPL-3.0+" should be replaced by "AGPL-3.0-or-later"

"GPL-1.0" should be replaced by "GPL-1.0-only"
"GPL-2.0" should be replaced by "GPL-2.0-only"
"GPL-3.0" should be replaced by "GPL-3.0-only"

"LGPL-2.0" should be replaced by "LGPL-2.0-only"
"LGPL-2.1" should be replaced by "LGPL-2.1-only"
"LGPL-3.0" should be replaced by "LGPL-3.0-only"

"AGPL-1.0" should be replaced by "AGPL-1.0-only"
"AGPL-3.0" should be replaced by "AGPL-3.0-only"

@vargenau
Contributor Author

The complete list of deprecated licenses can be found at the bottom of the SPDX licenses list page:
https://spdx.org/licenses/

@luhring
Contributor

luhring commented May 20, 2022

I'm wondering if these replacements can be calculated automatically without us maintaining our own list of replacements. 🤔 (cc: @jonasagx)

From reading through https://spdx.org/licenses/, it really does seem like when this happens, the only fields in the license object that change are a) the ID, and b) fields derived from the ID. In fact, this page even describes these as "license ID deprecations", specifically.

Looking at GPL v3.0 for example, here's the deprecated license object:

{
  "reference": "https://spdx.org/licenses/GPL-3.0.html",
  "isDeprecatedLicenseId": true,
  "detailsUrl": "https://spdx.org/licenses/GPL-3.0.json",
  "referenceNumber": 110,
  "name": "GNU General Public License v3.0 only",
  "licenseId": "GPL-3.0",
  "seeAlso": [
    "https://www.gnu.org/licenses/gpl-3.0-standalone.html",
    "https://opensource.org/licenses/GPL-3.0"
  ],
  "isOsiApproved": true,
  "isFsfLibre": true
}

... and here's the updated license:

{
  "reference": "https://spdx.org/licenses/GPL-3.0-only.html",
  "isDeprecatedLicenseId": false,
  "detailsUrl": "https://spdx.org/licenses/GPL-3.0-only.json",
  "referenceNumber": 27,
  "name": "GNU General Public License v3.0 only",           // <-- same value
  "licenseId": "GPL-3.0-only",
  "seeAlso": [
    "https://www.gnu.org/licenses/gpl-3.0-standalone.html", // <-- same value
    "https://opensource.org/licenses/GPL-3.0"               // <-- same value
  ],
  "isOsiApproved": true,                                    // <-- same value
  "isFsfLibre": true                                        // <-- same value
}

Could it make sense to find a deprecated license's corresponding updated license via a match on one or all of these "same value" fields?

Normally I'd try to stay away from using non "ID" fields when finding matches, but this seems like a unique case where we cannot rely on ID fields (by definition), yet the supplier of the data is committing to not changing the other fields' values.
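The metadata-match idea described in the comment above, written out as an added example (not syft's code and not part of this thread): it parses a constructed excerpt in the shape of SPDX's licenses.json, keys each entry on the fields the comment identifies as stable across an ID deprecation (name plus seeAlso), and maps a deprecated ID to its replacement only when exactly one non-deprecated entry shares that key. The `License` struct, `metaKey`, `ResolveDeprecated` and `SampleList` are names chosen here; the JSON field names are the real SPDX ones.

```go
package main

import (
	"encoding/json"
	"sort"
	"strings"
)

// License holds the licenses.json fields this example uses (real SPDX field names).
type License struct {
	ID           string   `json:"licenseId"`
	Name         string   `json:"name"`
	SeeAlso      []string `json:"seeAlso"`
	IsDeprecated bool     `json:"isDeprecatedLicenseId"`
}

// metaKey joins the fields that stay unchanged across an ID deprecation: the
// name and the seeAlso URLs (sorted, since their order is not promised).
func metaKey(l License) string {
	urls := append([]string(nil), l.SeeAlso...)
	sort.Strings(urls)
	return l.Name + "\x00" + strings.Join(urls, "\x00")
}

// ResolveDeprecated maps each deprecated ID to the single non-deprecated ID with
// matching metadata. Unmatched or ambiguous IDs are omitted on purpose, so the
// caller keeps the original ID rather than guessing.
func ResolveDeprecated(raw []byte) (map[string]string, error) {
	var doc struct{ Licenses []License `json:"licenses"` }
	if err := json.Unmarshal(raw, &doc); err != nil {
		return nil, err
	}
	current := map[string][]string{} // metadata key -> non-deprecated IDs
	for _, l := range doc.Licenses {
		if !l.IsDeprecated {
			current[metaKey(l)] = append(current[metaKey(l)], l.ID)
		}
	}
	out := map[string]string{}
	for _, l := range doc.Licenses {
		if ids := current[metaKey(l)]; l.IsDeprecated && len(ids) == 1 {
			out[l.ID] = ids[0]
		}
	}
	return out, nil
}

// SampleList is a constructed excerpt in the licenses.json shape, not the real file.
const SampleList = `{"licenses":[
{"licenseId":"GPL-3.0","isDeprecatedLicenseId":true,"name":"GNU General Public License v3.0 only","seeAlso":["https://www.gnu.org/licenses/gpl-3.0-standalone.html","https://opensource.org/licenses/GPL-3.0"]},
{"licenseId":"GPL-3.0-only","isDeprecatedLicenseId":false,"name":"GNU General Public License v3.0 only","seeAlso":["https://opensource.org/licenses/GPL-3.0","https://www.gnu.org/licenses/gpl-3.0-standalone.html"]},
{"licenseId":"Old-Example","isDeprecatedLicenseId":true,"name":"Example License","seeAlso":["https://example.invalid/old"]}]}`
```

On the sample, GPL-3.0 resolves to GPL-3.0-only even though the seeAlso order differs, while Old-Example has no current counterpart and stays unmapped.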

@vargenau
Contributor Author

I have hacked the code as follows, but I do not know if it is the right way to do it:

--- a/internal/spdxlicense/generate/generate_license_list.go
+++ b/internal/spdxlicense/generate/generate_license_list.go
@@ -119,7 +119,14 @@ func processSPDXLicense(result LicenseList) map[string]string {
                if _, exists := licenseIDs[cleanID]; exists {
                        log.Fatalf("duplicate license ID found: %q", cleanID)
                }
-               licenseIDs[cleanID] = l.ID
+               r, _ := regexp.Compile("GPL-[0-9].[0-9]$")
+               if r.MatchString(l.ID) {
+                       licenseIDs[cleanID] = l.ID + "-only"
+               } else if l.ID[len(l.ID)-1:] == "+" {
+                       licenseIDs[cleanID] = l.ID[:len(l.ID)-1] + "-or-later"
+               } else {
+                       licenseIDs[cleanID] = l.ID
+               }
        }
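Review bot: the dot in `regexp.Compile("GPL-[0-9].[0-9]$")` is unescaped, so it matches any character rather than a literal period, and the compile error is discarded; since the pattern is constant, define it once at package level as `regexp.MustCompile(`GPL-[0-9]\.[0-9]$`)` instead of recompiling it on every loop iteration. Both new branches also rewrite an ID purely on its shape, without consulting the entry's `isDeprecatedLicenseId` flag shown earlier in this thread; gating the `-only` and `-or-later` rewrites on that flag keeps the mapping tied to what the upstream list actually deprecates. Finally, `l.ID[len(l.ID)-1:]` panics on an empty ID, whereas `strings.HasSuffix(l.ID, "+")` does not.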

@jonasagx
Contributor

jonasagx commented May 20, 2022

I appreciate the extra info and descriptions @vargenau. I see a couple of different heuristics on how to re-map deprecated licenses:

  1. license IDs ending in integers get -only suffix
  2. license IDs ending with + get -or-later suffix
  3. deprecated licenses can be re-mapped by another license ID when the former and latter share other meta fields (such as name, seeAlso). Summarizing @luhring's suggestion

Do 1 & 2 only apply to L/GPL licenses?
A: yes:

"lgpl-2.0+",
"lgpl-2.1+",
"lgpl-3.0+",
"gpl-2.0+",
"gpl-3.0+",
"gpl-1.0+",

Dan's strategy is general (it covers cases 1 & 2), works better long term and for other licenses, but it requires more refactoring of the code generation part. So I am moving on with it.

@vargenau
Contributor Author

Any progress on fixing the issue?
