Handle complex licenses (e.g. X AND Y)

There are many packages that are dual-licensed, offering a choice
of licenses (e.g. `MIT OR Apache-2.0`). There are some that include
code from multiple sources and require multiple licenses
(e.g. `MIT AND Apache-2.0`). There are also complex combinations that
can exist for a variety of reasons, such as
`MIT AND (Apache-2.0 OR BSD-3-Clause)`.

The most straightforward approach to handle these is to have an
allow list. As long as the licenses on the allow list can satisfy
the license expression of the package in question, it should pass.

To implement this, I the newest release of spdx-satisfies
which changed the interface to be exactly as described
`satisfies(license, allowList)` (see
jslicense/spdx-satisfies.js#17).

Fixes #263

Author: dangoor

__tests__/licenses.test.ts

@@ -74,6 +74,32 @@ const pipChange: Change = {
   ]
 }
 
+const complexLicenseChange: Change = {
+  change_type: 'added',
+  manifest: 'requirements.txt',
+  ecosystem: 'pip',
+  name: 'package-1',
+  version: '1.1.1',
+  package_url: 'pkg:pypi/[email protected]',
+  license: 'MIT AND Apache-2.0',
+  source_repository_url: 'github.com/some-repo',
+  scope: 'runtime',
+  vulnerabilities: [
+    {
+      severity: 'moderate',
+      advisory_ghsa_id: 'second-random_string',
+      advisory_summary: 'not so dangerous',
+      advisory_url: 'github.com/future-funk'
+    },
+    {
+      severity: 'low',
+      advisory_ghsa_id: 'third-random_string',
+      advisory_summary: 'dont page me',
+      advisory_url: 'github.com/future-funk'
+    }
+  ]
+}
+
 jest.mock('@actions/core')
 
 const mockOctokit = {
@@ -129,6 +155,30 @@ test('it adds license inside the deny list to forbidden changes', async () => {
   expect(forbidden.length).toEqual(1)
 })
 
+test('it handles allowed complex licenses', async () => {
+  const changes: Changes = [
+    complexLicenseChange // MIT AND Apache-2.0 license
+  ]
+
+  const {forbidden} = await getInvalidLicenseChanges(changes, {
+    allow: ['MIT', 'Apache-2.0']
+  })
+
+  expect(forbidden.length).toEqual(0)
+})
+
+test('it handles complex licenses not all on the allow list', async () => {
+  const changes: Changes = [
+    complexLicenseChange // MIT AND Apache-2.0 license
+  ]
+
+  const {forbidden} = await getInvalidLicenseChanges(changes, {
+    allow: ['MIT']
+  })
+
+  expect(forbidden.length).toEqual(1)
+})
+
 test('it does not add license outside the allow list to forbidden changes if it is in removed changes', async () => {
   const changes: Changes = [
     {...npmChange, change_type: 'removed'},

__tests__/spdx.test.ts

@@ -145,77 +145,77 @@ describe('satisfies', () => {
   const units = [
     {
       candidate: 'MIT',
-      constraint: 'MIT',
+      allowList: ['MIT'],
       expected: true
     },
     {
       candidate: 'Apache-2.0',
-      constraint: 'MIT',
+      allowList: ['MIT'],
       expected: false
     },
     {
       candidate: 'MIT OR Apache-2.0',
-      constraint: 'MIT',
+      allowList: ['MIT'],
       expected: true
     },
     {
       candidate: 'MIT OR Apache-2.0',
-      constraint: 'Apache-2.0',
+      allowList: ['Apache-2.0'],
       expected: true
     },
     {
       candidate: 'MIT OR Apache-2.0',
-      constraint: 'BSD-3-Clause',
+      allowList: ['BSD-3-Clause'],
       expected: false
     },
     {
       candidate: 'MIT OR Apache-2.0',
-      constraint: 'Apache-2.0 OR BSD-3-Clause',
+      allowList: ['Apache-2.0', 'BSD-3-Clause'],
       expected: true
     },
     {
       candidate: 'MIT AND Apache-2.0',
-      constraint: 'MIT AND Apache-2.0',
+      allowList: ['MIT', 'Apache-2.0'],
       expected: true
     },
     {
       candidate: 'MIT OR Apache-2.0',
-      constraint: 'MIT AND Apache-2.0',
-      expected: false
+      allowList: ['MIT', 'Apache-2.0'],
+      expected: true
     },
     {
       candidate: 'ISC OR (MIT AND Apache-2.0)',
-      constraint: 'MIT AND Apache-2.0',
+      allowList: ['MIT', 'Apache-2.0'],
       expected: true
     },
 
     // missing params, case sensitivity, syntax problems,
     // or unknown licenses will return 'false'
     {
       candidate: 'MIT',
-      constraint: 'MiT',
+      allowList: ['MiT'],
       expected: false
     },
     {
       candidate: 'MIT AND (ISC OR',
-      constraint: 'MIT',
+      allowList: ['MIT'],
       expected: false
     },
     {
       candidate: 'MIT OR ISC OR Apache-2.0',
-      constraint: '',
+      allowList: [],
       expected: false
     },
     {
       candidate: '',
-      constraint: '(BSD-3-Clause AND ISC) OR MIT',
+      allowList: ['BSD-3-Clause', 'ISC', 'MIT'],
       expected: false
     }
   ]
 
   for (const unit of units) {
-    const got: boolean = spdx.satisfies(unit.candidate, unit.constraint)
-    test(`should return ${unit.expected} for ("${unit.candidate}", "${unit.constraint}")`, () => {
+    const got: boolean = spdx.satisfies(unit.candidate, unit.allowList)
+    test(`should return ${unit.expected} for ("${unit.candidate}", "${unit.allowList}")`, () => {
       expect(got).toBe(unit.expected)
     })
   }