feat(CSAF2.1): #366 add recommende test 6.1.46 - show not listed licenses in message

Author: rainer-exxcellent

csaf_2_1/recommendedTests/recommendedTest_6_2_46.js

@@ -1,5 +1,5 @@
 import Ajv from 'ajv/dist/jtd.js'
-import { parse } from 'license-expressions'
+import { parse, validate } from 'license-expressions'
 import license_information from '../../lib/license/license_information.js'
 import translations from '../../lib/language_specific_translation/translations.js'
 import bcp47 from 'bcp47'
@@ -80,61 +80,67 @@ function isAboutCodeLicense(licenseRefToCheck) {
  * Recursively checks if a parsed license expression contains not listed licenses.
  *
  * @param {import('license-expressions').ParsedSpdxExpression} parsedExpression - The parsed license expression
- * @returns {boolean} True if the expression contains any license references, false otherwise
+ * @returns {Array<string>} all not listed licenses
  */
-function containsNotListedLicenses(parsedExpression) {
+function notListedLicenses(parsedExpression) {
+  /** @type {Array<string>} */
+  const deprecatedLicenses = []
   // If it's a LicenseRef type directly
   if ('licenseRef' in parsedExpression) {
-    return !isAboutCodeLicense(parsedExpression.licenseRef)
+    if (!isAboutCodeLicense(parsedExpression.licenseRef)) {
+      deprecatedLicenses.push(parsedExpression.licenseRef)
+    }
   }
 
   if (
     'license' in parsedExpression &&
     !SPDX_LICENSE_KEYS.has(parsedExpression.license)
   ) {
-    return true
+    deprecatedLicenses.push(parsedExpression.license)
   }
 
   if (
     'exception' in parsedExpression &&
     parsedExpression.exception &&
     !SPDX_LICENSE_KEYS.has(parsedExpression.exception)
   ) {
-    return true
+    deprecatedLicenses.push(parsedExpression.exception)
   }
 
   // If it's a conjunction, check both sides
   if ('conjunction' in parsedExpression) {
-    return (
-      containsNotListedLicenses(parsedExpression.left) ||
-      containsNotListedLicenses(parsedExpression.right)
-    )
+    deprecatedLicenses.push(...notListedLicenses(parsedExpression.left))
+    deprecatedLicenses.push(...notListedLicenses(parsedExpression.right))
   }
 
   // If it's a LicenseInfo type, it doesn't contain not listed licenses
-  return false
+  return deprecatedLicenses
 }
 
 /**
  * Checks if a license expression string contains any not listed licenses.
  *
  * @param {string} licenseToCheck - The license expression to check
- * @returns {boolean} True if the license expression contains any document references, false otherwise
+ * @returns {Array<string>} all not listed licenses
  */
-function hasNotListedLicenses(licenseToCheck) {
+function allNotListedLicenses(licenseToCheck) {
   const parseResult = parse(licenseToCheck)
-  return containsNotListedLicenses(parseResult)
+  return notListedLicenses(parseResult)
 }
 
 /**
  * check if the license_expression contains license identifiers or exceptions
  * that are not listed in the SPDX license list or Aboutcode's "ScanCode LicenseDB"
  *
  * @param {string} licenseToCheck - The license expression to check
- * @returns {boolean} True if the license has not listed licenses, false otherwise
+ * @returns {Array<string>} all not listed licenses
  */
-export function existsNotListedLicenses(licenseToCheck) {
-  return !!licenseToCheck && hasNotListedLicenses(licenseToCheck)
+export function getNotListedLicenses(licenseToCheck) {
+  if (!licenseToCheck || !validate(licenseToCheck).valid) {
+    return []
+  } else {
+    return allNotListedLicenses(licenseToCheck)
+  }
 }
 
 /**
@@ -216,7 +222,8 @@ export function recommendedTest_6_2_46(doc) {
 
   const licenseToCheck = doc.document.license_expression
   if (isLangSpecifiedAndNotEnglish(doc.document.lang)) {
-    if (existsNotListedLicenses(licenseToCheck)) {
+    const notListedLicenses = getNotListedLicenses(licenseToCheck)
+    if (notListedLicenses.length > 0) {
       const notes = doc.document.notes
       if (
         !notes ||
@@ -225,9 +232,11 @@ export function recommendedTest_6_2_46(doc) {
         ctx.warnings.push({
           instancePath: '/document/notes',
           message:
-            'The license_expression contains a license identifiers or exceptions that is not ' +
-            'listed in Aboutcode or  SPDX license list. Therefore exactly one note with ' +
-            'title "License" and category "legal_disclaimer" must exist',
+            `The license_expression contains contains the following license identifiers that ` +
+            `are nor listed in Aboutcode or SPDX license list: ` +
+            `"${notListedLicenses.join(', ')}". ` +
+            `Therefore exactly one note with ` +
+            `title "License" and category "legal_disclaimer" must exist`,
         })
       }
     }

tests/csaf_2_1/recommendedTest_6_2_46.js

@@ -1,6 +1,5 @@
 import {
-  existsNotListedLicenses,
-  getLicenseInDocumentLang,
+  getNotListedLicenses,
   recommendedTest_6_2_46,
 } from '../../csaf_2_1/recommendedTests/recommendedTest_6_2_46.js'
 import { expect } from 'chai'
@@ -11,87 +10,69 @@ describe('recommendedTest_6_2_46', function () {
     assert.equal(recommendedTest_6_2_46({}).warnings.length, 0)
   })
 
-  it('only runs on valid language', function () {
-    assert.equal(
-      recommendedTest_6_2_46({
-        document: { lang: '123', license_expression: 'MIT' },
-      }).warnings.length,
-      0
-    )
-  })
-
-  it('check get license in document lang', function () {
-    expect(getLicenseInDocumentLang({ document: { lang: 'de' } })).to.eq(
-      'Lizenz'
-    )
-    expect(getLicenseInDocumentLang({ document: { lang: 'es' } })).to.eq(
-      undefined
-    )
-    expect(getLicenseInDocumentLang({ document: {} })).to.eq(undefined)
-  })
-
   it('check license expressions', function () {
-    expect(existsNotListedLicenses('GPL-3.0+')).to.be.false
-    expect(existsNotListedLicenses('GPL-3.0-only')).to.be.false
-    expect(existsNotListedLicenses('MIT OR (Apache-2.0 AND 0BSD)')).to.be.false
-    expect(existsNotListedLicenses('Invalid-license-expression')).to.be.true
-    expect(existsNotListedLicenses('GPL-2.0 OR BSD-3-Clause')).to.be.false
-    expect(existsNotListedLicenses('LGPL-2.1 OR BSD-3-Clause AND MIT')).to.be
-      .false
-    expect(existsNotListedLicenses('(MIT AND (LGPL-2.1+ AND BSD-3-Clause))')).to
-      .be.false
+    expect(getNotListedLicenses('GPL-3.0+')).to.eql([])
+    expect(getNotListedLicenses('GPL-3.0-only')).to.be.eql([])
+    expect(getNotListedLicenses('MIT OR (Apache-2.0 AND 0BSD)')).to.be.eql([])
+    expect(getNotListedLicenses('Invalid-license-expression')).to.be.eql([])
+    expect(getNotListedLicenses('GPL-2.0 OR BSD-3-Clause')).to.be.eql([])
+    expect(getNotListedLicenses('LGPL-2.1 OR BSD-3-Clause AND MIT')).to.be.eql(
+      []
+    )
+    expect(
+      getNotListedLicenses('(MIT AND (LGPL-2.1+ AND BSD-3-Clause))')
+    ).to.eql([])
     expect(
-      existsNotListedLicenses('MIT OR Apache-2.0 WITH Autoconf-exception-2.0'),
+      getNotListedLicenses('MIT OR Apache-2.0 WITH Autoconf-exception-2.0'),
       'Exception associated with unrelated license'
-    ).to.be.true
+    ).to.eql([])
     expect(
-      existsNotListedLicenses('3dslicer-1.0'),
+      getNotListedLicenses('3dslicer-1.0'),
       'SPDX License List matching guidelines'
-    ).to.be.false
+    ).to.eql([])
 
     expect(
-      existsNotListedLicenses('LicenseRef-www.example.com-no-work-pd'),
+      getNotListedLicenses('LicenseRef-www.example.com-no-work-pd'),
       'Valid SPDX expression with License Ref'
-    ).to.be.true
+    ).to.eql(['LicenseRef-www.example.com-no-work-pd'])
 
     expect(
-      existsNotListedLicenses(
+      getNotListedLicenses(
         'LicenseRef-www.example.com-no-work-pd OR BSD-3-Clause AND MIT'
       ),
       'Valid SPDX expression with compound-expression and License Ref'
-    ).to.be.true
+    ).to.eql(['LicenseRef-www.example.com-no-work-pd'])
 
-    expect(existsNotListedLicenses('wxWindows'), 'Deprecated License').to.be
-      .false
+    expect(getNotListedLicenses('wxWindows'), 'Deprecated License').to.eql([])
 
     expect(
-      existsNotListedLicenses('DocumentRef-X:LicenseRef-Y AND MIT'),
-      'DocumentRef in License with compound-expression '
-    ).to.be.true
+      getNotListedLicenses('DocumentRef-X:LicenseRef-Y AND LicenseRef-X'),
+      'DocumentRef in License with compound-expression'
+    ).to.eql(['LicenseRef-Y', 'LicenseRef-X'])
 
     expect(
-      existsNotListedLicenses(
+      getNotListedLicenses(
         'DocumentRef-some-document-reference:LicenseRef-www.example.org-Example-CSAF-License-2.0'
       ),
       'DocumentRef in License'
-    ).to.be.true
+    ).to.eql(['LicenseRef-www.example.org-Example-CSAF-License-2.0'])
 
     expect(
-      existsNotListedLicenses(
+      getNotListedLicenses(
         'LicenseRef-www.example.org-Example-CSAF-License-3.0+'
       ),
       'LicenseRef in License with trailing +'
-    ).to.be.true
+    ).to.eql([])
     expect(
-      existsNotListedLicenses('LicenseRef-scancode-acroname-bdk'),
+      getNotListedLicenses('LicenseRef-scancode-acroname-bdk'),
       'LicenseRef in with About Code Prefix and listed license'
-    ).to.be.false
+    ).to.eql([])
 
     expect(
-      existsNotListedLicenses(
+      getNotListedLicenses(
         'LicenseRef-scancode-www.example.org-Example-CSAF-License-3.0'
       ),
       'LicenseRef in with About Code Prefix and not listed license'
-    ).to.be.true
+    ).to.eql(['LicenseRef-scancode-www.example.org-Example-CSAF-License-3.0'])
   })
 })