Open eliericha opened 1 year ago
Hello @eliericha, I will put this on my todo list - definitely something I should get under my control, but time is the limiting factor here for me, unless someone else will jump in with a PR. For this two-week period, though, I'm done with the time I can spare for this project.
Thanks a lot for your investigation and report, I highly appreciate this!
Cheers, Roman.
Hello folks,

I have a situation where `--excludeLicenses` is not excluding a license when it appears as part of an SPDX license expression with an `AND` operator. For example, my package depends on `spdx-ranges`, which has the license `(MIT AND CC-BY-3.0)`. I observe the following:

1. `npx license-checker-rseidelsohn --failOn 'CC-BY-3.0'` does not flag the dependency.
2. `npx license-checker-rseidelsohn --failOn 'MIT AND CC-BY-3.0'` does not flag the dependency.
3. `npx license-checker-rseidelsohn --failOn '(MIT AND CC-BY-3.0)'` flags the dependency.

I would expect that (1) would be sufficient to detect `spdx-ranges`. Or did I misunderstand something?

Similarly, `--onlyAllow` also doesn't take the `AND` operator into account, such that:

- `npx license-checker-rseidelsohn --includePackages spdx-ranges --onlyAllow 'MIT'` accepts the package, when I would expect a rejection since spdx-ranges also involves the CC-BY-3.0 license.
- `npx license-checker-rseidelsohn --includePackages spdx-ranges --onlyAllow 'CC-BY-3.0'` also accepts the package, when I expect a rejection since spdx-ranges also involves the MIT license.
- `npx license-checker-rseidelsohn --includePackages spdx-ranges --onlyAllow 'BSD'` correctly rejects the package. I ran this one to check that `--includePackages` is not somehow forcing the acceptance of the package whatever its license.

So basically the tool is not considering the `AND` operator at all?

Thanks.
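As an added example (not code from license-checker-rseidelsohn or from the reporter), this shows the per-constituent semantics the report expects: `--failOn` should fail when any license inside an SPDX expression matches, and `--onlyAllow` should accept only when every constituent is allowed. The function names, the package map shape and the conservative handling of `OR` are assumptions of this example.

```javascript
// Added example, not part of license-checker-rseidelsohn: evaluate --failOn /
// --onlyAllow per constituent license instead of matching the whole string.
// Split an SPDX expression into its atomic licenses. Parentheses only group,
// AND/OR are dropped, and "X WITH exception" is kept as one atom.
function spdxAtoms(expr) {
  const tokens = expr.replace(/[()]/g, ' ').trim().split(/\s+/);
  const atoms = [];
  for (let i = 0; i < tokens.length; i++) {
    const t = tokens[i];
    if (/^(AND|OR)$/i.test(t)) continue;
    if (/^WITH$/i.test(tokens[i + 1] || '')) {
      atoms.push(`${t} WITH ${tokens[i + 2]}`);
      i += 2;
    } else atoms.push(t);
  }
  return atoms;
}

// --failOn semantics: fail if ANY constituent license is on the list. OR is
// treated like AND on purpose (conservative: a dual-licensed package that can
// be taken under a banned license is still flagged).
function failsOn(expr, failOn) {
  const banned = new Set(failOn);
  return spdxAtoms(expr).some((a) => banned.has(a));
}

// --onlyAllow semantics: accept only if EVERY constituent license is allowed.
function onlyAllowed(expr, allow) {
  const ok = new Set(allow);
  const atoms = spdxAtoms(expr);
  return atoms.length > 0 && atoms.every((a) => ok.has(a));
}

// Constructed sample in the shape of license-checker output (name -> licenses).
const SAMPLE_PACKAGES = {
  'spdx-ranges': { licenses: '(MIT AND CC-BY-3.0)' }, // license from the report
  'example-dual': { licenses: 'MIT OR Apache-2.0' },   // constructed package
};

// Returns the packages a CI gate should reject, with the rule that caught them.
function checkPackages(packages, { failOn = [], onlyAllow = null } = {}) {
  const rejected = [];
  for (const [name, { licenses }] of Object.entries(packages)) {
    if (failsOn(licenses, failOn)) rejected.push({ name, rule: 'failOn' });
    else if (onlyAllow && !onlyAllowed(licenses, onlyAllow)) rejected.push({ name, rule: 'onlyAllow' });
  }
  return rejected;
}
```

With this logic, `failOn: ['CC-BY-3.0']` rejects `spdx-ranges`, which is case (1) from the report.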