RSeidelsohn / license-checker-rseidelsohn

Extract NPM package licenses. Enhanced and updated fork of Dav Glass' original (but abandoned) license-checker.
https://www.npmjs.com/package/license-checker-rseidelsohn

--failOn and --onlyAllow do not consider SPDX AND operator #88

Open eliericha opened 1 year ago

eliericha commented 1 year ago

Hello folks,

I have a situation where --excludeLicenses is not excluding a license when it appears as part of an SPDX license with an AND operator.

For example, my package depends on spdx-ranges which has a license (MIT AND CC-BY-3.0).

I observe the following:

  1. npx license-checker-rseidelsohn --failOn 'CC-BY-3.0' does not flag the dependency.
  2. npx license-checker-rseidelsohn --failOn 'MIT AND CC-BY-3.0' does not flag the dependency.
  3. npx license-checker-rseidelsohn --failOn '(MIT AND CC-BY-3.0)' flags the dependency.

I would expect that (1) would be sufficient to detect spdx-ranges. Or did I misunderstand something?

Similarly, --onlyAllow also doesn't take the AND operator, such that:

  1. npx license-checker-rseidelsohn --includePackages spdx-ranges --onlyAllow 'MIT' accepts the package when I would expect a rejection since spdx-ranges also involves the CC-BY-3.0 license.
  2. npx license-checker-rseidelsohn --includePackages spdx-ranges --onlyAllow 'CC-BY-3.0' also accepts the package when I expect a rejection since spdx-ranges also involves the MIT license.
  3. npx license-checker-rseidelsohn --includePackages spdx-ranges --onlyAllow 'BSD' correctly rejects the package. I ran this one to check that --includePackages is not somehow forcing the acceptance of the package whatever its license.

So basically the tool is not considering the AND operator at all?

Thanks.
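
The behaviour the report asks for (a conjunct of an SPDX AND expression counts for --failOn, and every conjunct must be covered for --onlyAllow) can be shown with a small expression evaluator. The block below is an added example written for this page; it is not code from license-checker-rseidelsohn and does not describe how that tool matches licenses. Its assumptions: --failOn and --onlyAllow entries are plain license identifiers (not expressions); a leaf such as `GPL-2.0-only WITH Classpath-exception-2.0` matches an entry naming either the full leaf or the bare `GPL-2.0-only`; and for OR the evaluator treats the package as acceptable if any one alternative is, since the consumer may choose that alternative. The `(MIT AND CC-BY-3.0)` input mirrors the spdx-ranges case from the report and is embedded as constructed sample data.

```javascript
// Added example: minimal SPDX expression evaluator that honours AND, OR, WITH
// and parentheses. Not code from license-checker-rseidelsohn; the OR handling
// and the bare-identifier leaf match are this example's own design choices.

// Parse an SPDX expression into a tree of { op, left, right } or leaf nodes
// { license, exception }. Precedence (lowest to highest): OR, AND, WITH.
function parse(expr) {
  const toks = expr.replace(/([()])/g, ' $1 ').trim().split(/\s+/).filter(Boolean);
  let pos = 0;
  const peek = () => toks[pos];
  const next = () => toks[pos++];
  const isKeyword = (t, kw) => t !== undefined && t.toUpperCase() === kw;

  function parseOr() {
    let left = parseAnd();
    while (isKeyword(peek(), 'OR')) { next(); left = { op: 'OR', left, right: parseAnd() }; }
    return left;
  }
  function parseAnd() {
    let left = parseWith();
    while (isKeyword(peek(), 'AND')) { next(); left = { op: 'AND', left, right: parseWith() }; }
    return left;
  }
  function parseWith() {
    const node = parseAtom();
    if (isKeyword(peek(), 'WITH')) {
      if (!node.license) throw new Error('WITH may only follow a simple license id');
      next();
      const exception = next();
      if (exception === undefined) throw new Error('missing exception id after WITH');
      return { license: node.license, exception };
    }
    return node;
  }
  function parseAtom() {
    const t = next();
    if (t === undefined) throw new Error('unexpected end of expression');
    if (t === '(') {
      const inner = parseOr();
      if (next() !== ')') throw new Error('missing closing parenthesis');
      return inner;
    }
    if (t === ')' || /^(AND|OR|WITH)$/i.test(t)) throw new Error(`unexpected token ${t}`);
    return { license: t };
  }

  const ast = parseOr();
  if (pos !== toks.length) throw new Error(`trailing tokens after ${toks[pos - 1]}`);
  return ast;
}

// A leaf matches a set entry on its full text ("X WITH Y") or on its bare id.
function leafMatches(node, idSet) {
  const full = node.exception ? `${node.license} WITH ${node.exception}` : node.license;
  return idSet.has(full) || idSet.has(node.license);
}

// --failOn semantics: an AND expression fails if any operand fails (all terms
// apply to the consumer); an OR expression fails only if every alternative fails.
function failsOn(ast, failSet) {
  if (ast.op === 'AND') return failsOn(ast.left, failSet) || failsOn(ast.right, failSet);
  if (ast.op === 'OR') return failsOn(ast.left, failSet) && failsOn(ast.right, failSet);
  return leafMatches(ast, failSet);
}

// --onlyAllow semantics: every AND operand must be allowed; for OR one is enough.
function isAllowed(ast, allowSet) {
  if (ast.op === 'AND') return isAllowed(ast.left, allowSet) && isAllowed(ast.right, allowSet);
  if (ast.op === 'OR') return isAllowed(ast.left, allowSet) || isAllowed(ast.right, allowSet);
  return leafMatches(ast, allowSet);
}

// Evaluate one package's license string against both options; returns a list
// of problems (empty means the package passes).
function checkPackage(licenseString, { failOn = [], onlyAllow = [] } = {}) {
  const ast = parse(licenseString);
  const problems = [];
  if (failOn.length && failsOn(ast, new Set(failOn))) {
    problems.push(`matches --failOn (${failOn.join(';')})`);
  }
  if (onlyAllow.length && !isAllowed(ast, new Set(onlyAllow))) {
    problems.push(`not covered by --onlyAllow (${onlyAllow.join(';')})`);
  }
  return problems;
}

// Constructed sample mirroring the report: spdx-ranges declares "(MIT AND CC-BY-3.0)".
const SPDX_RANGES_LICENSE = '(MIT AND CC-BY-3.0)';

for (const opts of [{ failOn: ['CC-BY-3.0'] }, { onlyAllow: ['MIT'] }, { onlyAllow: ['MIT', 'CC-BY-3.0'] }]) {
  console.log(JSON.stringify(opts), '->', checkPackage(SPDX_RANGES_LICENSE, opts));
}
```

With these rules `--failOn CC-BY-3.0` flags spdx-ranges and `--onlyAllow MIT` rejects it, which is the outcome the report expects; only an allow list naming both MIT and CC-BY-3.0 lets it through. The matcher deliberately does not do substring matching, so an entry of `MIT AND CC-BY-3.0` in either list is treated as an unknown identifier rather than an expression.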

RSeidelsohn commented 11 months ago

Hello @eliericha, I will put this on my todo list - definitely something I should get under my control, but time is the limiting factor here for me, unless someone else will jump in with a PR. For this two-week period, though, I'm done with the time I can spare for this project.

Thanks a lot for your investigation and report, I highly appreciate this!

Cheers, Roman.