MIT is an invalid SPDX license identifier?

[recurly-bearley]

I have dependency-review setup to deny a whole slew of licenses:

fail-on-severity: high
comment-summary-in-pr: never
warn-only: true
license-check: true
deny-licenses: 
  - Abstyles
  - AdaCore-doc
  - Adobe-2006
  - Adobe-Glyph
  - Adobe-Utopia
  -  ......

It's failing to recognize MIT as a valid SPDX license identifier:

Warning: The validity of the licenses of the dependencies below could not be determined. Ensure that they are valid SPDX licenses: .github/workflows/dependency-check.yml » actions/checkout@4.*.* – License: MIT Error: Dependency review could not detect the validity of all licenses.

This doesn't seem right. MIT is very common, not on the deny list, on the complete list and this is a github action it's failing on. Additionally, why is it failing the job for this?

[jonjanego]

Could you please share the full deny list, as well as the dependency that it's failing on?

[recurly-bearley]

`fail-on-severity: high comment-summary-in-pr: never warn-only: true license-check: true deny-licenses:

• Abstyles
• AdaCore-doc
• Adobe-2006
• Adobe-Glyph
• Adobe-Utopia
• ADSL
• Afmparse
• AGPL-1.0-only
• AGPL-1.0-or-later
• Aladdin
• AMDPLPA
• AML
• AMPAS
• ANTLR-PD-fallback
• ANTLR-PD
• APAFML
• App-s2p
• Arphic-1999
• ASWF-Digital-Assets-1.0
• ASWF-Digital-Assets-1.1
• Baekmuk
• Bahyph
• Barr
• Beerware
• Bitstream-Charter
• Bitstream-Vera
• BitTorrent-1.0
• blessing
• Boehm-GC
• Borceux
• BSD-2-Clause-Views
• BSD-3-Clause-Attribution
• BSD-3-Clause-flex
• BSD-3-Clause-HP
• BSD-3-Clause-Modification
• BSD-3-Clause-No-Military-License
• BSD-3-Clause-No-Nuclear-License-2014
• BSD-3-Clause-No-Nuclear-License
• BSD-3-Clause-No-Nuclear-Warranty
• BSD-3-Clause-Open-MPI
• BSD-3-Clause-Sun
• BSD-4-Clause-Shortened
• BSD-4-Clause-UC
• BSD-4.3RENO
• BSD-4.3TAHOE
• BSD-Advertising-Acknowledgement
• BSD-Attribution-HPND-disclaimer
• BSD-Inferno-Nettverk
• BSD-Protection
• BSD-Source-Code
• BSD-Systemics
• BUSL-1.1
• bzip2-1.0.6
• C-UDA-1.0
• Caldera
• CC-BY-1.0
• CC-BY-2.0
• CC-BY-2.5-AU
• CC-BY-2.5
• CC-BY-3.0-AT
• CC-BY-3.0-DE
• CC-BY-3.0-IGO
• CC-BY-3.0-NL
• CC-BY-3.0-US
• CC-BY-3.0
• CC-BY-NC-1.0
• CC-BY-NC-2.0
• CC-BY-NC-2.5
• CC-BY-NC-3.0-DE
• CC-BY-NC-3.0
• CC-BY-NC-4.0
• CC-BY-NC-ND-1.0
• CC-BY-NC-ND-2.0
• CC-BY-NC-ND-2.5
• CC-BY-NC-ND-3.0-DE
• CC-BY-NC-ND-3.0-IGO
• CC-BY-NC-ND-3.0
• CC-BY-NC-ND-4.0
• CC-BY-NC-SA-1.0
• CC-BY-NC-SA-2.0-DE
• CC-BY-NC-SA-2.0-FR
• CC-BY-NC-SA-2.0-UK
• CC-BY-NC-SA-2.0
• CC-BY-NC-SA-2.5
• CC-BY-NC-SA-3.0-DE
• CC-BY-NC-SA-3.0-IGO
• CC-BY-NC-SA-3.0
• CC-BY-NC-SA-4.0
• CC-BY-ND-1.0
• CC-BY-ND-2.0
• CC-BY-ND-2.5
• CC-BY-ND-3.0-DE
• CC-BY-ND-3.0
• CC-BY-ND-4.0
• CC-BY-SA-1.0
• CC-BY-SA-2.0-UK
• CC-BY-SA-2.0
• CC-BY-SA-2.1-JP
• CC-BY-SA-2.5
• CC-BY-SA-3.0-AT
• CC-BY-SA-3.0-DE
• CC-BY-SA-3.0-IGO
• CC-BY-SA-3.0
• CC-PDDC
• CDDL-1.1
• CDL-1.0
• CDLA-Permissive-1.0
• CDLA-Permissive-2.0
• CDLA-Sharing-1.0
• CECILL-1.0
• CECILL-1.1
• CERN-OHL-1.1
• CERN-OHL-1.2
• CFITSIO
• check-cvs
• checkmk
• Clips
• CMU-Mach
• CNRI-Jython
• CNRI-Python-GPL-Compatible
• COIL-1.0
• Community-Spec-1.0
• copyleft-next-0.3.0
• copyleft-next-0.3.1
• Cornell-Lossless-JPEG
• CPOL-1.02
• Cronyx
• Crossword
• CrystalStacker
• Cube
• curl
• D-FSL-1.0
• diffmark
• DL-DE-BY-2.0
• DL-DE-ZERO-2.0
• DOC
• Dotseqn
• DRL-1.0
• DSDP
• dtoa
• dvipdfm
• eGenix
• Elastic-2.0
• EPICS
• ErlPL-1.1
• etalab-2.0
• EUPL-1.0
• Eurosym
• FBM
• FDK-AAC
• Ferguson-Twofish
• FreeBSD-DOC
• FreeImage
• FSFUL
• FSFULLR
• FSFULLRWD
• Furuseth
• fwlw
• GD
• GFDL-1.1-invariants-only
• GFDL-1.1-invariants-or-later
• GFDL-1.1-no-invariants-only
• GFDL-1.1-no-invariants-or-later
• GFDL-1.2-invariants-only
• GFDL-1.2-invariants-or-later
• GFDL-1.2-no-invariants-only
• GFDL-1.2-no-invariants-or-later
• GFDL-1.3-invariants-only
• GFDL-1.3-invariants-or-later
• GFDL-1.3-no-invariants-only
• GFDL-1.3-no-invariants-or-later
• Giftware
• GL2PS
• Glide
• Glulxe
• GLWTPL
• GPL-1.0-only
• GPL-1.0-or-later
• Graphics-Gems
• gSOAP-1.3b
• HaskellReport
• Hippocratic-2.1
• HP-1986
• HP-1989
• HPND-DEC
• HPND-doc-sell
• HPND-doc
• HPND-export-US-modify
• HPND-export-US
• HPND-Markus-Kuhn
• HPND-Pbmplus
• HPND-sell-regexpr
• HPND-sell-variant-MIT-disclaimer
• HPND-sell-variant
• HPND-UC
• HTMLTIDY
• IBM-pibs
• IEC-Code-Components-EULA
• IJG-short
• ImageMagick
• Info-ZIP
• Inner-Net-2.0
• Intel-ACPI
• Interbase-1.0
• JasPer-2.0
• JPL-image
• JPNIC
• JSON
• Kastrup
• Kazlib
• Knuth-CTAN
• LAL-1.2
• LAL-1.3
• Latex2e-translated-notice
• Latex2e
• Leptonica
• LGPLLR
• libpng-2.0
• Libpng
• libselinux-1.0
• libtiff
• libutil-David-Nugent
• Linux-man-pages-1-para
• Linux-man-pages-copyleft-2-para
• Linux-man-pages-copyleft-var
• Linux-man-pages-copyleft
• Linux-OpenIB
• LOOP
• LPPL-1.0
• LPPL-1.1
• lsof
• Lucida-Bitmap-Fonts
• LZMA-SDK-9.11-to-9.20
• LZMA-SDK-9.22
• magaz
• MakeIndex
• Martin-Birgmeier
• McPhee-slideshow
• metamail
• Minpack
• MIT-advertising
• MIT-CMU
• MIT-enna
• MIT-feh
• MIT-Festival
• MIT-open-group
• MIT-testregex
• MIT-Wu
• MITNFA
• MMIXware
• MPEG-SSG
• mpi-permissive
• mpich2
• mplus
• MS-LPL
• MTLL
• MulanPSL-1.0
• Mup
• NAIST-2003
• NBPL-1.0
• NCGL-UK-2.0
• Net-SNMP
• NetCDF
• Newsletr
• NICTA-1.0
• NIST-PD-fallback
• NIST-PD
• NIST-Software
• NLOD-1.0
• NLOD-2.0
• NLPL
• Noweb
• NRL
• NTP-0
• O-UDA-1.0
• OCCT-PL
• ODC-By-1.0
• OFFIS
• OFL-1.0-no-RFN
• OFL-1.0-RFN
• OGC-1.0
• OGDL-Taiwan-1.0
• OGL-Canada-2.0
• OGL-UK-1.0
• OGL-UK-2.0
• OGL-UK-3.0
• OLDAP-1.1
• OLDAP-1.2
• OLDAP-1.3
• OLDAP-1.4
• OLDAP-2.0.1
• OLDAP-2.0
• OLDAP-2.1
• OLDAP-2.2.1
• OLDAP-2.2.2
• OLDAP-2.2
• OLDAP-2.4
• OLDAP-2.5
• OLDAP-2.6
• OML
• OpenPBS-2.3
• OPL-1.0
• OPL-UK-3.0
• OPUBL-1.0
• PADL
• Parity-6.0.0
• Parity-7.0.0
• PDDL-1.0
• Plexus
• pnmstitch
• PolyForm-Noncommercial-1.0.0
• PolyForm-Small-Business-1.0.0
• PSF-2.0
• psfrag
• psutils
• Python-2.0.1
• python-ldap
• Qhull
• QPL-1.0-INRIA-2004
• Rdisc
• RHeCos-1.1
• RSA-MD
• Saxpath
• SCEA
• SchemeReport
• Sendmail-8.23
• Sendmail
• SGI-B-1.0
• SGI-B-1.1
• SGI-OpenGL
• SGP4
• SHL-0.5
• SHL-0.51
• SISSL-1.2
• SL
• SMPPL
• SNIA
• snprintf
• Soundex
• Spencer-86
• Spencer-94
• Spencer-99
• ssh-keyscan
• SSH-OpenSSH
• SSH-short
• SSPL-1.0
• SugarCRM-1.1.3
• SunPro
• SWL
• swrule
• Symlinks
• TAPR-OHL-1.0
• TCL
• TCP-wrappers
• TermReadKey
• TMate
• TORQUE-1.1
• TOSL
• TPDL
• TPL-1.0
• TTWL
• TTYP0
• TU-Berlin-1.0
• TU-Berlin-2.0
• UCAR
• ulem
• Unicode-DFS-2015
• Unicode-TOU
• UnixCrypt
• URT-RLE
• VOSTROM
• W3C-19980720
• W3C-20150513
• w3m
• Widget-Workshop
• Wsuipa
• X11-distribute-modifications-variant
• Xdebug-1.03
• Xerox
• Xfig
• xlock
• xpp
• XSkat
• YPL-1.0
• Zed
• Zeeff
• Zimbra-1.4
• zlib-acknowledgement
• ZPL-1.1`

The dependency that it's failing on is in the report. actions/checkout@4.*.* – License: MIT

[github-actions[bot]]

👋 This issue has been marked as stale because it has been open with no activity for 180 days. You can: comment on the issue or remove the stale label to hold stalebot off for a while, add the Keep label to hold stale off permanently, or do nothing. If you do nothing, this issue will be closed eventually by the stalebot. Please see CONTRIBUTING.md for more policy details.