Failure calling curation patch API with certain license expressions

[qtomlinson]

Expected: should be able to call patch /curate with payload include valid license expressions

Observed: Error message: {"errors": [[{"message": "Invalid license in curation","error": "2.25.1 licensed.declared with value \"GPL-2.0-Only AND GPL-3.0-Or-Later AND LGPL-2.1-Only AND MPL-1.1\" is not SPDX compliant"}]],"patchesInError": [{"coordinates": {"type": "maven","provider": "mavencentral","namespace": "org.glassfish.jersey.core","name": "jersey-client"},"revisions": {"2.25.1": {"licensed": {"declared": "GPL-2.0-Only AND GPL-3.0-Or-Later AND LGPL-2.1-Only AND MPL-1.1"}}}}]}

Steps to reproduce: curl -X PATCH "https://dev-api.clearlydefined.io/curations" -H "accept: application/json" -H "Content-Type: application/json" -d "{\"contributionInfo\":{\"summary\":\"test\",\"details\":\"test details\",\"resolution\":\"test resolution\",\"type\":\"Missing\"},\"patches\":[{\"coordinates\":{\"type\":\"maven\",\"provider\":\"mavencentral\",\"namespace\":\"org.glassfish.jersey.core\",\"name\":\"jersey-client\"},\"revisions\":{\"2.25.1\":{\"licensed\":{\"declared\":\"GPL-2.0-Only AND GPL-3.0-Or-Later AND LGPL-2.1-Only AND MPL-1.1\"}}}}]}"

[yashkohli88]

I tried debugging the curations API and found that the license name should be exactly same as the identifier present in the spdx list as service is using the spdx parser to identify the license.

Then one more thing to take care of while curating complex license expression is to add brackets in some of the expressions. One of such case is described below.

Below is the license expression used to curate these three licenses successfully. Here is the PR for the curation which I tried on my local system and personal repo - https://github.com/yashkohli88/curated-data-dev/pull/4 License expression - GPL-2.0-only OR (LGPL-2.1-only OR MPL-1.1)

The difference in the parsed license expression and the input license expression is at the Line 79

Below image with breakpoint on the same line confirms.

The normalize() function is imported from normalize()

The dependency that is responsible for this difference is the parse function inside spdx-expression-parse

[qtomlinson]

Found a couple issues:

1. SPDX.stringify (called by SPDX.normalize)

   • stringify needs to be more simplified. LGPL-2.1-only OR MIT OR BSD-3-Clause is the simplified form and no extra brackets are needed.
   • PR ready for review at https://github.com/clearlydefined/spdx/pull/30

2. != SPDX.normalized

   • Question 1, contains NOASSERTION, should not be allowed to curate.
   • Question 2,
     • what if the license expression has extra brackets?
       e.g., 'MIT AND (Apache-2.0 AND AGPL-1.0)'
     • upper or lower case identifier are all valid based on SPDX specification https://spdx.github.io/spdx-spec/v2-draft/SPDX-license-expressions/#d4-composite-license-expressions e.g., 'mit AND apache-2.0'
     • if curation is not allowed as per current behavior, need to have a more descriptive error message, so user knows how to correct the license expression to the most simplified form.