Incorrect SPDX license parsing

Bug

Parsing gives false positives when SPDX-License-Identifier appears twice in the document (or so it seems) even when it is not a part of header/could not be considered licensing information.

MVC from GitHub Actions Workflow:

# SPDX-FileCopyrightText: © 2024 foo <https://github.com/bar>
#
# SPDX-License-Identifier: Apache-2.0

---
run: |
  echo "# SPDX-FileCopyrightText: © 2024 GitHub <https://github.com>" > .gitignore
  echo "#" >> .gitignore
  echo "# SPDX-License-Identifier: CC0-1.0" >> .gitignore
  echo "" >> .gitignore

which gives:

reuse.extract - ERROR - Could not parse 'CC0-1.0"'
reuse.extract - ERROR - 'FILE_XYZ.yml' holds an SPDX expression that cannot be parsed, skipping the file

reuse --version is 5.0.2.

Additional info

"# SPDX-FileCopyrightText: © 2024 GitHub <https://github.com>" in the case above is parsed correctly (I assume only the first match is taken into the account in this case)
If " >> .gitignore is removed from the offending line (giving us only echo "# SPDX-License-Identifier: CC0-1.0) the file is linted correctly
Same license specifiers in both cases does not change anything
Likely independent from file format and related to regex matching

Workaround

Do not put anything after the SPDX-License-Identifier: <LICENSE> if possible, e.g.:

# SPDX-FileCopyrightText: © 2024 foo <https://github.com/bar>
#
# SPDX-License-Identifier: Apache-2.0

run: >
  echo '# SPDX-FileCopyrightText: © 2024 GitHub <https://github.com>
  #
  # SPDX-License-Identifier: CC0-1.0
  #' > .gitignore

or (probably) use .file.license to license the file

fsfe / reuse-tool

Incorrect SPDX license parsing #1105

Bug

Additional info

Workaround