Skip to content

fix(license): canonicalize LicenseRef-scancode SPDX keys to mirror license keys#1223

Merged
mstykow merged 1 commit into
mainfrom
fix/license-spdx-key-canonicalization
Jul 4, 2026
Merged

fix(license): canonicalize LicenseRef-scancode SPDX keys to mirror license keys#1223
mstykow merged 1 commit into
mainfrom
fix/license-spdx-key-canonicalization

Conversation

@mstykow

@mstykow mstykow commented Jul 4, 2026

Copy link
Copy Markdown
Owner

Summary

  • Upstream ScanCode enforces an arbitrary "spdx_license_key must be 50 characters or less" lint (licensedcode/models.py) that squashed or truncated dozens of LicenseRef-scancode-* SPDX keys — e.g. LicenseRef-scancode-openssl-exception-lgpl3.0plus instead of the canonical LicenseRef-scancode-openssl-exception-lgpl-3.0-plus.
  • For the LicenseRef-scancode- namespace the identifier is by definition the license key with the namespace prefix, so any deviation is a distortion, not a semantic choice. Provenant applies no length limit.
  • New build-time pass spdx_key_canonicalization restores the canonical LicenseRef-scancode-<key> form when the embedded index is generated, keeping the previous value in other_spdx_license_keys so it stays recognized on input (backward compatible).
  • An audit of all 2,733 licenses found 50 deviations: 49 are fixed by the general rule; 1 (tgc-spec-license-v2) carries an upstream typo in the license key while its SPDX key is already correct (tcg, for "Trusted Computing Group"). Mirroring the key would regress that correct SPDX key, and renaming the key would drop a ScanCode-compatible identifier with no alias mechanism, so it is exempted from the pass and left exactly as upstream has it.

Issues

Scope and exclusions

  • Included: build-time canonicalization of LicenseRef-scancode-* SPDX keys (with one documented exemption); regenerated embedded license_index.zst; docs note; unit + end-to-end tests.
  • Explicit exclusions: no changes to license detection/matching behavior (both spellings were already accepted on input and still are); no changes to real (non-LicenseRef) SPDX ids; no upstream ScanCode changes.

How to verify

  • Emission is the only user-visible change. Confirm the embedded artifact carries canonical keys:
    cargo test --lib test_embedded_licenseref_spdx_keys_are_canonicalized
  • Artifact is deterministic/committed: cargo run --manifest-path xtask/Cargo.toml --bin generate-index-artifact -- --check (prints "Artifact is up to date").
  • Recognition is unchanged: both the canonical and the old squashed form remain in the reverse lookup (rid_by_spdx_key), so declared-license inputs using either spelling still resolve.

Intentional differences from Python

  • Provenant does not enforce ScanCode's 50-character spdx_license_key lint, so it emits the canonical dashed LicenseRef-scancode-<key> identifiers that the lint forced upstream to squash.
  • No key or parity divergence: tgc-spec-license-v2 (an upstream key typo whose SPDX key is already correct) is left untouched, so PV's key output stays ScanCode-compatible.

Expected-output fixture changes

  • Files changed: resources/license_detection/license_index.zst (regenerated embedded artifact).
  • Why the new expected output is correct: the regenerated artifact carries the corrected spdx_license_key / other_spdx_license_keys values; no test golden fixtures referenced the old squashed keys.

🤖 Generated with Claude Code

@greptile-apps

greptile-apps Bot commented Jul 4, 2026

Copy link
Copy Markdown

Greptile Summary

This PR canonicalizes ScanCode LicenseRef SPDX keys in the embedded license index. The main changes are:

  • Adds a build-time SPDX key canonicalization pass.
  • Preserves old squashed SPDX keys as aliases.
  • Keeps tgc-spec-license-v2 as the ScanCode key while preserving its correct SPDX key.
  • Regenerates the embedded license index.
  • Adds documentation and tests for the new behavior.

Confidence Score: 5/5

This looks safe to merge.

  • No blocking issues found in the changed code.

Important Files Changed

Filename Overview
src/license_detection/spdx_key_canonicalization.rs Adds the canonicalization pass and exempts the misspelled ScanCode key case.
xtask/src/bin/generate_index_artifact.rs Runs canonicalization before fingerprinting and serializing the embedded artifact.
src/license_detection/tests.rs Adds tests for canonical SPDX output and the tgc-spec-license-v2 mapping.
src/license_detection/models/loaded_license.rs Adds Default for test construction of loaded licenses.
docs/LICENSE_DETECTION_ARCHITECTURE.md Documents the LicenseRef-scancode-* canonicalization rule.

Reviews (2): Last reviewed commit: "fix(license): canonicalize LicenseRef-sc..." | Re-trigger Greptile

Comment thread src/license_detection/spdx_key_canonicalization.rs Outdated
…cense keys

Upstream ScanCode enforces an arbitrary "spdx_license_key must be 50
characters or less" lint that squashed or truncated dozens of
LicenseRef-scancode-* SPDX keys (e.g.
LicenseRef-scancode-openssl-exception-lgpl3.0plus instead of the canonical
...lgpl-3.0-plus; see aboutcode-org/scancode-toolkit#5221). For the
LicenseRef-scancode namespace the identifier is by definition the license
key with the namespace prefix, so any deviation is a distortion, not a
semantic choice.

Provenant applies no length limit, so restore the canonical form at
index-build time and keep the previous value in other_spdx_license_keys
for backward compatibility. An audit of all 2733 licenses found 50 such
deviations: 49 are canonicalized by the general rule; 1
(tgc-spec-license-v2) carries an upstream typo in the license *key* while
its SPDX key is already correct (tcg), so it is exempted from the pass
(mirroring the key would regress the correct SPDX key, and renaming the
key would drop a ScanCode-compatible identifier with no alias mechanism).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Maxim Stykow <maxim.stykow@gmail.com>
@mstykow mstykow force-pushed the fix/license-spdx-key-canonicalization branch from f24d959 to 65a1399 Compare July 4, 2026 13:05
@mstykow mstykow merged commit 0f559aa into main Jul 4, 2026
17 checks passed
@mstykow mstykow deleted the fix/license-spdx-key-canonicalization branch July 4, 2026 13:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant