fix(license): canonicalize LicenseRef-scancode SPDX keys to mirror license keys#1223
Merged
Merged
Conversation
Greptile SummaryThis PR canonicalizes ScanCode
Confidence Score: 5/5This looks safe to merge.
Important Files Changed
Reviews (2): Last reviewed commit: "fix(license): canonicalize LicenseRef-sc..." | Re-trigger Greptile |
…cense keys Upstream ScanCode enforces an arbitrary "spdx_license_key must be 50 characters or less" lint that squashed or truncated dozens of LicenseRef-scancode-* SPDX keys (e.g. LicenseRef-scancode-openssl-exception-lgpl3.0plus instead of the canonical ...lgpl-3.0-plus; see aboutcode-org/scancode-toolkit#5221). For the LicenseRef-scancode namespace the identifier is by definition the license key with the namespace prefix, so any deviation is a distortion, not a semantic choice. Provenant applies no length limit, so restore the canonical form at index-build time and keep the previous value in other_spdx_license_keys for backward compatibility. An audit of all 2733 licenses found 50 such deviations: 49 are canonicalized by the general rule; 1 (tgc-spec-license-v2) carries an upstream typo in the license *key* while its SPDX key is already correct (tcg), so it is exempted from the pass (mirroring the key would regress the correct SPDX key, and renaming the key would drop a ScanCode-compatible identifier with no alias mechanism). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Signed-off-by: Maxim Stykow <maxim.stykow@gmail.com>
f24d959 to
65a1399
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
licensedcode/models.py) that squashed or truncated dozens ofLicenseRef-scancode-*SPDX keys — e.g.LicenseRef-scancode-openssl-exception-lgpl3.0plusinstead of the canonicalLicenseRef-scancode-openssl-exception-lgpl-3.0-plus.LicenseRef-scancode-namespace the identifier is by definition the licensekeywith the namespace prefix, so any deviation is a distortion, not a semantic choice. Provenant applies no length limit.spdx_key_canonicalizationrestores the canonicalLicenseRef-scancode-<key>form when the embedded index is generated, keeping the previous value inother_spdx_license_keysso it stays recognized on input (backward compatible).tgc-spec-license-v2) carries an upstream typo in the license key while its SPDX key is already correct (tcg, for "Trusted Computing Group"). Mirroring the key would regress that correct SPDX key, and renaming the key would drop a ScanCode-compatible identifier with no alias mechanism, so it is exempted from the pass and left exactly as upstream has it.Issues
openssl-exception-lgpl-3.0-plusprimaryspdx_license_keyaboutcode-org/scancode-toolkit#5221 across the whole dataset, PV-side (no upstream dependency).Scope and exclusions
LicenseRef-scancode-*SPDX keys (with one documented exemption); regenerated embeddedlicense_index.zst; docs note; unit + end-to-end tests.LicenseRef) SPDX ids; no upstream ScanCode changes.How to verify
cargo test --lib test_embedded_licenseref_spdx_keys_are_canonicalizedcargo run --manifest-path xtask/Cargo.toml --bin generate-index-artifact -- --check(prints "Artifact is up to date").rid_by_spdx_key), so declared-license inputs using either spelling still resolve.Intentional differences from Python
spdx_license_keylint, so it emits the canonical dashedLicenseRef-scancode-<key>identifiers that the lint forced upstream to squash.tgc-spec-license-v2(an upstream key typo whose SPDX key is already correct) is left untouched, so PV's key output stays ScanCode-compatible.Expected-output fixture changes
resources/license_detection/license_index.zst(regenerated embedded artifact).spdx_license_key/other_spdx_license_keysvalues; no test golden fixtures referenced the old squashed keys.🤖 Generated with Claude Code