[fix] Properly handle license abbrevs that match SPDX and legacy

Some legacy license abbreviations match SPDX abbreviations.  In these
cases, do not assume the license expression is SPDX unless the other
tokens are SPDX tokens.  This happens in a handful of cases with
license abbreviations like "Zlib" or "MIT" and maybe a few others.

Fixes: rpminspect#1378

Signed-off-by: David Cantrell <[email protected]>

Author: dcantrell

data/remedy/generic.toml

@@ -52,6 +52,12 @@ case-insensitive.  It is only the boolean terms that must be in all
 capital letters.
 """
 
+mixed_license_tags = """
+The License tag contains mixed used of SPDX and legacy license
+identifiers.  You must use either all SPDX license identifiers or all
+legacy license identifiers; you cannot mix the two systems.
+"""
+
 elf_textrel = """
 Ensure all object files are compiled with -fPIC.
 """

include/remedy.h

@@ -100,6 +100,7 @@ extern "C"
 #define REMEDY_VENDOR                    84
 #define REMEDY_VIRUS                     85
 #define REMEDY_XML                       86
+#define REMEDY_MIXED_LICENSE_TAGS        87
 
 /* Initialize default remedy strings */
 void init_remedy_strings(void);

lib/inspect_license.c

@@ -29,6 +29,8 @@
 /* Globals */
 static const char *srpm = NULL;
 static int nspdx = 0;
+static int nlegacy = 0;
+static int ndual = 0;
 string_list_t *booleans = NULL;
 
 /* Local helper functions */
@@ -168,13 +170,20 @@ static bool lic_cb(const char *license_name, void *cb_data)
     if (!approved) {
         /* invalid - do nothing */
         goto done;
+    }
+
+    if (spdx_abbrev && !strcasecmp(lic, spdx_abbrev) && list_contains(fedora_abbrev, lic)) {
+        /* license token is valid under the legacy system and SPDX */
+        data->valid = true;
+        ndual++;
     } else if (spdx_abbrev && !strcasecmp(lic, spdx_abbrev)) {
         /* SPDX identifier matched */
         data->valid = true;
         nspdx++;
     } else if (list_contains(fedora_abbrev, lic) || (list_len(fedora_abbrev) == 0 && spdx_abbrev == NULL && list_contains(fedora_name, lic))) {
         /* Old Fedora abbreviation matches -or- there are no Fedora abbreviations but a Fedora name matches */
         data->valid = true;
+        nlegacy++;
     }
 
 done:
@@ -544,21 +553,36 @@ static bool is_valid_license(struct rpminspect *ri, struct result_params *params
     free(wlicense);
 
     /* for SPDX tags found, ensure booleans are all uppercase */
-    if (nspdx > 0 && (booleans && !TAILQ_EMPTY(booleans))) {
+    if (nlegacy == 0 && ndual == 0 && nspdx > 0 && (booleans && !TAILQ_EMPTY(booleans))) {
         TAILQ_FOREACH(entry, booleans, items) {
             if ((!strcasecmp(entry->data, "AND") && strcmp(entry->data, "AND"))
                 || (!strcasecmp(entry->data, "OR") && strcmp(entry->data, "OR"))) {
                 r = false;
 
                 params->severity = RESULT_BAD;
                 params->remedy = get_remedy(REMEDY_INVALID_BOOLEAN);
-                xasprintf(&params->msg, _("SPDX license expressions in use, but an invalid boolean was found: %s; when using SPDX expression the booleans must be in all caps."), entry->data);
+                xasprintf(&params->msg, _("SPDX license expressions in use in %s, but an invalid boolean was found: %s; when using SPDX expression the booleans must be in all caps."), nevra, entry->data);
+                xasprintf(&params->details, _("License: %s"), license);
                 add_result(ri, params);
                 free(params->msg);
+                free(params->details);
+                params->details = NULL;
             }
         }
     }
 
+    /* mixed SPDX and legacy tags are forbidden */
+    if (nlegacy > 0 && nspdx > 0 && ndual == 0) {
+        params->severity = RESULT_BAD;
+        params->remedy = get_remedy(REMEDY_MIXED_LICENSE_TAGS);
+        xasprintf(&params->msg, _("Mixed SPDX and legacy license identifiers found in %s."), nevra);
+        xasprintf(&params->details, _("License: %s"), license);
+        add_result(ri, params);
+        free(params->msg);
+        free(params->details);
+        params->details = NULL;
+    }
+
     return r;
 }
 

lib/remedy.c

@@ -102,6 +102,7 @@ struct remedy remedies[] = {
     { REMEDY_VENDOR, "vendor", NULL },
     { REMEDY_VIRUS, "virus", NULL },
     { REMEDY_XML, "xml", NULL },
+    { REMEDY_MIXED_LICENSE_TAGS, "mixed_license_tags", NULL },
     { 0, NULL, NULL }
 };
 
@@ -196,6 +197,7 @@ void init_remedy_strings(void)
     remedies[REMEDY_VENDOR].remedy = _("Change the string specified on the 'Vendor:' line in the spec file.");
     remedies[REMEDY_VIRUS].remedy = _("ClamAV has found a virus in the named file.  This may be a false positive, but you should manually inspect the file in question to ensure it is clean.  This may be a problem with the ClamAV database or detection.  If you are sure the file in question is clean, please file a bug with rpminspect for further help.");
     remedies[REMEDY_XML].remedy = _("Correct the reported errors in the XML document.");
+    remedies[REMEDY_MIXED_LICENSE_TAGS].remedy = _("The License tag contains mixed used of SPDX and legacy license identifiers.  You must use either all SPDX license identifiers or all legacy license identifiers; you cannot mix the two systems.");
 
     return;
 }

po/POTFILES

@@ -1,5 +1,7 @@
 include/compat/queue.h
 include/constants.h
+include/helpers.h
+include/i18n.h
 include/init.h
 include/inspect.h
 include/internal/callbacks.h
@@ -8,7 +10,7 @@ include/output.h
 include/parser.h
 include/queue.h
 include/readelf.h
-include/results.h
+include/remedy.h
 include/rpminspect.h
 include/secrules.h
 include/types.h
@@ -107,6 +109,7 @@ lib/readelf.c
 lib/readfile.c
 lib/rebase.c
 lib/release.c
+lib/remedy.c
 lib/results.c
 lib/rmtree.c
 lib/rpm.c