Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix bug where GPL-2.0 failed to match GPL-2.0-only #42

Merged
merged 2 commits into from
Mar 21, 2023
Merged

fix bug where GPL-2.0 failed to match GPL-2.0-only #42

merged 2 commits into from
Mar 21, 2023

Conversation

elrayle
Copy link
Collaborator

@elrayle elrayle commented Mar 20, 2023

Description

Testing the policy service identified a bug where GPL-2.0 was not allowed for GPL-2.0-only. This PR does some cleanup on node.go to lay out the comparisons more clearly and fix the bug.

Changes

Most of the changes are adding test-cases that would have caught the bug. The only substantive changes are in the range checks in node.go. There is one minor change to compareEQ() to short cut the comparison if the two licenses are the same.

  • check all simple cases before checking ranges (i.e. nodes are not licenses, exceptions are not equal, licenses are exactly equal) This is less expensive than range checks.
  • remove any simple checks that were repeated in range check methods
  • add comment describing license ranges
  • add comments about what is expected depending on whether one or both licenses have has_plus==true
  • fix the bug by checking that both license are in the same range when neither node has_plus

@elrayle elrayle requested a review from ajhenry as a code owner March 20, 2023 14:43
elrayle
elrayle commented Mar 20, 2023
View reviewed changes
spdxexp/node.go
// first, second
return nodes.licensesExactlyEqual()
// first, second requires both to be in same range group
return nodes.rangesEqual()
Copy link
Collaborator Author

@elrayle elrayle Mar 20, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is the change that fixes the bug. It makes sure that if neither license hasPlus, then the licenses must be in the same range (e.g. GPL-2.0 and GPL-2.0-only are in the same range).

Previously, it checked that the licenses were exactly the same. (e.g. GPL-2.0 != GPL-2.0-only). Since these should be treated as equivalent, but aren't literally the same, it led to the bug.

dangoor
dangoor approved these changes Mar 21, 2023
View reviewed changes
Copy link
Contributor

@dangoor dangoor left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! I asked if exceptions are handled elsewhere and it certainly looks to be the case from the test that appears at the very end of the PR view (satisfies_test.go line 119). Great that you were able to spot this problem!

spdxexp/compare.go
@@ -1,5 +1,13 @@
package spdxexp

// The compare methods determine if two ranges are greater than, less than or equal within the same license group.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

very helpful comment!

spdxexp/node.go
@@ -238,7 +256,7 @@ func (nodes *nodePair) rangesAreCompatible() bool {
// When both licenses allow later versions (i.e. hasPlus==true), being in the same license
// group is sufficient for compatibility, as long as, any exception is also compatible
// Example: All Apache licenses (e.g. Apache-1.0, Apache-2.0) are in the same license group
return sameLicenseGroup(firstRange, secondRange) && nodes.exceptionsAreCompatible()
return sameLicenseGroup(firstRange, secondRange)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I assume exception compatibility is still handled elsewhere?

elrayle
elrayle commented Mar 21, 2023
View reviewed changes
spdxexp/node.go
if !nodes.firstNode.isLicense() || !nodes.secondNode.isLicense() {
return false
}
if !nodes.exceptionsAreCompatible() {
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@dangoor This is the check for exceptions. It is handled before checking ranges.

@elrayle elrayle merged commit 0e88248 into main Mar 21, 2023
@elrayle elrayle deleted the elr/fix-only branch March 21, 2023 14:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dangoor dangoor dangoor approved these changes

@ajhenry ajhenry Awaiting requested review from ajhenry ajhenry is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@elrayle @dangoor