Inconsistent Ordering of Rules in LicenseNameMapping causes unwanted mappings.
Closed this issue · 2 comments
duph97 commented
The following component is mapped to LGPL-2.1-or-later. Rule 94 is applied as the declared license matches.
Component:
Group ID | Artifact ID | Version | License | License URL | Normalized License Type | Normalized License |
---|---|---|---|---|---|---|
org.hibernate.common | hibernate-commons-annotations | 5.0.4.Final | GNU Lesser General Public License v2.1 or later | http://www.gnu.org/licenses/lgpl-2.1.html | OSS-SPDX | LGPL-2.1-or-later |
LicenseNameMapping rules:
Rule ID | License name in Artifact | License URL in Artifact | Type | Normalized SPDX-Id |
---|---|---|---|---|
94 | GNU Lesser General Public License v2.1 or later | | OSS-SPDX | LGPL-2.1-or-later |
100 | | https?://www.gnu.org/licenses/lgpl-2.1.*(REGEX) | OSS-SPDX | LGPL-2.1-only |
101 | | https?://www.gnu.org/licenses/old-licenses/lgpl-2.1.*(REGEX) | OSS-SPDX | LGPL-2.1-only |
102 | | https?://www.opensource.org/licenses/LGPL-2.1(REGEX) | OSS-SPDX | LGPL-2.1-only |
However, if the ordering of the rules is changed so that the rules 100-102 are above rule 94, the component will be mapped to LGPL-2.1-only which is wrong. Here rule 100 will fire.
Group ID | Artifact ID | Version | License | License URL | Normalized License Type | Normalized License |
---|---|---|---|---|---|---|
org.hibernate.common | hibernate-commons-annotations | 5.0.4.Final | GNU Lesser General Public License v2.1 or later | http://www.gnu.org/licenses/lgpl-2.1.html | OSS-SPDX | LGPL-2.1-only |
LicenseNameMapping rules:
Rule ID | License name in Artifact | License URL in Artifact | Type | Normalized SPDX-Id |
---|---|---|---|---|
100 | | https?://www.gnu.org/licenses/lgpl-2.1.*(REGEX) | OSS-SPDX | LGPL-2.1-only |
101 | | https?://www.gnu.org/licenses/old-licenses/lgpl-2.1.*(REGEX) | OSS-SPDX | LGPL-2.1-only |
102 | | https?://www.opensource.org/licenses/LGPL-2.1(REGEX) | OSS-SPDX | LGPL-2.1-only |
94 | GNU Lesser General Public License v2.1 or later | | OSS-SPDX | LGPL-2.1-or-later |
Currently rules 100-102 are above the more specific LGPL-2.1-or-later rules like rule 94. This causes incorrect mappings. The rules are ordered primarily by column E (Normalized Spdx-Id). We need to make sure the ordering is consistent or overthink the concept of mapping licenses based on the Declared URL.
duph97 commented
Solution:
- Rules are to be ordered from A-Z descending by column "Normalized SPDX-ID"
- Always manually put "-or-later" rules before "-only" rules
ohecker commented
Merged and closed.
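The ordering problem reported in this issue, reproduced as an added example that is not part of the thread or of the project's code: the four rules from the tables are evaluated first-match-wins against the hibernate-commons-annotations component, with two checks that flag order-dependent results. It assumes a rule matches when all of its non-empty columns match and that REGEX entries must match the whole URL; all function names are hypothetical.

```python
import re

# Rules copied from the issue: (rule id, license name, license URL regex, SPDX id).
# None means the rule places no condition on that column.
RULES = [
    (94, "GNU Lesser General Public License v2.1 or later", None, "LGPL-2.1-or-later"),
    (100, None, r"https?://www.gnu.org/licenses/lgpl-2.1.*", "LGPL-2.1-only"),
    (101, None, r"https?://www.gnu.org/licenses/old-licenses/lgpl-2.1.*", "LGPL-2.1-only"),
    (102, None, r"https?://www.opensource.org/licenses/LGPL-2.1", "LGPL-2.1-only"),
]

def matches(rule, name, url):
    """Assumed semantics: every non-empty condition of the rule must hold."""
    _, rule_name, url_regex, _ = rule
    if rule_name is not None and rule_name != name:
        return False
    if url_regex is not None and not re.fullmatch(url_regex, url or ""):
        return False
    return True

def normalize(rules, name, url):
    """First matching rule wins, so the result depends on rule order."""
    for rule in rules:
        if matches(rule, name, url):
            return rule[0], rule[3]
    return None, None

def order_conflicts(rules, name, url):
    """SPDX ids of all matching rules if they disagree, else an empty list."""
    ids = sorted({r[3] for r in rules if matches(r, name, url)})
    return ids if len(ids) > 1 else []

def only_before_or_later(rules):
    """Lint: (only_id, or_later_id) pairs where '-only' precedes its '-or-later' twin."""
    bad = []
    for i, early in enumerate(rules):
        if not early[3].endswith("-only"):
            continue
        base = early[3][: -len("-only")]
        bad += [(early[0], late[0]) for late in rules[i + 1:] if late[3] == base + "-or-later"]
    return bad

# The component from the issue, and the rule order that produced the wrong mapping.
NAME = "GNU Lesser General Public License v2.1 or later"
URL = "http://www.gnu.org/licenses/lgpl-2.1.html"
REORDERED = RULES[1:] + RULES[:1]  # rules 100-102 moved above rule 94
if __name__ == "__main__":
    print(normalize(RULES, NAME, URL), normalize(REORDERED, NAME, URL))
    print(order_conflicts(RULES, NAME, URL), only_before_or_later(REORDERED))
```

`order_conflicts` reports the ambiguity for this component in either rule order, which makes it usable as a regression check over a list of known components whenever the rule sheet is edited.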