Reject deprecated SPDX licenses, but be lenient with committed LICENSE files

app/fixtures/licenses/ambiguous-gfdl/package.json

@@ -0,0 +1,5 @@
+{
+  "name": "ambiguous-gfdl-fixture",
+  "version": "1.0.0",
+  "license": "GFDL-1.3"
+}

app/fixtures/licenses/deprecated-agpl/package.json

@@ -0,0 +1,5 @@
+{
+  "name": "deprecated-agpl-fixture",
+  "version": "1.0.0",
+  "license": "AGPL-3.0"
+}

app/src/App/API.purs

@@ -1308,24 +1308,28 @@ instance FsEncodable PursGraphCache where
       Exists.mkExists $ Cache.AsJson cacheKey codec next
 
 -- | Errors that can occur when validating license consistency
-data LicenseValidationError = LicenseMismatch
-  { manifestLicense :: License
-  , detectedLicenses :: Array License
-  }
+data LicenseValidationError
+  = LicenseMismatch { manifest :: License, detected :: Array License }
+  | LicenseParseError (Array { detected :: String, error :: String })
 
 derive instance Eq LicenseValidationError
 
 printLicenseValidationError :: LicenseValidationError -> String
 printLicenseValidationError = case _ of
-  LicenseMismatch { manifestLicense, detectedLicenses } -> Array.fold
+  LicenseMismatch licenses -> Array.fold
     [ "License mismatch: The manifest specifies license '"
-    , License.print manifestLicense
+    , License.print licenses.manifest
     , "' but the following license(s) were detected in your repository: "
-    , String.joinWith ", " (map License.print detectedLicenses)
+    , String.joinWith ", " (map License.print licenses.detected)
     , ". Please ensure your manifest license accurately represents all licenses "
     , "in your repository. If multiple licenses apply, join them using SPDX "
     , "conjunctions (e.g., 'MIT AND Apache-2.0' or 'MIT OR Apache-2.0')."
     ]
+  LicenseParseError failures -> Array.fold
+    [ "License validation failed: one or more detected SPDX license expressions "
+    , "could not be canonicalized.\n"
+    , String.joinWith "\n" (failures <#> \{ detected, error } -> "  - " <> detected <> " (" <> error <> ")")
+    ]
 
 -- | Validate that the license in the manifest is consistent with licenses
 -- | detected in the repository (LICENSE file, package.json, bower.json).
@@ -1344,44 +1348,55 @@ validateLicense packageDir manifestLicense = do
       pure Nothing
     Right detectedStrings -> do
       let
+        parseDetectedLicense :: String -> Either String License
+        parseDetectedLicense detectedLicense = do
+          canonicalized <- License.canonicalizeDetected detectedLicense
+          License.parse canonicalized
+
+        parsedDetectedLicenses :: Array (Tuple String (Either String License))
+        parsedDetectedLicenses =
+          detectedStrings <#> \detectedLicense ->
+            Tuple detectedLicense (parseDetectedLicense detectedLicense)
+
+        parseFailures :: Array { detected :: String, error :: String }
+        parseFailures =
+          parsedDetectedLicenses # Array.mapMaybe \(Tuple detectedLicense parsed) -> case parsed of
+            Left error -> Just { detected: detectedLicense, error }
+            Right _ -> Nothing
+
         parsedLicenses :: Array License
-        parsedLicenses = Array.mapMaybe (hush <<< License.parse) detectedStrings
+        parsedLicenses = parsedDetectedLicenses # Array.mapMaybe \(Tuple _ parsed) -> hush parsed
 
       Log.debug $ "Detected licenses: " <> String.joinWith ", " detectedStrings
 
-      if Array.null parsedLicenses then do
+      if not (Array.null parseFailures) then do
+        Log.warn "Some detected licenses could not be canonicalized."
+        pure $ Just $ LicenseParseError parseFailures
+      else if Array.null parsedLicenses then do
         Log.debug "No licenses detected from repository files, nothing to validate."
         pure Nothing
-      else case License.extractIds manifestLicense of
-        Left err -> do
-          -- This shouldn't be possible (we have already validated the license)
-          -- as part of constructing the manifest
-          Log.warn $ "Could not extract license IDs from manifest: " <> err
+      else do
+        let
+          manifestIds = License.extractIds manifestLicense
+          manifestIdSet = Set.fromFoldable manifestIds
+
+          -- A detected license is covered if all its IDs are in the manifest IDs
+          isCovered :: License -> Boolean
+          isCovered license =
+            License.extractIds license # Array.all \id ->
+              Set.member id manifestIdSet
+
+          uncoveredLicenses :: Array License
+          uncoveredLicenses = Array.filter (not <<< isCovered) parsedLicenses
+
+        if Array.null uncoveredLicenses then do
+          Log.debug "All detected licenses are covered by the manifest license."
           pure Nothing
-        Right manifestIds -> do
-          let
-            manifestIdSet = Set.fromFoldable manifestIds
-
-            -- A detected license is covered if all its IDs are in the manifest IDs
-            isCovered :: License -> Boolean
-            isCovered license = case License.extractIds license of
-              Left _ -> false
-              Right ids -> Array.all (\id -> Set.member id manifestIdSet) ids
-
-            uncoveredLicenses :: Array License
-            uncoveredLicenses = Array.filter (not <<< isCovered) parsedLicenses
-
-          if Array.null uncoveredLicenses then do
-            Log.debug "All detected licenses are covered by the manifest license."
-            pure Nothing
-          else do
-            Log.warn $ Array.fold
-              [ "License mismatch detected: manifest has '"
-              , License.print manifestLicense
-              , "' but detected "
-              , String.joinWith ", " (map License.print parsedLicenses)
-              ]
-            pure $ Just $ LicenseMismatch
-              { manifestLicense
-              , detectedLicenses: uncoveredLicenses
-              }
+        else do
+          Log.warn $ Array.fold
+            [ "License mismatch detected: manifest has '"
+            , License.print manifestLicense
+            , "' but detected "
+            , String.joinWith ", " (map License.print parsedLicenses)
+            ]
+          pure $ Just $ LicenseMismatch { manifest: manifestLicense, detected: uncoveredLicenses }

app/src/App/Legacy/Manifest.purs

@@ -15,6 +15,7 @@ import Registry.App.Prelude
 
 import Codec.JSON.DecodeError as CJ.DecodeError
 import Data.Array as Array
+import Data.Array.NonEmpty as NonEmptyArray
 import Data.Codec as Codec
 import Data.Codec.JSON as CJ
 import Data.Codec.JSON.Common as CJ.Common
@@ -74,9 +75,18 @@ bowerfileToPursJson
   :: Bowerfile
   -> Either String { license :: License, description :: Maybe String, dependencies :: Map PackageName Range }
 bowerfileToPursJson (Bowerfile { description, dependencies, license }) = do
-  parsedLicense <- case Array.mapMaybe (hush <<< License.parse) license of
-    [] -> Left "No valid SPDX license found in bower.json"
-    multiple -> Right $ License.joinWith License.And multiple
+  let
+    parsedLicenses = license <#> \rawLicense ->
+      lmap (\err -> "  - " <> rawLicense <> ": " <> err) $ License.parse rawLicense
+    { fail: parseErrors, success: validLicenses } = partitionEithers parsedLicenses
+
+  parsedLicense <-
+    if not (Array.null parseErrors) then do
+      Left $ "Invalid SPDX license(s) in bower.json:\n" <> String.joinWith "\n" parseErrors
+    else do
+      case NonEmptyArray.fromArray validLicenses of
+        Nothing -> Left "No valid SPDX license found in bower.json"
+        Just multiple -> Right $ License.joinWith License.And multiple
 
   parsedDeps <- parseDependencies dependencies
 

app/test/App/API.purs

@@ -361,7 +361,10 @@ copySourceFiles = Spec.hoistSpec identity (\_ -> Assert.Run.runBaseEffects) $ Sp
 
 licenseValidation :: Spec.Spec Unit
 licenseValidation = do
-  let fixtures = Path.concat [ "app", "fixtures", "licenses", "halogen-hooks" ]
+  let
+    fixtures = Path.concat [ "app", "fixtures", "licenses", "halogen-hooks" ]
+    deprecatedFixture = Path.concat [ "app", "fixtures", "licenses", "deprecated-agpl" ]
+    ambiguousFixture = Path.concat [ "app", "fixtures", "licenses", "ambiguous-gfdl" ]
 
   Spec.describe "validateLicense" do
     Spec.it "Passes when manifest license covers all detected licenses" do
@@ -375,9 +378,9 @@ licenseValidation = do
       let manifestLicense = unsafeLicense "MIT"
       result <- Assert.Run.runBaseEffects $ validateLicense fixtures manifestLicense
       case result of
-        Just (LicenseMismatch { detectedLicenses }) ->
+        Just (LicenseMismatch { detected }) ->
           -- Should detect that Apache-2.0 is not covered
-          Assert.shouldContain (map License.print detectedLicenses) "Apache-2.0"
+          Assert.shouldContain (map License.print detected) "Apache-2.0"
         _ ->
           Assert.fail "Expected LicenseMismatch error"
 
@@ -386,11 +389,11 @@ licenseValidation = do
       let manifestLicense = unsafeLicense "BSD-3-Clause"
       result <- Assert.Run.runBaseEffects $ validateLicense fixtures manifestLicense
       case result of
-        Just (LicenseMismatch { manifestLicense: ml, detectedLicenses }) -> do
+        Just (LicenseMismatch { manifest: ml, detected }) -> do
           Assert.shouldEqual "BSD-3-Clause" (License.print ml)
           -- Both MIT and Apache-2.0 should be in the detected licenses
-          Assert.shouldContain (map License.print detectedLicenses) "MIT"
-          Assert.shouldContain (map License.print detectedLicenses) "Apache-2.0"
+          Assert.shouldContain (map License.print detected) "MIT"
+          Assert.shouldContain (map License.print detected) "Apache-2.0"
         _ ->
           Assert.fail "Expected LicenseMismatch error"
 
@@ -400,5 +403,19 @@ licenseValidation = do
       result <- Assert.Run.runBaseEffects $ validateLicense fixtures manifestLicense
       Assert.shouldEqual Nothing result
 
+    Spec.it "Canonicalizes deterministic deprecated detected licenses" do
+      let manifestLicense = unsafeLicense "AGPL-3.0-only"
+      result <- Assert.Run.runBaseEffects $ validateLicense deprecatedFixture manifestLicense
+      Assert.shouldEqual Nothing result
+
+    Spec.it "Fails when detected licenses have ambiguous deprecated identifiers" do
+      let manifestLicense = unsafeLicense "GFDL-1.3-only"
+      result <- Assert.Run.runBaseEffects $ validateLicense ambiguousFixture manifestLicense
+      case result of
+        Just (LicenseParseError failures) ->
+          Assert.shouldContain (map _.detected failures) "GFDL-1.3"
+        _ ->
+          Assert.fail "Expected UncanonicalizableDetectedLicenses error"
+
 unsafeLicense :: String -> License
 unsafeLicense str = unsafeFromRight $ License.parse str

lib/src/License.js

@@ -1,41 +1,40 @@
 import parse from "spdx-expression-parse";
+import currentIds from "spdx-license-ids/index.json" with { type: "json" };
+import deprecatedIds from "spdx-license-ids/deprecated.json" with { type: "json" };
 
-export const parseSPDXLicenseIdImpl = (onError, onSuccess, identifier) => {
-  try {
-    parse(identifier);
-    return onSuccess(identifier);
-  } catch (_) {
-    return onError(`Invalid SPDX identifier ${identifier}`);
+export { currentIds, deprecatedIds };
+
+const toTree = (onError, node, onLeaf, onAnd, onOr) => {
+  if (node.license != null) {
+    const plus = node.plus === true;
+    const exception = node.exception ?? "";
+    return onLeaf(node.license)(plus)(exception);
   }
-};
 
-// Extract all license IDs from a parsed SPDX expression AST.
-// The AST structure from spdx-expression-parse is:
-// - Simple: { license: 'MIT' }
-// - With exception: { license: 'GPL-2.0', exception: 'Classpath-exception-2.0' }
-// - Compound: { left: {...}, conjunction: 'and'|'or', right: {...} }
-const extractLicenseIds = (ast) => {
-  const ids = new Set();
-
-  const walk = (node) => {
-    if (!node) return;
-    if (node.license) {
-      // Normalize to uppercase for case-insensitive comparison
-      ids.add(node.license.toUpperCase());
+  if (node.left != null && node.right != null) {
+    const left = toTree(onError, node.left, onLeaf, onAnd, onOr);
+    const right = toTree(onError, node.right, onLeaf, onAnd, onOr);
+
+    if (node.conjunction === "and") {
+      return onAnd(left)(right);
     }
-    if (node.left) walk(node.left);
-    if (node.right) walk(node.right);
-  };
 
-  walk(ast);
-  return Array.from(ids);
+    if (node.conjunction === "or") {
+      return onOr(left)(right);
+    }
+
+    return onError(`Unsupported SPDX conjunction '${String(node.conjunction)}'`);
+  }
+
+  return onError("Unsupported SPDX AST node");
 };
 
-export const extractLicenseIdsImpl = (onError, onSuccess, expression) => {
+export const parseLicenseTreeImpl = (onError, onLeaf, onAnd, onOr, expression) => {
   try {
     const ast = parse(expression);
-    return onSuccess(extractLicenseIds(ast));
-  } catch (_) {
-    return onError(`Invalid SPDX expression: ${expression}`);
+    return toTree(onError, ast, onLeaf, onAnd, onOr);
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    return onError(`Invalid SPDX expression '${expression}': ${message}`);
   }
 };