feat(model)!: Stop silently ignoring invalid declared license mappings

Previously, `PackageCuration.apply()` silently ignored declared license mapping entries with invalid SPDX expressions. For example, if one accidentally omits the `LicenseRef-` prefix, the mapping is just silently ignored. Add a check that all values in the `Map` are valid SPDX expression into the constructor, to fail as early as possible. When used via a `FilePackageCurationProvider`, ORT now fails with the error message pointing to the problematic curation file path. Fixes: #7828. Signed-off-by: Frank Viernau <frank_viernau@epam.com>
oss-review-toolkit · Jun 17, 2024 · 9e6bf29 · 9e6bf29
1 parent 9b0a825
commit 9e6bf29
Showing 1 changed file with 9 additions and 0 deletions.
diff --git a/model/src/main/kotlin/PackageCurationData.kt b/model/src/main/kotlin/PackageCurationData.kt
@@ -24,6 +24,7 @@ import com.fasterxml.jackson.annotation.JsonInclude
 import org.ossreviewtoolkit.utils.common.zip
 import org.ossreviewtoolkit.utils.ort.DeclaredLicenseProcessor
 import org.ossreviewtoolkit.utils.spdx.SpdxExpression
+import org.ossreviewtoolkit.utils.spdx.SpdxExpression.Strictness.ALLOW_LICENSEREF_EXCEPTIONS
 
 /**
  * This class contains curation data for a package. It is used to amend the automatically detected metadata for a
@@ -108,6 +109,14 @@ data class PackageCurationData(
     @JsonInclude(JsonInclude.Include.NON_NULL)
     val sourceCodeOrigins: List<SourceCodeOrigin>? = null
 ) {
+    init {
+        declaredLicenseMapping.forEach { (key, value) ->
+            require(value.isValid(ALLOW_LICENSEREF_EXCEPTIONS)) {
+                "The declared license '$key' is configured to map to '$value' which is not a valid SPDX expression."
+            }
+        }
+    }
+
     /**
      * Apply this [PackageCuration] to [targetPackage] by overriding all values of [targetPackage] with non-null values
      * of this [PackageCurationData], and return the resulting [CuratedPackage].