Description
ORT detects multiple instances of GPL in the Gpgme dependency, but no rule violation is raised in the scan report.
For context, our rules.kts contains the following:
```kotlin
fun RuleSet.strongCopyleftInDependencyRule() = dependencyRule("STRONG_COPYLEFT_IN_DEPENDENCY") {
    licenseRule("STRONG_COPYLEFT_IN_DEPENDENCY", LicenseView.CONCLUDED_OR_DECLARED_OR_DETECTED) {
        require {
            +isStrongCopyleftLicense() // includes GPL
            -isExcluded()
        }
        ...
```
According to the documentation, CONCLUDED_OR_DECLARED_OR_DETECTED ignores detected licenses if a license is concluded or declared.
Because the SPDX attribute licenseConcluded is mandatory, the docs suggest using NOASSERTION to represent a non-present value.
I would expect the license rule to interpret NOASSERTION as “no license is concluded or declared”, evaluate the detected licenses and raise rule violations, but this is not the case. In fact, I see in the ‘Licenses’ section of the gpgme entry in the scan report “Declared (SPDX) NOASSERTION”.
ORT behaves as expected when replacing NOASSERTION with NONE: rule violations are raised and the scan report shows “Declared NONE” and no “Declared (SPDX)”.
The SPDX file:
```yaml
SPDXID: SPDXRef-DOCUMENT
spdxVersion: SPDX-2.2
dataLicense: CC0-1.0
name: test
documentNamespace: test
creationInfo:
  created: 2025-02-24T00:00:00Z
  creators:
    - "Organization: HERE"
documentDescribes:
  - SPDXRef-package-here-test
packages:
  - SPDXID: SPDXRef-package-here-test
    name: here-test
    downloadLocation: https://gitlab.here.com/test.git
    licenseConcluded: NOASSERTION
    licenseDeclared: NOASSERTION
    copyrightText: Copyright (C) 2025 HERE Global B.V. and its affiliate(s).
  - SPDXID: SPDXRef-Package-Gpgme
    name: gpgme
    versionInfo: 1.15.1
    downloadLocation: https://www.gnupg.org/ftp/gcrypt/gpgme/gpgme-1.15.1.tar.bz2
    licenseConcluded: NOASSERTION
    licenseDeclared: NOASSERTION
relationships:
  - spdxElementId: SPDXRef-Package-Gpgme
    relationshipType: DEPENDENCY_OF
    relatedSpdxElement: SPDXRef-package-here-posbe-backend-cloudio
```
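To make the expected fallback semantics concrete, the following is an added Python model of the CONCLUDED_OR_DECLARED_OR_DETECTED view as the report describes it. It is illustrative code written for this page, not ORT's implementation and not the reporter's code. The package records, the detected license ids and the prefix-based strong-copyleft classifier are constructed sample values; ORT's own isStrongCopyleftLicense() is backed by its license classification configuration, not by a prefix match. The `noassertion_is_absent` flag switches between the behaviour the report observes (NOASSERTION kept as a declared value, so the view never reaches the detected licenses) and the behaviour the report expects (NOASSERTION treated as no value, so detected GPL findings become visible to the rule).

```python
"""Model of a concluded -> declared -> detected license view with two possible
treatments of the SPDX NOASSERTION sentinel. Added example; not ORT code."""
from dataclasses import dataclass, field

# SPDX: NOASSERTION means the creator makes no statement about the license.
NOASSERTION = "NOASSERTION"


@dataclass
class PackageLicenses:
    """Constructed stand-in for the license information known for one package."""
    spdx_id: str
    concluded: str                                       # SPDX licenseConcluded
    declared: str                                        # SPDX licenseDeclared
    detected: frozenset = field(default_factory=frozenset)  # scanner findings


def asserted(value: str, noassertion_is_absent: bool) -> bool:
    """Return True if the SPDX field is considered to carry a license value."""
    if noassertion_is_absent and value == NOASSERTION:
        return False
    return True


def concluded_or_declared_or_detected(pkg: PackageLicenses,
                                      noassertion_is_absent: bool) -> frozenset:
    """Documented fallback order: concluded, else declared, else detected.
    With noassertion_is_absent=False, NOASSERTION is returned as the
    'declared' license and the detected licenses are never consulted."""
    if asserted(pkg.concluded, noassertion_is_absent):
        return frozenset({pkg.concluded})
    if asserted(pkg.declared, noassertion_is_absent):
        return frozenset({pkg.declared})
    return pkg.detected


# Simplified classifier for the example only (hypothetical prefix list).
STRONG_COPYLEFT_PREFIXES = ("GPL-", "AGPL-")


def is_strong_copyleft(spdx_id: str) -> bool:
    return spdx_id.startswith(STRONG_COPYLEFT_PREFIXES)


def strong_copyleft_violations(pkgs, noassertion_is_absent: bool) -> dict:
    """Return {package id: [offending license ids]} for every package whose
    effective licenses, under the chosen NOASSERTION handling, include a
    strong copyleft license. Mirrors the shape of the reported rule."""
    violations = {}
    for pkg in pkgs:
        effective = concluded_or_declared_or_detected(pkg, noassertion_is_absent)
        offending = sorted(lic for lic in effective if is_strong_copyleft(lic))
        if offending:
            violations[pkg.spdx_id] = offending
    return violations


# Constructed sample shaped like the reported SPDX file: both packages carry
# NOASSERTION and the scanner found GPL in the gpgme dependency. The specific
# detected ids are illustrative, not taken from a real scan of gpgme.
SAMPLE_PACKAGES = [
    PackageLicenses("SPDXRef-package-here-test", NOASSERTION, NOASSERTION),
    PackageLicenses("SPDXRef-Package-Gpgme", NOASSERTION, NOASSERTION,
                    frozenset({"GPL-3.0-or-later", "LGPL-2.1-or-later"})),
]

if __name__ == "__main__":
    # Observed: NOASSERTION shadows the detected licenses, no violation.
    print("NOASSERTION as value :", strong_copyleft_violations(SAMPLE_PACKAGES, False))
    # Expected: NOASSERTION is absent, detected GPL raises a violation.
    print("NOASSERTION as absent:", strong_copyleft_violations(SAMPLE_PACKAGES, True))
```

Running the block prints an empty violation map for the first case and a violation for SPDXRef-Package-Gpgme in the second, which is the difference in behaviour the report describes between its NOASSERTION and NONE runs.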