Problem
Projects with valid licenses that include SPDX WITH exception clauses (e.g., Apache-2.0 WITH LLVM-exception) are incorrectly failing the OSPS-LE-02.01 evaluation. The license expression is not being parsed correctly — the WITH <exception> suffix is treated as part of the license ID, causing it to fail validation against the SPDX license list.
Additionally, NOASSERTION — a valid SPDX keyword — is being flagged as an invalid license instead of being skipped.
Example
The https://github.com/kokkos/kokkos?tab=License-1-ov-file has a valid Apache-2.0 license but is reported as failing OSPS-LE-02.01:
Expected Behavior
- Licenses with WITH exception clauses should be recognized by their base license ID (e.g., Apache-2.0 WITH LLVM-exception → Apache-2.0).
- NOASSERTION should be treated as a valid value and not flagged as an unrecognized license.
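
The expected behavior above, sketched as an added example (not the project's own code): a small SPDX expression walker that drops each `WITH <exception>` operand before validating the base license ID and skips `NOASSERTION`. It goes slightly beyond the single case in the report by also handling `AND`, `OR` and parentheses; `KNOWN_LICENSES`, `base_license_ids` and `evaluate` are hypothetical names, and the license set is a constructed subset of the SPDX list.

```python
import re

# Constructed subset standing in for the SPDX license list (assumption: a real
# check would load the full published list instead).
KNOWN_LICENSES = {"Apache-2.0", "MIT", "BSD-3-Clause", "GPL-2.0-only"}
SKIP_KEYWORDS = {"NOASSERTION"}  # valid SPDX keyword, nothing to validate
STRUCTURAL = {"AND", "OR", "WITH", "(", ")"}


def base_license_ids(expression):
    """Return the license IDs in an SPDX expression, without WITH operands."""
    tokens = re.findall(r"[()]|[^\s()]+", expression)
    ids, i, prev_is_id = [], 0, False
    while i < len(tokens):
        tok = tokens[i]
        if tok == "WITH":
            # WITH must sit between a license ID and an exception ID.
            nxt = tokens[i + 1] if i + 1 < len(tokens) else None
            if not prev_is_id or nxt is None or nxt in STRUCTURAL:
                raise ValueError(f"malformed WITH clause in {expression!r}")
            # Skip the operator and its exception operand. The exception ID
            # itself is not validated here; only the base license is.
            i += 2
            prev_is_id = False
            continue
        prev_is_id = tok not in STRUCTURAL
        if prev_is_id:
            ids.append(tok)
        i += 1
    return ids


def evaluate(expression):
    """Return (passed, unrecognized_ids) for one declared license expression."""
    ids = [t for t in base_license_ids(expression) if t not in SKIP_KEYWORDS]
    unknown = [t for t in ids if t not in KNOWN_LICENSES]
    return (not unknown, unknown)


if __name__ == "__main__":
    for expr in ("Apache-2.0 WITH LLVM-exception", "NOASSERTION",
                 "(MIT OR Apache-2.0 WITH LLVM-exception) AND Not-A-License"):
        print(expr, "->", evaluate(expr))
```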