feat: support package+license specific exclusions

__tests__/licenses.test.ts

@@ -244,7 +244,10 @@ test('it does not filter out changes that are on the exclusions list', async ()
   const changes: Changes = [pipChange, npmChange, rubyChange]
   const licensesConfig = {
     allow: ['BSD-3-Clause'],
-    licenseExclusions: ['pkg:pypi/package-1@1.1.1', 'pkg:npm/reeuhq@1.0.2']
+    allowedDependenciesLicenses: [
+      'pkg:pypi/package-1@1.1.1',
+      'pkg:npm/reeuhq@1.0.2'
+    ]
   }
   const invalidLicenses = await getInvalidLicenseChanges(
     changes,
@@ -254,13 +257,16 @@ test('it does not filter out changes that are on the exclusions list', async ()
 })
 
 test('it does not fail when the packages dont have a valid PURL', async () => {
-  const emptyPurlChange = pipChange
+  const emptyPurlChange = {...pipChange}
   emptyPurlChange.package_url = ''
 
   const changes: Changes = [emptyPurlChange, npmChange, rubyChange]
   const licensesConfig = {
     allow: ['BSD-3-Clause'],
-    licenseExclusions: ['pkg:pypi/package-1@1.1.1', 'pkg:npm/reeuhq@1.0.2']
+    allowedDependenciesLicenses: [
+      'pkg:pypi/package-1@1.1.1',
+      'pkg:npm/reeuhq@1.0.2'
+    ]
   }
 
   const invalidLicenses = await getInvalidLicenseChanges(
@@ -274,7 +280,7 @@ test('it does filters out changes if they are not on the exclusions list', async
   const changes: Changes = [pipChange, npmChange, rubyChange]
   const licensesConfig = {
     allow: ['BSD-3-Clause'],
-    licenseExclusions: [
+    allowedDependenciesLicenses: [
       'pkg:pypi/notmypackage-1@1.1.1',
       'pkg:npm/alsonot@1.0.2'
     ]
@@ -290,6 +296,40 @@ test('it does filters out changes if they are not on the exclusions list', async
   expect(invalidLicenses.forbidden[1]).toBe(npmChange)
 })
 
+test('it does filter out changes that are on the exclusions list with license qualifier', async () => {
+  const changes: Changes = [pipChange, npmChange, rubyChange]
+  const licensesConfig = {
+    allow: ['BSD-3-Clause'],
+    // Will filter out pipChange as license matches
+    allowedDependenciesLicenses: [
+      'pkg:pypi/package-1@1.1.1?license=MIT',
+      'pkg:npm/reeuhq@1.0.2?license=MIT'
+    ]
+  }
+  const invalidLicenses = await getInvalidLicenseChanges(
+    changes,
+    licensesConfig
+  )
+  expect(invalidLicenses.forbidden.length).toEqual(0)
+})
+
+test('it does not filter out changes that are on the exclusions list with license qualifier', async () => {
+  const changes: Changes = [pipChange, npmChange, rubyChange]
+  const licensesConfig = {
+    allow: ['BSD-3-Clause'],
+    // Will not filter out pipChange as license does not match
+    allowedDependenciesLicenses: [
+      'pkg:pypi/package-1@1.1.1?license=Apache-2.0',
+      'pkg:npm/reeuhq@1.0.2'
+    ]
+  }
+  const invalidLicenses = await getInvalidLicenseChanges(
+    changes,
+    licensesConfig
+  )
+  expect(invalidLicenses.forbidden).toEqual([pipChange])
+})
+
 test('it does not fail if there is a license expression in the allow list', async () => {
   const changes: Changes = [
     {...npmChange, license: 'MIT AND Apache-2.0'},
@@ -342,24 +382,24 @@ describe('GH License API fallback', () => {
   })
 
   test('it does not call licenses API if the package is excluded', async () => {
-    const {unlicensed} = await getInvalidLicenseChanges([unlicensedChange], {
-      licenseExclusions: [
+    const result = await getInvalidLicenseChanges([unlicensedChange], {
+      allowedDependenciesLicenses: [
         'pkg:githubactions/foo-org/actions-repo/.github/workflows/some-action.yml'
       ]
     })
 
     expect(mockOctokit.rest.licenses.getForRepo).not.toHaveBeenCalled()
-    expect(unlicensed.length).toEqual(0)
+    expect(result.unlicensed.length).toEqual(0)
   })
 
   test('it checks namespaces when doing exclusions', async () => {
-    const {unlicensed} = await getInvalidLicenseChanges([unlicensedChange], {
-      licenseExclusions: [
+    const result = await getInvalidLicenseChanges([unlicensedChange], {
+      allowedDependenciesLicenses: [
         'pkg:githubactions/bar-org/actions-repo/.github/workflows/some-action.yml'
       ]
     })
 
     expect(mockOctokit.rest.licenses.getForRepo).not.toHaveBeenCalled()
-    expect(unlicensed.length).toEqual(1)
+    expect(result.unlicensed.length).toEqual(1)
   })
 })

__tests__/purl.test.ts

@@ -34,13 +34,14 @@ test('parsePURL returns a PURL with the correct values in the happy case', () =>
 test('parsePURL table test', () => {
   const examples = [
     {
-      purl: 'pkg:npm/@n4m3SPACE/Name@^1.2.3',
+      purl: 'pkg:npm/@n4m3SPACE/Name@^1.2.3?license=MIT&foo=bar',
       expected: {
         type: 'npm',
         namespace: '@n4m3SPACE',
         name: 'Name',
         version: '^1.2.3',
-        original: 'pkg:npm/@n4m3SPACE/Name@^1.2.3',
+        license: 'MIT',
+        original: 'pkg:npm/@n4m3SPACE/Name@^1.2.3?license=MIT&foo=bar',
         error: null
       }
     },
@@ -52,6 +53,7 @@ test('parsePURL table test', () => {
         namespace: 'gopkg.in',
         name: 'DataDog/dd-trace-go.v1',
         version: '1.63.1',
+        license: null,
         original: 'pkg:golang/gopkg.in/DataDog/dd-trace-go.v1@1.63.1',
         error: null
       }
@@ -64,6 +66,7 @@ test('parsePURL table test', () => {
         namespace: 'github.com',
         name: 'pelletier/go-toml/v2',
         version: null,
+        license: null,
         original: 'pkg:golang/github.com/pelletier/go-toml/v2',
         error: null
       }
@@ -75,6 +78,7 @@ test('parsePURL table test', () => {
         namespace: '@ns foo',
         name: 'n@me',
         version: '1./2.3',
+        license: null,
         original: 'pkg:npm/%40ns%20foo/n%40me@1.%2f2.3',
         error: null
       }
@@ -86,6 +90,7 @@ test('parsePURL table test', () => {
         namespace: null,
         name: 'name',
         version: 'version',
+        license: null,
         original: 'pkg:ecosystem/name@version',
         error: null
       }
@@ -97,6 +102,7 @@ test('parsePURL table test', () => {
         namespace: 'namespace',
         name: null,
         version: null,
+        license: null,
         original: 'pkg:npm/namespace/',
         error: null
       }
@@ -108,6 +114,7 @@ test('parsePURL table test', () => {
         namespace: null,
         name: 'name',
         version: null,
+        license: null,
         original: 'pkg:ecosystem/name',
         error: null
       }
@@ -119,6 +126,7 @@ test('parsePURL table test', () => {
         namespace: null,
         name: null,
         version: null,
+        license: null,
         original: 'pkg:/?',
         error: 'package-url must contain a type'
       }
@@ -130,6 +138,7 @@ test('parsePURL table test', () => {
         namespace: null,
         name: null,
         version: null,
+        license: null,
         original: 'pkg:ecosystem/#',
         error: 'package-url must contain a namespace or name'
       }
@@ -141,6 +150,7 @@ test('parsePURL table test', () => {
         namespace: null,
         name: 'name',
         version: 'version',
+        license: null,
         original: 'pkg:ecosystem/name@version#subpath?attributes=123',
         error: null
       }
@@ -152,6 +162,7 @@ test('parsePURL table test', () => {
         namespace: null,
         name: 'name',
         version: 'version',
+        license: null,
         original: 'pkg:ecosystem/name@version#subpath',
         error: null
       }
@@ -163,6 +174,7 @@ test('parsePURL table test', () => {
         namespace: 'namespace',
         name: 'name',
         version: 'version',
+        license: null,
         original: 'pkg:ecosystem/namespace/name@version?attributes',
         error: null
       }
@@ -174,9 +186,22 @@ test('parsePURL table test', () => {
         namespace: null,
         name: 'name',
         version: null,
+        license: null,
         original: 'pkg:ecosystem/name#subpath?attributes',
         error: null
       }
+    },
+    {
+      purl: 'pkg:ecosystem/name#subpath?license=MIT&foo=bar',
+      expected: {
+        type: 'ecosystem',
+        namespace: null,
+        name: 'name',
+        version: null,
+        license: 'MIT',
+        original: 'pkg:ecosystem/name#subpath?license=MIT&foo=bar',
+        error: null
+      }
     }
   ]
   for (const example of examples) {