From c12804d6b53a9d81c255f1fd37efabf102c261c9 Mon Sep 17 00:00:00 2001 From: Frank Viernau Date: Fri, 24 May 2024 11:33:53 +0200 Subject: [PATCH] feat(model)!: Stop silently ignoring invalid declared license mappings Previously, `PackageCuration.apply()` silently ignored declared license mapping entries with invalid SPDX expressions. For example, if one accidentally omits the `LicenseRef-` prefix, the mapping is just silently ignored. Add a check that all values in the `Map` are valid SPDX expression into the constructor, to fail as early as possible. When used via a `FilePackageCurationProvider`, ORT now fails with the error message pointing to the problematic curation file path. Fixes: #7828. Signed-off-by: Frank Viernau
---
 model/src/main/kotlin/PackageCurationData.kt | 10 ++++++++++ 1 file changed, 10 insertions(+)
diff --git a/model/src/main/kotlin/PackageCurationData.kt b/model/src/main/kotlin/PackageCurationData.kt
index 9132f1c72d761..ea2524c64f614 100644
--- a/model/src/main/kotlin/PackageCurationData.kt
+++ b/model/src/main/kotlin/PackageCurationData.kt
@@ -24,6 +24,8 @@ import com.fasterxml.jackson.annotation.JsonInclude
 import org.ossreviewtoolkit.utils.common.zip
 import org.ossreviewtoolkit.utils.ort.DeclaredLicenseProcessor
 import org.ossreviewtoolkit.utils.spdx.SpdxExpression
+import org.ossreviewtoolkit.utils.spdx.SpdxExpression.Strictness.ALLOW_DEPRECATED
+import org.ossreviewtoolkit.utils.spdx.SpdxExpression.Strictness.ALLOW_LICENSEREF_EXCEPTIONS
 
 /**
 * This class contains curation data for a package. It is used to amend the automatically detected metadata for a
@@ -108,6 +110,14 @@ data class PackageCurationData(
 @JsonInclude(JsonInclude.Include.NON_NULL)
 val sourceCodeOrigins: List? = null
 ) {
+ init {
+ declaredLicenseMapping.values.forEach { spdxExpression ->
+ require(listOf(ALLOW_DEPRECATED, ALLOW_LICENSEREF_EXCEPTIONS).any { spdxExpression.isValid(it) }) {
+ "The value '$spdxExpression' within the declared license mapping is not a valid SPDX expression."
+ }
+ }
+ }
+
 /**
 * Apply this [PackageCuration] to [targetPackage] by overriding all values of [targetPackage] with non-null values
 * of this [PackageCurationData], and return the resulting [CuratedPackage].
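Review bot: The `require` inside `forEach` in the new `init` block aborts on the first invalid value and names only the SPDX expression, not the declared license it is mapped from, so a curation file with several broken entries has to be fixed one failure at a time and the reporter still has to search the map for the offending key. I would collect every invalid entry first and report all of them with their keys in a single `IllegalArgumentException`, which also lets the `listOf(ALLOW_DEPRECATED, ALLOW_LICENSEREF_EXCEPTIONS)` allocation be hoisted out of the loop. Since neither strictness level appears to subsume the other (otherwise the `any` would be redundant), a one-line comment such as `// An expression is accepted if it is valid under either strictness level.` would help the next reader understand why two levels are tried rather than one. The enclosing `data class PackageCurationData(` constructor begins outside the hunk.
```kotlin
init {
    val acceptedStrictnessLevels = listOf(ALLOW_DEPRECATED, ALLOW_LICENSEREF_EXCEPTIONS)
    // An expression is accepted if it is valid under either strictness level.
    val invalidEntries = declaredLicenseMapping.filterValues { expression ->
        acceptedStrictnessLevels.none { expression.isValid(it) }
    }

    require(invalidEntries.isEmpty()) {
        val listing = invalidEntries.entries.joinToString { (license, expression) -> "'$license' -> '$expression'" }
        "The following declared license mapping entries do not have a valid SPDX expression as value: $listing"
    }
}
```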