syncable_cli/analyzer/hadolint/rules/
dl3052.rs

1//! DL3052: Label `org.opencontainers.image.licenses` is not a valid SPDX expression
2//!
3//! The licenses label should contain a valid SPDX license identifier.
4
5use crate::analyzer::hadolint::parser::instruction::Instruction;
6use crate::analyzer::hadolint::rules::{SimpleRule, simple_rule};
7use crate::analyzer::hadolint::shell::ParsedShell;
8use crate::analyzer::hadolint::types::Severity;
9
10pub fn rule() -> SimpleRule<impl Fn(&Instruction, Option<&ParsedShell>) -> bool + Send + Sync> {
11    simple_rule(
12        "DL3052",
13        Severity::Warning,
14        "Label `org.opencontainers.image.licenses` is not a valid SPDX expression.",
15        |instr, _shell| match instr {
16            Instruction::Label(pairs) => {
17                for (key, value) in pairs {
18                    if key == "org.opencontainers.image.licenses"
19                        && (value.is_empty() || !is_valid_spdx(value))
20                    {
21                        return false;
22                    }
23                }
24                true
25            }
26            _ => true,
27        },
28    )
29}
30
31fn is_valid_spdx(license: &str) -> bool {
32    // Common SPDX license identifiers
33    let common_licenses = [
34        "MIT",
35        "Apache-2.0",
36        "GPL-2.0",
37        "GPL-2.0-only",
38        "GPL-2.0-or-later",
39        "GPL-3.0",
40        "GPL-3.0-only",
41        "GPL-3.0-or-later",
42        "BSD-2-Clause",
43        "BSD-3-Clause",
44        "ISC",
45        "MPL-2.0",
46        "LGPL-2.1",
47        "LGPL-2.1-only",
48        "LGPL-2.1-or-later",
49        "LGPL-3.0",
50        "LGPL-3.0-only",
51        "LGPL-3.0-or-later",
52        "AGPL-3.0",
53        "AGPL-3.0-only",
54        "AGPL-3.0-or-later",
55        "Unlicense",
56        "CC0-1.0",
57        "CC-BY-4.0",
58        "CC-BY-SA-4.0",
59        "WTFPL",
60        "Zlib",
61        "0BSD",
62        "EPL-1.0",
63        "EPL-2.0",
64        "EUPL-1.2",
65        "PostgreSQL",
66        "OFL-1.1",
67        "Artistic-2.0",
68        "BSL-1.0",
69        "CDDL-1.0",
70        "CDDL-1.1",
71        "CPL-1.0",
72    ];
73
74    // Check for common licenses (case-insensitive)
75    let license_upper = license.to_uppercase();
76
77    // Handle compound expressions (AND, OR, WITH)
78    let parts: Vec<&str> = license_upper
79        .split(['(', ')', ' '])
80        .filter(|s| !s.is_empty() && *s != "AND" && *s != "OR" && *s != "WITH")
81        .collect();
82
83    if parts.is_empty() {
84        return false;
85    }
86
87    parts
88        .iter()
89        .all(|part| common_licenses.iter().any(|l| l.to_uppercase() == *part))
90}
91
92#[cfg(test)]
93mod tests {
94    use super::*;
95    use crate::analyzer::hadolint::config::HadolintConfig;
96    use crate::analyzer::hadolint::lint::{LintResult, lint};
97
98    fn lint_dockerfile(content: &str) -> LintResult {
99        lint(content, &HadolintConfig::default())
100    }
101
102    #[test]
103    fn test_valid_spdx() {
104        let result =
105            lint_dockerfile("FROM ubuntu:20.04\nLABEL org.opencontainers.image.licenses=\"MIT\"");
106        assert!(!result.failures.iter().any(|f| f.code.as_str() == "DL3052"));
107    }
108
109    #[test]
110    fn test_valid_compound_spdx() {
111        let result = lint_dockerfile(
112            "FROM ubuntu:20.04\nLABEL org.opencontainers.image.licenses=\"MIT OR Apache-2.0\"",
113        );
114        assert!(!result.failures.iter().any(|f| f.code.as_str() == "DL3052"));
115    }
116
117    #[test]
118    fn test_invalid_spdx() {
119        let result = lint_dockerfile(
120            "FROM ubuntu:20.04\nLABEL org.opencontainers.image.licenses=\"NotALicense\"",
121        );
122        assert!(result.failures.iter().any(|f| f.code.as_str() == "DL3052"));
123    }
124}