Upgrade to SPDX License 3.0 and handle deprecations more gracefully, fixes #6951

composer.lock

@@ -126,23 +126,23 @@
         },
         {
             "name": "composer/spdx-licenses",
-            "version": "1.1.6",
+            "version": "1.2.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/composer/spdx-licenses.git",
-                "reference": "2603a0d7ddc00a015deb576fa5297ca43dee6b1c"
+                "reference": "2d899e9b33023c631854f36c39ef9f8317a7ab33"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/composer/spdx-licenses/zipball/2603a0d7ddc00a015deb576fa5297ca43dee6b1c",
-                "reference": "2603a0d7ddc00a015deb576fa5297ca43dee6b1c",
+                "url": "https://api.github.com/repos/composer/spdx-licenses/zipball/2d899e9b33023c631854f36c39ef9f8317a7ab33",
+                "reference": "2d899e9b33023c631854f36c39ef9f8317a7ab33",
                 "shasum": ""
             },
             "require": {
                 "php": "^5.3.2 || ^7.0"
             },
             "require-dev": {
-                "phpunit/phpunit": "^4.5 || ^5.0.5",
+                "phpunit/phpunit": "^4.8.35 || ^5.7 || ^6.5",
                 "phpunit/phpunit-mock-objects": "2.3.0 || ^3.0"
             },
             "type": "library",
@@ -183,7 +183,7 @@
                 "spdx",
                 "validator"
             ],
-            "time": "2017-04-03T19:08:52+00:00"
+            "time": "2018-01-03T16:37:06+00:00"
         },
         {
             "name": "justinrainbow/json-schema",

src/Composer/Package/Loader/ValidatingArrayLoader.php

@@ -17,6 +17,7 @@ use Composer\Package\BasePackage;
 use Composer\Semver\Constraint\Constraint;
 use Composer\Package\Version\VersionParser;
 use Composer\Repository\PlatformRepository;
+use Composer\Spdx\SpdxLicenses;
 
 /**
  * @author Jordi Boggiano <j.boggiano@seld.be>
@@ -97,6 +98,48 @@ class ValidatingArrayLoader implements LoaderInterface
             } else {
                 $this->validateFlatArray('license', '[A-Za-z0-9+. ()-]+');
             }
+
+            if (is_array($this->config['license']) || is_string($this->config['license'])) {
+                $licenses = (array) $this->config['license'];
+
+                // strip proprietary since it's not a valid SPDX identifier, but is accepted by composer
+                foreach ($licenses as $key => $license) {
+                    if ('proprietary' === $license) {
+                        unset($licenses[$key]);
+                    }
+                }
+
+                $licenseValidator = new SpdxLicenses();
+                if (count($licenses) === 1 && !$licenseValidator->validate($licenses) && $licenseValidator->validate(trim($licenses[0]))) {
+                    $this->warnings[] = sprintf(
+                        'License %s must not contain extra spaces, make sure to trim it.',
+                        json_encode($this->config['license'])
+                    );
+                } elseif (array() !== $licenses && !$licenseValidator->validate($licenses)) {
+                    $this->warnings[] = sprintf(
+                        'License %s is not a valid SPDX license identifier, see https://spdx.org/licenses/ if you use an open license.' . PHP_EOL .
+                        'If the software is closed-source, you may use "proprietary" as license.',
+                        json_encode($this->config['license'])
+                    );
+                } else {
+                    foreach ($licenses as $license) {
+                        $spdxLicense = $licenseValidator->getLicenseByIdentifier($license);
+                        if ($spdxLicense && $spdxLicense[3]) {
+                            if (preg_match('{^[AL]?GPL-[123](\.[01])?\+?$}i', $license)) {
+                                $this->warnings[] = sprintf(
+                                    'License "%s" is a deprecated SPDX license identifier, use "'.$license.'-only" or "'.$license.'-or-later" instead',
+                                    $license
+                                );
+                            } else {
+                                $this->warnings[] = sprintf(
+                                    'License "%s" is a deprecated SPDX license identifier, see https://spdx.org/licenses/',
+                                    $license
+                                );
+                            }
+                        }
+                    }
+                }
+            }
         }
 
         $this->validateString('time');

src/Composer/Util/ConfigValidator.php

@@ -18,7 +18,6 @@ use Composer\Package\Loader\InvalidPackageException;
 use Composer\Json\JsonValidationException;
 use Composer\IO\IOInterface;
 use Composer\Json\JsonFile;
-use Composer\Spdx\SpdxLicenses;
 
 /**
  * Validates a composer configuration.
@@ -73,31 +72,7 @@ class ConfigValidator
         }
 
         // validate actual data
-        if (!empty($manifest['license'])) {
-            // strip proprietary since it's not a valid SPDX identifier, but is accepted by composer
-            if (is_array($manifest['license'])) {
-                foreach ($manifest['license'] as $key => $license) {
-                    if ('proprietary' === $license) {
-                        unset($manifest['license'][$key]);
-                    }
-                }
-            }
-
-            $licenseValidator = new SpdxLicenses();
-            if ('proprietary' !== $manifest['license'] && array() !== $manifest['license'] && !$licenseValidator->validate($manifest['license']) && $licenseValidator->validate(trim($manifest['license']))) {
-                $warnings[] = sprintf(
-                    'License %s must not contain extra spaces, make sure to trim it.',
-                    json_encode($manifest['license'])
-                );
-            } elseif ('proprietary' !== $manifest['license'] && array() !== $manifest['license'] && !$licenseValidator->validate($manifest['license'])) {
-                $warnings[] = sprintf(
-                    'License %s is not a valid SPDX license identifier, see https://spdx.org/licenses/ if you use an open license.'
-                    . PHP_EOL .
-                    'If the software is closed-source, you may use "proprietary" as license.',
-                    json_encode($manifest['license'])
-                );
-            }
-        } else {
+        if (empty($manifest['license'])) {
             $warnings[] = 'No license specified, it is recommended to do so. For closed-source software you may use "proprietary" as license.';
         }