fix(spdx-utils): Make license choice matching order-dependent

cow-lang · sschuberth · sschuberth · commit 63242d9fb460 · 2025-11-19T17:53:10.000+01:00
ORT had an architectural mismatch where `SpdxCompoundExpression` used order-invariant equality ("MIT OR Apache-2.0" == "Apache-2.0 OR MIT"), but the license choice matching used order-dependent matching based on strings. That is, if the expression contained "MIT OR Apache-2.0" but the user gave "Apache-2.0 OR MIT", the string match failed, triggering a fallback that rebuilt the expression by OR-ing all valid choices. With multiple license choices, this caused exponential expression growth (> 1000 characters in length). This solution replaces the string-based algorithm with set-based operations in `replaceSubexpressionWithChoice()`: 1. Decompose expressions into a set using `validChoices()`. 2. Remove dismissed choices from the set (no string operations). 3. Rebuild from remaining choices with controlled reduction. 4. Only recurse to AND-children if the sub-expression is actually contained in a child to prevent inappropriate recursion for the entire expression or derived sub-expression choices. Since sets are order-invariant ({A,B} == {B,A}), both orderings execute identical code paths, guaranteeing deterministic behavior. Fixes #10888. Signed-off-by: Antoni <168914426+cow-lang@users.noreply.github.com> Co-authored-by: Sebastian Schuberth <sebastian@doubleopen.org>
diff --git a/utils/spdx/src/main/kotlin/SpdxExpression.kt b/utils/spdx/src/main/kotlin/SpdxExpression.kt
@@ -343,20 +343,44 @@ class SpdxCompoundExpression(
     }
 
     private fun replaceSubexpressionWithChoice(subExpression: SpdxExpression, choice: SpdxExpression): SpdxExpression {
-        val expressionString = toString()
-        val subExpressionString = subExpression.toString()
-        val choiceString = choice.toString()
-
-        return if (subExpressionString in expressionString) {
-            expressionString.replace(subExpressionString, choiceString).toSpdx()
-        } else {
-            val dismissedLicense = subExpression.validChoices().first { it != choice }
-            val unchosenLicenses = validChoices().filter { it != dismissedLicense }
-
-            requireNotNull(unchosenLicenses.toExpression(SpdxOperator.OR)) {
-                "No licenses left after applying choice $choice to $subExpression."
-            }
+        // If the operator is AND, then there is no choice at this level, but try with the children if they contain the
+        // sub-expression. Also, if the sub-expression is the whole expression, no recursive application of the choice
+        // is needed, as it will be handled by the logic below.
+        if (
+            operator == SpdxOperator.AND && subExpression != this && children.any { it.isSubExpression(subExpression) }
+        ) {
+            // Reconstruct this AND-expression with all children having the subexpression replaced with the choice.
+            return SpdxCompoundExpression(
+                SpdxOperator.AND,
+                children.map {
+                    when {
+                        it is SpdxCompoundExpression -> it.replaceSubexpressionWithChoice(subExpression, choice)
+                        else -> it
+                    }
+                }
+            )
         }
+
+        // The basic idea of the following algorithm is that any expression can be represented as a disjunction of the
+        // choices it offers, and that any expressions that offer exactly the same choices are equal. So an expression
+        // is first "decomposed" into its choices, then dismissed choices (unchosen expressions) are removed, and the
+        // remaining expressions are recomped with the OR-operand.
+
+        val choices = validChoices().toMutableSet()
+        val subExpressionChoices = subExpression.validChoices()
+        val dismissedChoices = subExpressionChoices - choice.validChoices()
+
+        // While the sub-expression is still contained in this expression...
+        while (choices.containsAll(subExpressionChoices)) {
+            // ... remove all unchosen expressions.
+            choices.removeAll(dismissedChoices)
+        }
+
+        require(choices.isNotEmpty()) {
+            "No licenses left after applying choice $choice to $subExpression."
+        }
+
+        return choices.reduce(SpdxExpression::or)
     }
 
     override fun isSubExpression(subExpression: SpdxExpression?): Boolean =
diff --git a/utils/spdx/src/test/kotlin/SpdxExpressionChoiceTest.kt b/utils/spdx/src/test/kotlin/SpdxExpressionChoiceTest.kt
@@ -123,6 +123,17 @@ class SpdxExpressionChoiceTest : WordSpec({
 
             shouldThrow<InvalidSubExpressionException> { expression.applyChoice(choice, subExpression) }
         }
+
+        "resolve the choice for a sub-expression in a compound expression" {
+            val expression = "(CDDL-1.1 OR GPL-2.0-only) AND (CDDL-1.1 OR GPL-2.0-only WITH Classpath-exception-2.0)"
+                .toSpdx()
+            val choice = "CDDL-1.1".toSpdx()
+            val subExpression = "CDDL-1.1 OR GPL-2.0-only".toSpdx()
+
+            val result = expression.applyChoice(choice, subExpression)
+
+            result shouldBe "CDDL-1.1 AND (CDDL-1.1 OR GPL-2.0-only WITH Classpath-exception-2.0)".toSpdx()
+        }
     }
 
     "applyChoices()" should {
@@ -199,6 +210,33 @@ class SpdxExpressionChoiceTest : WordSpec({
 
             result shouldBe "a".toSpdx()
         }
+
+        "apply choices regardless of license order in an OR-expression" {
+            val expression = "(GPL-2.0-only OR MIT) AND Apache-2.0".toSpdx()
+            val choicesGivenGplOrMit = listOf(SpdxLicenseChoice("GPL-2.0-only OR MIT".toSpdx(), "MIT".toSpdx()))
+            val choicesGivenMitOrGpl = listOf(SpdxLicenseChoice("MIT OR GPL-2.0-only".toSpdx(), "MIT".toSpdx()))
+
+            val resultGivenGplOrMit = expression.applyChoices(choicesGivenGplOrMit)
+            val resultGivenMitOrGpl = expression.applyChoices(choicesGivenMitOrGpl)
+
+            resultGivenGplOrMit shouldBe "MIT AND Apache-2.0".toSpdx()
+            resultGivenMitOrGpl shouldBe "MIT AND Apache-2.0".toSpdx()
+        }
+
+        "resolve the choice for a sub-expression in a compound expression" {
+            // This test ensures that when applying a choice to a sub-expression that appears multiple times,
+            // only the matching occurrence is replaced, not similar-looking expressions with WITH-operands.
+            // This prevents the over-simplification bug where string replacement would affect too much.
+            val expression = "(CDDL-1.1 OR GPL-2.0-only) AND (CDDL-1.1 OR GPL-2.0-only WITH Classpath-exception-2.0)"
+                .toSpdx()
+            val choices = listOf(SpdxLicenseChoice("CDDL-1.1 OR GPL-2.0-only".toSpdx(), "CDDL-1.1".toSpdx()))
+
+            val result = expression.applyChoices(choices)
+
+            // The second OR-expression should remain unchanged because it has a WITH-operand and thus does not exactly
+            // match the sub-expression despite containing a sub-string of it.
+            result shouldBe "CDDL-1.1 AND (CDDL-1.1 OR GPL-2.0-only WITH Classpath-exception-2.0)".toSpdx()
+        }
     }
 
     "isSubExpression()" should {
