feat(CSAF2.1): #199 add informative test 6.3.17

Author: rainer-exxcellent

README.md

@@ -481,6 +481,7 @@ export const informativeTest_6_3_8: DocumentTest
 export const informativeTest_6_3_9: DocumentTest
 export const informativeTest_6_3_10: DocumentTest
 export const informativeTest_6_3_11: DocumentTest
+export const informativeTest_6_3_17: DocumentTest
 ```
 
 [(back to top)](#bsi-csaf-validator-lib)
@@ -577,5 +578,8 @@ For the complete list of dependencies please take a look at [package.json](https
 - [undici](https://undici.nodejs.org)
 - [@js-joda/core](https://js-joda.github.io/js-joda/)
 - [@js-joda/timezone](https://js-joda.github.io/js-joda/)
+- [aboutcode licenses](https://scancode-licensedb.aboutcode.org/index.json)
+- [SPDX licenses](https://raw.githubusercontent.com/spdx/license-list-data/refs/heads/main/json/licenses.json)
+- [license-expressions](https://github.com/lkoskela/license-expressions)
 
 [(back to top)](#bsi-csaf-validator-lib)

csaf_2_1/informativeTests.js

@@ -11,3 +11,4 @@ export {
 } from '../informativeTests.js'
 export { informativeTest_6_3_1 } from './informativeTests/informativeTest_6_3_1.js'
 export { informativeTest_6_3_4 } from './informativeTests/informativeTest_6_3_4.js'
+export { informativeTest_6_3_17 } from './informativeTests/informativeTest_6_3_17.js'

csaf_2_1/informativeTests/informativeTest_6_3_17.js

@@ -0,0 +1,67 @@
+import Ajv from 'ajv/dist/jtd.js'
+
+import license_information from '../../lib/license/license_information.js'
+import { validate } from 'license-expressions'
+
+const ajv = new Ajv()
+
+const CONSIDERED_LICENSE_KEYS = new Set(
+  license_information.licenses
+    .filter((license) => !license.deprecated)
+    .map((license) => license.license_key)
+)
+
+const inputSchema = /** @type {const} */ ({
+  additionalProperties: true,
+  properties: {
+    document: {
+      additionalProperties: true,
+      properties: {
+        license_expression: {
+          type: 'string',
+        },
+      },
+    },
+  },
+})
+
+const validateInput = ajv.compile(inputSchema)
+
+/**
+ * @param {string} licenseToCheck
+ */
+export function checkLicense(licenseToCheck) {
+  // first do asimple check with aboutcode and spdx license ids
+  // then check whether the license is a valid SPDX license expression
+  return (
+    CONSIDERED_LICENSE_KEYS.has(licenseToCheck) ||
+    validate(licenseToCheck).valid
+  )
+}
+
+/**
+ * It MUST be tested that the all license identifiers and exceptions are listed either
+ * in the official SPDX license identifier list or AboutCode's "ScanCode LicenseDB".
+ * @param {unknown} doc
+ * @returns
+ */
+export function informativeTest_6_3_17(doc) {
+  const ctx = {
+    infos: /** @type {Array<{ message: string; instancePath: string }>} */ ([]),
+  }
+
+  if (!validateInput(doc)) {
+    return ctx
+  }
+
+  const licenseToCheck = doc.document.license_expression
+
+  if (!checkLicense(licenseToCheck)) {
+    ctx.infos.push({
+      instancePath: '/document/license_expression',
+      message: `Invalid license: '${licenseToCheck}'`,
+    })
+  }
+
+  return ctx
+}