Discard allow list entries that are not SPDX IDs

The allow-licenses list is expected (and documented) to be a list of
SPDX license IDs (LicenseRefs are also valid). If someone puts an
expression in the list (e.g. "GPL-3.0-only OR MIT"), it should be
discarded so that the whole list does not become invalid.

Fixes #907

Author: dangoor

__tests__/licenses.test.ts

@@ -290,6 +290,19 @@ test('it does filters out changes if they are not on the exclusions list', async
   expect(invalidLicenses.forbidden[1]).toBe(npmChange)
 })
 
+test('it does not fail if there is a license expression in the allow list', async () => {
+  const changes: Changes = [
+    {...npmChange, license: 'MIT AND Apache-2.0'},
+    {...rubyChange, license: 'BSD-3-Clause'}
+  ]
+
+  const {forbidden} = await getInvalidLicenseChanges(changes, {
+    allow: ['BSD-3-Clause', 'MIT AND Apache-2.0', 'MIT', 'Apache-2.0']
+  })
+
+  expect(forbidden.length).toEqual(0)
+})
+
 describe('GH License API fallback', () => {
   test('it calls licenses endpoint if atleast one of the changes has null license and valid source_repository_url', async () => {
     const nullLicenseChange = {

dist/index.js

@@ -29,7 +29,16 @@ export async function getInvalidLicenseChanges(
     licenseExclusions?: string[]
   }
 ): Promise<InvalidLicenseChanges> {
-  const {allow, deny} = licenses
+  const deny = licenses.deny
+  let allow = licenses.allow
+
+  // Filter out elements of the allow list that include AND
+  // or OR because the list should be simple license IDs and
+  // not expressions.
+  allow = allow?.filter(license => {
+    return !license.includes(' AND ') && !license.includes(' OR ')
+  })
+
   const licenseExclusions = licenses.licenseExclusions?.map(
     (pkgUrl: string) => {
       return parsePURL(pkgUrl)