feat: NuGet license file support + license expression fixes#1076
Merged
Signed-off-by: Marius Thesing <marius.thesing@gmail.com> Signed-off-by: Michael Tsfoni <80639729+mtsfoni@users.noreply.github.com>
Adds --include-license-text CLI option that controls whether license file contents are embedded as base64 in the BOM. Fixes null-URL stub emission for packages with no license URL. aka.ms/deprecateLicenseUrl guard still missing (1 unit test + 1 E2E test expected to fail). Signed-off-by: Michael Tsfoni <80639729+mtsfoni@users.noreply.github.com>
… file support - Skip https://aka.ms/deprecateLicenseUrl stub URL in both the GitHub and no-GitHub code paths to avoid spurious API calls and incorrect license nodes (NuGet auto-injects this URL for old-client compat when packing <license type="file"> packages) - Add unit test covering the GitHub-path guard - Update docs/license-resolution.md Phase 4 description - Add [Unreleased] CHANGELOG entries for license file support and fixes Signed-off-by: Michael Tsfoni <80639729+mtsfoni@users.noreply.github.com>
Signed-off-by: Lakshya Jain <lakshyajain1995@gmail.com> Signed-off-by: Michael Tsfoni <80639729+mtsfoni@users.noreply.github.com>
Signed-off-by: Michael Tsfoni <80639729+mtsfoni@users.noreply.github.com>
c0a647d to 85cc562
- Remove spurious 'Unknown - See URL' license nodes for packages with no license declared (was valid per CycloneDX spec but semantically incorrect - emitting fabricated data) - Reflects new behaviour introduced by nuget license file support Signed-off-by: Michael Tsfoni <80639729+mtsfoni@users.noreply.github.com>
Signed-off-by: Michael Tsfoni <80639729+mtsfoni@users.noreply.github.com>
mtsfoni added a commit that referenced this pull request Apr 26, 2026
…ling changes Master PR #1076 (feature/nuget-license-files) refactored license emission so that packages with no licenseUrl/expression no longer emit empty <licenses><name>Unknown - See URL</name></licenses> blocks. Regenerate the ConditionalPackageSnapshotTests verified files against current master to match. Signed-off-by: Michael Tsfoni <80639729+mtsfoni@users.noreply.github.com>
Summary
This PR adds proper support for NuGet packages that declare their license as a file (rather than a URL or SPDX expression), and fixes two related issues in license handling.
Closes #915. Supersedes #1011.
Changes
Added
- `<license type="file">` support — when `--include-license-text` is specified, the license file content is embedded as base64-encoded text in the BOM. Without the flag the license is detected but not embedded.
Fixed
- `aka.ms/deprecateLicenseUrl` stub URL — NuGet auto-injects `https://aka.ms/deprecateLicenseUrl` into `<licenseUrl>` for packages packed with `<license type="file">` for old-client compatibility. This stub is now ignored in both the GitHub and no-GitHub code paths rather than being emitted as a bogus license entry. See NuGet packaging spec.
- `UNLICENSED` emitted as SPDX id (fixes Nuget UNLICENSED License Expression Produces Invalid File #915, from Fix #915: handle UNLICENSED in NuGet license expressions #1004) — `UNLICENSED` is a NuGet-specific token and not a valid SPDX identifier. It is now emitted as `license.name` instead of `license.id`.
- Packages with no `<licenseUrl>` no longer produce a spurious `License { Name="Unknown - See URL", Url=null }` node. Note: `name` + `url` is valid per the CycloneDX spec (`name` satisfies the required id/name choice, `url` is optional), but emitting this for packages with no license declared at all is semantically incorrect — it is fabricated data. Packages with a real, non-stub licenseUrl still get `Unknown - See URL` emitted as before.
Notes
- NuGet rejects `expression` + `licenseUrl` as invalid at pack time, so real packages cannot have that combination. The `aka.ms` guard above handles the real-world equivalent.
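The resolution rules in the description above (file licenses embedded only with the flag, the aka.ms stub ignored before any GitHub lookup, `UNLICENSED` as `name` rather than `id`, and no license node at all when nothing is declared), modelled end to end in Python as an added example. This is not cyclonedx-dotnet's own code (the tool is C#); `resolve_license`, `demo`, the `github_lookup` hook and the nuspec samples are hypothetical and constructed for the example. Two choices are the example's own, not stated on the page: a `type="file"` license is recorded with the file path as `license.name` when the text is not embedded, and a compound SPDX expression is emitted in CycloneDX's `expression` field rather than `license.id`.

```python
import base64
import xml.etree.ElementTree as ET
from typing import Callable, Optional

# NuGet writes this into <licenseUrl> when packing a <license type="file"> package so
# that old clients still see a value; it is a stub, not the package's license URL.
DEPRECATED_LICENSE_URL_STUB = "https://aka.ms/deprecateLicenseUrl"
# NuGet-specific token for "no license granted"; it is not an SPDX identifier.
NUGET_UNLICENSED = "UNLICENSED"


def _local(tag: str) -> str:
    """Local element name without the nuspec namespace (which varies by schema version)."""
    return tag.rsplit("}", 1)[-1]


def _child(parent: ET.Element, name: str) -> Optional[ET.Element]:
    return next((c for c in parent if _local(c.tag) == name), None)


def resolve_license(nuspec_xml: str, package_files: dict, include_license_text: bool = False,
                    github_lookup: Optional[Callable[[str], Optional[str]]] = None) -> Optional[dict]:
    """Map one nuspec's license metadata to a CycloneDX license entry, or None.

    package_files: file contents inside the .nupkg keyed by path (constructed by the caller).
    github_lookup: hypothetical hook standing in for the tool's GitHub API path; it resolves a
                   github.com URL to an SPDX id and must never be called for the aka.ms stub.
    """
    root = ET.fromstring(nuspec_xml)
    metadata = _child(root, "metadata")
    if metadata is None:
        return None
    license_el = _child(metadata, "license")
    url_el = _child(metadata, "licenseUrl")
    url = (url_el.text or "").strip() if url_el is not None else ""
    if url == DEPRECATED_LICENSE_URL_STUB:
        url = ""  # stub: ignore it everywhere, so no API call and no bogus license node

    kind = license_el.get("type") if license_el is not None else None
    value = (license_el.text or "").strip() if license_el is not None else ""

    if kind == "expression":
        if value == NUGET_UNLICENSED:
            return {"license": {"name": NUGET_UNLICENSED}}  # name, not id: not valid SPDX
        if any(op in value.split() for op in ("AND", "OR", "WITH")):
            return {"expression": value}  # compound SPDX expression (example's simplification)
        return {"license": {"id": value}}

    if kind == "file":
        entry = {"name": value}  # assumption: file path as the name when text is not embedded
        if include_license_text:
            data = package_files.get(value)
            if data is None:
                raise FileNotFoundError(f"license file {value!r} missing from package")
            entry["text"] = {"contentType": "text/plain", "encoding": "base64",
                             "content": base64.b64encode(data).decode("ascii")}
        if url:
            entry["url"] = url  # only a real, non-stub URL survives to this point
        return {"license": entry}

    if url:
        if github_lookup is not None and url.startswith("https://github.com/"):
            spdx = github_lookup(url)
            if spdx:
                return {"license": {"id": spdx, "url": url}}
        return {"license": {"name": "Unknown - See URL", "url": url}}  # legacy behaviour kept

    return None  # nothing declared: emit no license node rather than fabricated data


def _nuspec(*metadata: str) -> str:
    """Constructed minimal nuspec with the given extra <metadata> children."""
    return ('<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">'
            '<metadata><id>Example</id><version>1.0.0</version>'
            + "".join(metadata) + "</metadata></package>")


STUB = f"<licenseUrl>{DEPRECATED_LICENSE_URL_STUB}</licenseUrl>"
GITHUB_URL = "https://github.com/example/repo/blob/main/LICENSE"
SAMPLES = {  # constructed inputs, one per rule in the PR description
    "file": _nuspec('<license type="file">LICENSE.txt</license>', STUB),
    "unlicensed": _nuspec('<license type="expression">UNLICENSED</license>'),
    "mit": _nuspec('<license type="expression">MIT</license>'),
    "compound": _nuspec('<license type="expression">MIT OR Apache-2.0</license>'),
    "url_only": _nuspec(f"<licenseUrl>{GITHUB_URL}</licenseUrl>"),
    "stub_only": _nuspec(STUB),
    "none": _nuspec(),
}


def demo() -> tuple:
    """Run every sample; returns (results by name, URLs that reached the GitHub hook)."""
    calls = []

    def lookup(url: str) -> Optional[str]:
        calls.append(url)
        return None  # offline stand-in: GitHub reports no recognised license

    files = {"LICENSE.txt": b"MIT License\n"}
    results = {name: resolve_license(xml, files, False, lookup) for name, xml in SAMPLES.items()}
    results["file_with_text"] = resolve_license(SAMPLES["file"], files, True, lookup)
    return results, calls


if __name__ == "__main__":
    import json
    results, calls = demo()
    print(json.dumps(results, indent=2))
    print("GitHub lookups:", calls)
```

The point to check when reviewing the real change is the order of operations: the stub must be discarded before the URL reaches either the GitHub lookup or the `Unknown - See URL` fallback, otherwise a `type="file"` package packed by a current NuGet client still produces an API call or a fabricated license node. Here the `file` sample carries the stub and yields no `url` and no lookup, while the `url_only` sample with a real github.com URL is the only one that reaches the hook.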