Properly resolve licenses with "OR" expressions

[msalib]

Package	Version	License	Issue Type
ryu	1.0.16	Apache-2.0 OR BSL-1.0	Incompatible License

We reject the BSL-1.0 license, so I was confused why this Rust crate was getting rejected since it can be licensed under BSL-1.0 or Apache-2.0 which we accept.

[febuiles]

The SPDX expression parser we use is brittle (see https://github.com/actions/dependency-review-action/issues/263). I think moving to something like https://www.npmjs.com/package/@onebeyond/spdx-license-satisfies would provide a better experience and fix the issues with OR. We don't have cycles to test atm, but are happy to collaborate on community contributions.

[npushkarskii]

Hey there, hope this one won't slip through the cracks and be fixed at some point :) Thank you for handling this issue.

[febuiles]

@npushkarskii https://github.com/actions/dependency-review-action/pull/719 might need tweaks, but it fixes this bug. We hope it lands somewhere in the next week or two.

If you want to start testing it today and help us get feedback you can add uses: actions/dependency-review-action@change-spdx-parser in your worfklow file until the PR and the new version (probably v5) are merged/released.

[npushkarskii]

@febuiles only managed to see your comment now, sorry for the delay.

Thank you for all the info, my colleagues and I will try to play with the pre-release version you mentioned; if we get to it, I'll let you know about the results in this PR! Thank you again for your help.