
mypy has invalid SPDX license definitions #16228

Closed
matroscoe opened this issue Oct 5, 2023 · 8 comments · Fixed by #16230
Labels
bug mypy got something wrong

Comments

@matroscoe

Bug Report

We are unable to leverage the "dependency-review-action" tooling provided by GitHub to determine if mypy meets our license needs.

To Reproduce

Run dependabot and the dependency check functionality.

Expected Behavior

The mypy license to be defined in an SPDX-compatible manner so it is easier to prove to management/IT security that the licenses are not an issue to use.

Actual Behavior

The dependency_review Action is unable to determine how mypy is licensed.

Run actions/dependency-review-action@v3
Dependency review did not detect any denied packages
Vulnerabilities
Licenses
  Warning: 
  The validity of the licenses of the dependencies below could not be determined. Ensure that they are valid SPDX licenses:
  poetry.lock » mypy@1.5.1 – License: MIT AND NOASSERTION AND Python-2.0
  Error: Dependency review could not detect the validity of all licenses.

Your Environment

  • Mypy version used: 1.5.1
  • Mypy command-line flags: N/A
  • Mypy configuration options from mypy.ini (and other config files): N/A
  • Python version used: N/A (3.11.5/6)
@matroscoe matroscoe added the bug mypy got something wrong label Oct 5, 2023
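The warning in the report above comes from the `NOASSERTION` token: in SPDX, `NOASSERTION` (like `NONE`) is a placeholder meaning "no license information asserted" and is accepted only as the whole value of a license field, never as an operand inside an `AND`/`OR` expression, so `MIT AND NOASSERTION AND Python-2.0` is not a valid expression. The following is an added example, not code from mypy or from GitHub's dependency-review-action: a small validator for SPDX license expressions plus a parser for the `License:` lines the action prints, usable as a local pre-check before a CI gate. The set of known identifiers is a hand-picked subset of https://spdx.org/licenses/ (an assumption for illustration; a real check should load the full list), and `SAMPLE_REPORT` is constructed from the output quoted in this issue.

```python
import re

# Constructed subset of the SPDX license list (https://spdx.org/licenses/).
# A real gate should load the full list, e.g. the licenses.json the SPDX
# project publishes, instead of this hand-picked sample.
KNOWN_LICENSE_IDS = {
    "MIT", "Python-2.0", "PSF-2.0", "Apache-2.0", "BSD-3-Clause",
    "GPL-2.0-only", "GPL-3.0-or-later",
}
KNOWN_EXCEPTION_IDS = {"LLVM-exception", "Classpath-exception-2.0"}
# Valid in SPDX metadata only as the entire value, never as an operand.
SPECIAL_VALUES = {"NONE", "NOASSERTION"}
OPERATORS = {"AND", "OR", "WITH"}
TOKEN_RE = re.compile(r"\(|\)|[A-Za-z0-9.+-]+")


def tokenize(expr: str) -> list[str]:
    """Split an expression into parentheses, operators and identifiers."""
    tokens = TOKEN_RE.findall(expr)
    if "".join(tokens) != "".join(expr.split()):
        raise ValueError(f"unexpected characters in {expr!r}")
    return tokens


def validate_spdx_expression(expr: str) -> list[str]:
    """Return the problems found in an SPDX license expression (empty list = valid)."""
    expr = expr.strip()
    if expr in SPECIAL_VALUES:
        return []
    try:
        tokens = tokenize(expr)
    except ValueError as exc:
        return [str(exc)]
    if not tokens:
        return ["empty license expression"]
    problems: list[str] = []
    depth = 0
    expect_operand = True  # True when the next token must be "(" or an identifier
    prev = ""
    for tok in tokens:
        upper = tok.upper()
        if tok == "(":
            if not expect_operand:
                problems.append("'(' directly follows an operand")
            depth += 1
        elif tok == ")":
            if expect_operand or depth == 0:
                problems.append("unbalanced ')'")
            depth = max(depth - 1, 0)
        elif upper in OPERATORS:
            if expect_operand:
                problems.append(f"operator {tok} has no left operand")
            expect_operand = True
        else:
            if not expect_operand:
                problems.append(f"{tok} follows an operand without an operator")
            if prev.upper() == "WITH":
                if tok not in KNOWN_EXCEPTION_IDS:
                    problems.append(f"{tok} is not a known SPDX exception id")
            elif upper in SPECIAL_VALUES:
                problems.append(
                    f"{tok} is not a license id; it is only valid as the entire value"
                )
            elif tok.rstrip("+") not in KNOWN_LICENSE_IDS and not tok.startswith("LicenseRef-"):
                problems.append(f"{tok} is not a known SPDX license id")
            expect_operand = False
        prev = tok
    if expect_operand:
        problems.append("expression ends with an operator or '('")
    if depth:
        problems.append("unbalanced '('")
    return problems


# Matches lines such as: poetry.lock » mypy@1.5.1 – License: MIT AND Python-2.0
REPORT_LINE_RE = re.compile(
    r"^\s*(?P<manifest>\S+)\s*»\s*(?P<pkg>[^@\s]+)@(?P<ver>\S+)\s*[–-]\s*License:\s*(?P<expr>.+?)\s*$"
)


def check_report(lines: list[str]) -> dict[str, list[str]]:
    """Map package@version to its expression problems for every License: line."""
    findings: dict[str, list[str]] = {}
    for line in lines:
        m = REPORT_LINE_RE.match(line)
        if m:
            findings[f"{m['pkg']}@{m['ver']}"] = validate_spdx_expression(m["expr"])
    return findings


# Constructed sample modelled on the dependency-review output quoted in this issue.
SAMPLE_REPORT = """\
Warning:
The validity of the licenses of the dependencies below could not be determined. Ensure that they are valid SPDX licenses:
poetry.lock » mypy@1.5.1 – License: MIT AND NOASSERTION AND Python-2.0
poetry.lock » mypy-extensions@1.0.0 – License: MIT
""".splitlines()

if __name__ == "__main__":
    for pkg, problems in check_report(SAMPLE_REPORT).items():
        print(f"{pkg}: {'ok' if not problems else '; '.join(problems)}")
```

The validator treats `NOASSERTION` as valid only when it is the entire value, which mirrors why the action can read a bare `MIT` but not the compound string from the report; unknown identifiers and `LicenseRef-` custom references are reported separately so a reviewer can tell a typo from a genuinely non-SPDX license.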
sobolevn added a commit that referenced this issue Oct 6, 2023
It does not change the license itself, only its identifier in `setup.py`, so external tools can read it better.

Full list: https://spdx.org/licenses/
Closes #16228
ilevkivskyi pushed a commit that referenced this issue Oct 8, 2023
It does not change the license itself, only its identifier in
`setup.py`, so external tools can read it better.

Full list: https://spdx.org/licenses/
Closes #16228
@matroscoe
Author

@ilevkivskyi was the intent of the fix to remove the tools ability to identify the license?
image

@sobolevn
Member

Can you please be more specific? What happened? What did you try? What did you expect to happen?

@matroscoe
Author

The same status check provided by GitHub, "dependency-review-action", ran; now, instead of not being able to figure out which license applies to mypy, it thinks mypy has no license that should be followed at all. I would have expected the tool to report MIT given the changes made in the linked PR.

@sobolevn
Member

sobolevn commented Oct 12, 2023

The screenshot says that you used 1.6.0, is that true?
I don't think that this commit even made it to 1.6.0 release: https://github.com/python/mypy/tree/release-1.6

Can you please try the main branch?

@matroscoe
Author

That is weird; I did use the 1.6.0 build from PyPI. So something happened from 1.5.0/1.5.1 to 1.6.0 that made it so the mypy license can no longer be parsed by SPDX license scanners. I will try a build in a few minutes that runs against main from GitHub and post the scan results.

@matroscoe
Author

When using this as the reference for mypy in my pyproject.toml:

mypy = { git = "https://github.com/python/mypy.git" }

I get this from the dependency-review action. It doesn't state what the license is, but it is no longer stating that no license was found.

image

@sobolevn
Member

This still does not look correct to me, master branch has 1.7.0+dev version (not 1.6.0):

__version__ = "1.7.0+dev"

@matroscoe
Author

This still does not look correct to me, master branch has 1.7.0+dev version (not 1.6.0):

__version__ = "1.7.0+dev"

This is my lock file (poetry.lock) that is committed and what the tool says it is running its check against. It seems to waver back and forth between not detecting mypy and thinking it is 1.6.0:

[[package]]
name = "mypy"
version = "1.7.0+dev.2e52e98fd2873775a58616c097e93c96f58fc991"
description = "Optional static typing for Python"
optional = false
python-versions = ">=3.8"
files = []
develop = false

[package.dependencies]
mypy_extensions = ">=1.0.0"
typing_extensions = ">=4.1.0"

[package.extras]
dmypy = ["psutil (>=4.0)"]
install-types = ["pip"]
mypyc = ["setuptools (>=50)"]
reports = ["lxml"]

[package.source]
type = "git"
url = "https://github.com/python/mypy.git"
reference = "master"
resolved_reference = "2e52e98fd2873775a58616c097e93c96f58fc991"
