ExtractLicenses adds invalid "+" to -or-later SPDX license IDs

[ma-ble]

Hi

while using ExtractLicenses(), I noticed that license identifiers like GPL-2.0-or-later are returned with an added + suffix, resulting in:

["GPL-2.0-or-later+"]

This is surprising, as GPL-2.0-or-later+ is not a valid SPDX license identifier according to the official SPDX license list: https://spdx.org/licenses/
The valid identifier is simply GPL-2.0-or-later.

Looking at the parser code, it seems this behavior is intentional:

if strings.HasSuffix(token.value, "-or-later") { lic.hasPlus = true }

Later, licenseString() appends the + if hasPlus is true.

Could you share the reasoning behind appending a + to -or-later license identifiers, even though the -or-later suffix already conveys the “later versions allowed” semantics defined by SPDX?

Is the + intended as an internal marker for multi-version compatibility (e.g. for use in compatibility checks), and has it unintentionally surfaced in public-facing functions like ExtractLicenses()?

[elrayle]

Thanks for bringing this up. I had a minute to look into this.

SPDX 2.3 allows of use of the "+" operator.. But of course, what you discovered where it is parsing to both is a bug.

Long term, there is an issue to move to SPDX 3.0 which does not allow for the "+" operator.

Unfortunately, the change to 3.0 is a major update that represents almost a complete rewrite. It is not on my set of near term tasks. I will see if I can add a fix for the bug you identified.