Pip: Add a sanity check for a setup.py's license field length

sschuberth · sschuberth · commit 8940a6f46492 · 2021-07-09T12:56:59.000+02:00
The field is specified to be a "short string" which is "a single line of text, not more than 200 characters" [1]. Respect that limit, which also filters out cases where people add full license texts to the field. [1] https://docs.python.org/3/distutils/setupscript.html#additional-meta-data Signed-off-by: Sebastian Schuberth <sebastian.schuberth@bosch.io>
diff --git a/analyzer/src/main/kotlin/managers/Pip.kt b/analyzer/src/main/kotlin/managers/Pip.kt
@@ -170,6 +170,8 @@ class Pip(
     }
 
     companion object {
+        private const val SHORT_STRING_MAX_CHARS = 200
+
         private val INSTALL_OPTIONS = arrayOf(
             "--no-warn-conflicts",
             "--prefer-binary"
@@ -437,7 +439,9 @@ class Pip(
     }
 
     private fun getLicenseFromLicenseField(value: String?): String? {
-        if (value.isNullOrBlank() || value == "UNKNOWN" || "\n" in value) return null
+        if (value.isNullOrBlank() || value == "UNKNOWN" || value.length > SHORT_STRING_MAX_CHARS || "\n" in value) {
+            return null
+        }
 
         // Apply a work-around for projects that declare licenses in classifier-syntax in the license field.
         return getLicenseFromClassifier(value) ?: value
