License gate "could not parse SPDX expression" in CI
A license-policy tool (cargo-deny, REUSE, an SBOM validator, or a custom gate) failed to parse an SPDX license expression because it contains an unknown identifier, a bad operator, or malformed syntax, so it errored instead of evaluating the policy.
What this error means
The tool reports it could not parse the SPDX expression and points at the offending string, for example a lowercase or misspelled identifier, a stray slash, or a missing operator between two licenses.
error: could not parse license expression "MIT/Apache2":
unknown SPDX identifier "Apache2"; expected an operator (AND, OR, WITH)Common causes
A non-standard SPDX identifier
Strings like Apache2, BSD, or GPLv3 are not valid SPDX identifiers. The correct forms are Apache-2.0, a specific BSD variant, and GPL-3.0-only.
A malformed expression
Using a slash instead of an operator (for example MIT/Apache-2.0), or omitting AND/OR/WITH between licenses, produces an unparseable expression.
How to fix it
Use canonical SPDX syntax
- Replace informal names with exact SPDX identifiers.
- Join multiple licenses with AND / OR (and exceptions with WITH).
- Re-run the tool to confirm the expression parses.
# invalid: MIT/Apache2
# valid:
MIT OR Apache-2.0Validate against the SPDX license list
Check each identifier against the canonical SPDX list (they are case-sensitive) so the parser accepts them.
# example valid expressions
Apache-2.0 WITH LLVM-exception
GPL-2.0-or-later AND MITHow to prevent it
- Store license metadata as canonical SPDX identifiers everywhere.
- Validate SPDX expressions in review before they reach the policy gate.
- Prefer explicit
-only/-or-laterGPL forms over ambiguous names.