Skip to content
Latchkey

License gate "could not parse SPDX expression" in CI

A license-policy tool (cargo-deny, REUSE, an SBOM validator, or a custom gate) failed to parse an SPDX license expression because it contains an unknown identifier, a bad operator, or malformed syntax, so it errored instead of evaluating the policy.

What this error means

The tool reports it could not parse the SPDX expression and points at the offending string, for example a lowercase or misspelled identifier, a stray slash, or a missing operator between two licenses.

Terminal
error: could not parse license expression "MIT/Apache2":
  unknown SPDX identifier "Apache2"; expected an operator (AND, OR, WITH)

Common causes

A non-standard SPDX identifier

Strings like Apache2, BSD, or GPLv3 are not valid SPDX identifiers. The correct forms are Apache-2.0, a specific BSD variant, and GPL-3.0-only.

A malformed expression

Using a slash instead of an operator (for example MIT/Apache-2.0), or omitting AND/OR/WITH between licenses, produces an unparseable expression.

How to fix it

Use canonical SPDX syntax

  1. Replace informal names with exact SPDX identifiers.
  2. Join multiple licenses with AND / OR (and exceptions with WITH).
  3. Re-run the tool to confirm the expression parses.
SPDX expression
# invalid:  MIT/Apache2
# valid:
MIT OR Apache-2.0

Validate against the SPDX license list

Check each identifier against the canonical SPDX list (they are case-sensitive) so the parser accepts them.

SPDX expression
# example valid expressions
Apache-2.0 WITH LLVM-exception
GPL-2.0-or-later AND MIT

How to prevent it

  • Store license metadata as canonical SPDX identifiers everywhere.
  • Validate SPDX expressions in review before they reach the policy gate.
  • Prefer explicit -only / -or-later GPL forms over ambiguous names.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →