[BUG] validity could not be determined for (MIT OR Apache-2.0) AND Unicode-3.0 #897

Open
altendky opened this issue Feb 20, 2025 · 2 comments
Labels
bug Something isn't working

Comments

@altendky

Describe the bug

At a glance, (MIT OR Apache-2.0) AND Unicode-3.0 looks to me like a valid SPDX license but dependency-review-action is having trouble with it.

https://github.com/Chia-Network/clvm_tools_rs/actions/runs/13433337446/job/37529914688?pr=88

Run actions/dependency-review-action@v4
Vulnerabilities
Licenses
  Warning: 
  The validity of the licenses of the dependencies below could not be determined. Ensure that they are valid SPDX licenses:
  Cargo.lock » [email protected] – License: (MIT OR Apache-2.0) AND Unicode-3.0
  wasm/Cargo.lock » [email protected] – License: (MIT OR Apache-2.0) AND Unicode-3.0
  Error: Dependency review could not detect the validity of all licenses.

It appears that the package is also setting this correctly.

https://github.com/dtolnay/unicode-ident/blob/1.0.17/Cargo.toml#L10

license = "(MIT OR Apache-2.0) AND Unicode-3.0"

To Reproduce
Steps to reproduce the behavior:

  1. Go to '...'
  2. Click on '....'
  3. Scroll down to '....'
  4. See error

Expected behavior
The license is able to be processed and is considered valid.

Screenshots

Image

Action version
What version of the action are you using in your workflow?

We are using @v4 and this ran two hours ago so it ought to be the latest v4.5.0 from November.

Note: if you're not running the latest release please try that first!

Examples
https://github.com/Chia-Network/clvm_tools_rs/actions/runs/13433337446/job/37529914688?pr=88
https://github.com/dtolnay/unicode-ident/blob/1.0.17/Cargo.toml#L10

Additional context
n/a

@altendky altendky added the bug Something isn't working label Feb 20, 2025
@jtomkiew-mng

License expressions are still not implemented 😿 (see: #263, an issue from Sep 29, 2022)

@altendky
Author

I don't think they are entirely unsupported, but I've certainly run into various issues.

#719

The MIT license satisfies the expression MIT OR GPL-2.0, but it does not satisfy MIT AND GPL-2.0.
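
The OR/AND rule quoted above, applied to the compound expression from this issue, as an added example that is not part of the thread and not dependency-review-action's own code. The function names (`parseSpdx`, `satisfies`, `isAllowed`) are hypothetical; the sketch assumes uppercase `AND`/`OR` operators and exact-match license ids, and rejects `WITH` exceptions rather than guessing at them.

```javascript
// Added example (not the action's code): check an SPDX expression against an allow-list.
// Grammar handled: ids, AND, OR, parentheses. AND binds tighter than OR.
function parseSpdx(expr) {
  const tokens = expr.match(/\(|\)|[A-Za-z0-9.+-]+/g) || [];
  // Any character the tokenizer skipped (other than whitespace) is a syntax error.
  if (tokens.join('') !== expr.replace(/\s+/g, '')) throw new SyntaxError('invalid character');
  let pos = 0;
  const peek = () => tokens[pos];
  const next = () => tokens[pos++];

  function parseOr() {
    let node = parseAnd();
    while (peek() === 'OR') { next(); node = { op: 'OR', left: node, right: parseAnd() }; }
    return node;
  }
  function parseAnd() {
    let node = parseAtom();
    while (peek() === 'AND') { next(); node = { op: 'AND', left: node, right: parseAtom() }; }
    return node;
  }
  function parseAtom() {
    const t = next();
    if (t === '(') {
      const node = parseOr();
      if (next() !== ')') throw new SyntaxError('expected ")"');
      return node;
    }
    if (t === undefined || [')', 'AND', 'OR', 'WITH'].includes(t)) {
      throw new SyntaxError('unexpected token: ' + t);
    }
    return { id: t };
  }

  const tree = parseOr();
  if (pos !== tokens.length) throw new SyntaxError('trailing tokens');
  return tree;
}

// OR: one acceptable branch is enough. AND: every branch must be acceptable.
function satisfies(node, allowed) {
  if (node.id) return allowed.has(node.id);
  const left = satisfies(node.left, allowed);
  const right = satisfies(node.right, allowed);
  return node.op === 'AND' ? left && right : left || right;
}

function isAllowed(expr, allowList) {
  return satisfies(parseSpdx(expr), new Set(allowList));
}
```

A malformed expression throws instead of returning `false`, so a caller can report "could not be parsed" separately from "parsed but not allowed".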
