feat(spdx): Report detected root licenses for packages

sschuberth · sschuberth · commit 6830e6a2814d · 2024-10-28T12:32:25.000+01:00
The SPDX `licenseDeclared` field for a package [1] is not a declared license in the ORT sense (which means that it must originate from package metadata only), but should list any "licenses that have been declared by the authors of the package" in any way, including as part of a `LICENSE` file, which in the ORT sense would be a detected license. To account for that, also use licenses detected in root license files as licenses "declared" for the package. This solves the concrete case for Go packages that so far did not have any `licenseDeclared` set, as they are just pointers to Git repositories which have no metadata associated. [1]: https://spdx.github.io/spdx-spec/v2.2.2/package-information/#715-declared-license-field Signed-off-by: Sebastian Schuberth <sebastian@doubleopen.org>
diff --git a/plugins/reporters/spdx/src/main/kotlin/Extensions.kt b/plugins/reporters/spdx/src/main/kotlin/Extensions.kt
@@ -35,15 +35,16 @@ import org.ossreviewtoolkit.model.ScanResult
 import org.ossreviewtoolkit.model.SourceCodeOrigin
 import org.ossreviewtoolkit.model.VcsInfo
 import org.ossreviewtoolkit.model.VcsType
+import org.ossreviewtoolkit.model.config.LicenseFilePatterns
 import org.ossreviewtoolkit.model.licenses.Findings
 import org.ossreviewtoolkit.model.licenses.LicenseInfoResolver
 import org.ossreviewtoolkit.model.licenses.LicenseView
 import org.ossreviewtoolkit.model.licenses.ResolvedLicenseInfo
 import org.ossreviewtoolkit.model.utils.FindingCurationMatcher
 import org.ossreviewtoolkit.model.utils.prependedPath
 import org.ossreviewtoolkit.reporter.LicenseTextProvider
+import org.ossreviewtoolkit.utils.common.FileMatcher
 import org.ossreviewtoolkit.utils.common.replaceCredentialsInUri
-import org.ossreviewtoolkit.utils.ort.ProcessedDeclaredLicense
 import org.ossreviewtoolkit.utils.spdx.SpdxConstants
 import org.ossreviewtoolkit.utils.spdx.SpdxExpression
 import org.ossreviewtoolkit.utils.spdx.SpdxExpression.Strictness
@@ -56,7 +57,6 @@ import org.ossreviewtoolkit.utils.spdx.model.SpdxExtractedLicenseInfo
 import org.ossreviewtoolkit.utils.spdx.model.SpdxFile
 import org.ossreviewtoolkit.utils.spdx.model.SpdxPackage
 import org.ossreviewtoolkit.utils.spdx.model.SpdxPackageVerificationCode
-import org.ossreviewtoolkit.utils.spdx.toSpdx
 import org.ossreviewtoolkit.utils.spdx.toSpdxId
 
 /**
@@ -155,6 +155,20 @@ internal fun Package.toSpdxPackage(
         .filterExcluded()
         .filterValid(Strictness.ALLOW_DEPRECATED)
 
+    val declaredPackageLicenses = resolvedLicenseExpressions.filter(LicenseView.ONLY_DECLARED)
+
+    val patterns = LicenseFilePatterns.getInstance()
+    val detectedPackageLicenses = resolvedLicenseExpressions.filter { licenseInfo ->
+        licenseInfo.locations.any {
+            FileMatcher.match(patterns.allLicenseFilenames, it.location.path, ignoreCase = true)
+        }
+    }
+
+    val foundPackageLicenses = (declaredPackageLicenses + detectedPackageLicenses)
+        .map { it.license }
+        .reduceOrNull(SpdxExpression::and)
+        .nullOrBlankToSpdxNoassertionOrNone()
+
     return SpdxPackage(
         spdxId = id.toSpdxId(type),
         checksums = when (type) {
@@ -179,7 +193,7 @@ internal fun Package.toSpdxPackage(
             SpdxPackageType.VCS_PACKAGE -> SpdxConstants.NOASSERTION
             else -> concludedLicense.nullOrBlankToSpdxNoassertionOrNone()
         },
-        licenseDeclared = declaredLicensesProcessed.toSpdxDeclaredLicense(),
+        licenseDeclared = foundPackageLicenses,
         licenseInfoFromFiles = if (packageVerificationCode == null) {
             emptyList()
         } else {
@@ -210,25 +224,6 @@ private fun OrtResult.getPackageVerificationCode(id: Identifier, type: SpdxPacka
         calculatePackageVerificationCode(fileList.files.map { it.sha1 }.asSequence())
     }
 
-/**
- * Convert processed declared licenses to SPDX. Unmapped licenses are represented as `NOASSERTION`.
- */
-private fun ProcessedDeclaredLicense.toSpdxDeclaredLicense(): String =
-    when {
-        // If there are unmapped licenses, represent this by adding NOASSERTION.
-        unmapped.isNotEmpty() -> {
-            spdxExpression?.let {
-                if (SpdxConstants.NOASSERTION !in it.licenses()) {
-                    (it and SpdxConstants.NOASSERTION.toSpdx()).toString()
-                } else {
-                    it.toString()
-                }
-            } ?: SpdxConstants.NOASSERTION
-        }
-
-        else -> spdxExpression.nullOrBlankToSpdxNoassertionOrNone()
-    }
-
 /**
  * Use [licenseTextProvider] to add the license texts for all packages to the [SpdxDocument].
  */
