Conversation

sschuberth
Member

@sschuberth sschuberth commented Oct 17, 2024

Please have a look at the individual commit messages for the details.

Things to note:


codecov bot commented Oct 17, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 67.67%. Comparing base (b43a41a) to head (f63243d).
Report is 7 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff            @@
##               main    #9301   +/-   ##
=========================================
  Coverage     67.67%   67.67%           
  Complexity     1223     1223           
=========================================
  Files           244      244           
  Lines          8626     8626           
  Branches        911      911           
=========================================
  Hits           5838     5838           
  Misses         2413     2413           
  Partials        375      375           
Flag Coverage Δ
funTest-docker 62.08% <ø> (ø)
funTest-non-docker 33.57% <ø> (ø)
test 37.00% <ø> (ø)


@sschuberth sschuberth force-pushed the go-with-spdx-licenses branch 4 times, most recently from 6830e6a to 26fa09c Compare October 30, 2024 13:51
@sschuberth sschuberth marked this pull request as ready for review October 30, 2024 14:00
@sschuberth sschuberth requested a review from a team as a code owner October 30, 2024 14:00
@sschuberth sschuberth enabled auto-merge (rebase) October 30, 2024 14:02
@sschuberth sschuberth requested a review from fviernau October 30, 2024 14:03
@sschuberth sschuberth changed the title Report detected root licenses as a fallback in the SPDX licenseDeclared field Also report detected main licenses as part of SPDX's licenseDeclared field Oct 30, 2024
@sschuberth sschuberth force-pushed the go-with-spdx-licenses branch 2 times, most recently from 715e3ee to d333bf6 Compare October 30, 2024 16:06
@sschuberth sschuberth disabled auto-merge October 31, 2024 07:39
@sschuberth sschuberth force-pushed the go-with-spdx-licenses branch 2 times, most recently from 43a62c1 to dd744ba Compare October 31, 2024 13:09
@sschuberth sschuberth requested a review from fviernau October 31, 2024 13:14
@sschuberth sschuberth force-pushed the go-with-spdx-licenses branch from dd744ba to 65564d2 Compare October 31, 2024 13:38
@sschuberth sschuberth requested a review from a team November 1, 2024 09:25
@sschuberth sschuberth force-pushed the go-with-spdx-licenses branch from 65564d2 to 5d60e8e Compare November 1, 2024 09:31
```kotlin
val patterns = LicenseFilePatterns.getInstance()

// Keep only those resolved license expressions that were detected in at least one
// file whose name matches a known license file name (e.g. LICENSE, COPYING), ignoring case.
val detectedPackageLicenses = resolvedLicenseExpressions.filterTo(mutableSetOf()) { licenseInfo ->
    licenseInfo.locations.any {
        FileMatcher.match(patterns.allLicenseFilenames, it.location.path, ignoreCase = true)
    }
}
```

Because it is probably the most natural string representation for an
`SpdxExpression`, it makes sense to move that function to `spdx-utils`.

Note that in order to continue working for `null`, it needs to stay an
extension function and not just override `toString()` in `SpdxExpression`.

Signed-off-by: Sebastian Schuberth <[email protected]>
Go projects are a bit special in that their dependencies are just links
to Git repositories that have no metadata associated, and thus have no
declared licenses in the ORT sense. Also, ORT and the purl specification
treat Go dependencies differently with respect to whether they have
namespaces, so it is good to have additional test coverage here as the
SPDX document contains external purl references.

Signed-off-by: Sebastian Schuberth <[email protected]>
Reduce the diff when introducing an upcoming feature.

Signed-off-by: Sebastian Schuberth <[email protected]>
@sschuberth sschuberth force-pushed the go-with-spdx-licenses branch from 5d60e8e to e644284 Compare November 5, 2024 10:31
The SPDX `licenseDeclared` field for a package [1] is not a declared
license in the ORT sense (which means that it must originate from package
metadata only), but should list any "licenses that have been declared by
the authors of the package" in any way, including as part of a `LICENSE`
file, which in the ORT sense would be a detected license.

To account for that, also use licenses detected in root license files as
licenses "declared" for the package. This solves the concrete case for Go
packages that so far did not have any `licenseDeclared` set, as they are
just pointers to Git repositories which have no metadata associated.

Note that the overly complex SPDX expressions will get simplified in a
later PR.

[1]: https://spdx.github.io/spdx-spec/v2.2.2/package-information/#715-declared-license-field

Signed-off-by: Sebastian Schuberth <[email protected]>
Signed-off-by: Sebastian Schuberth <[email protected]>
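As an added illustration that is not ORT's own code, the following Python models the `licenseDeclared` logic the commit describes: licenses from package metadata are combined with licenses detected in root license files, which is what gives Go modules (no metadata, only a Git repository) a value at all. The pattern list, the class names and the root-only check are assumptions; compound expressions are parenthesized so that joining with `AND` keeps their precedence.

```python
import fnmatch
from dataclasses import dataclass

# Constructed subset of license file name patterns; ORT's LicenseFilePatterns list is larger.
LICENSE_FILE_PATTERNS = ("LICENSE*", "LICENCE*", "COPYING*", "UNLICENSE*")


@dataclass
class DetectedLicense:
    expression: str        # SPDX expression the scanner found, e.g. "MIT"
    locations: list[str]   # paths relative to the package root where it was found


def is_root_license_file(path: str) -> bool:
    """True if the path names a license file directly in the package root.

    Matching is case-insensitive. Files in subdirectories (e.g. a vendored
    third_party/x/LICENSE) are excluded so another component's license is not
    attributed to this package.
    """
    name = path.strip("/")
    if "/" in name:
        return False
    return any(fnmatch.fnmatchcase(name.upper(), p) for p in LICENSE_FILE_PATTERNS)


def _group(expression: str) -> str:
    """Parenthesize compound expressions so an AND join does not change precedence."""
    return f"({expression})" if " " in expression else expression


def spdx_license_declared(declared: list[str], detected: list[DetectedLicense]) -> str:
    """Build the SPDX licenseDeclared value.

    Metadata-declared licenses come first; licenses detected in root license
    files are added as well (the fallback that matters for Go packages). Returns
    NOASSERTION when neither source yields anything.
    """
    parts: list[str] = []
    for expr in declared:
        if expr not in parts:
            parts.append(expr)
    for lic in detected:
        if lic.expression in parts:
            continue
        if any(is_root_license_file(loc) for loc in lic.locations):
            parts.append(lic.expression)
    if not parts:
        return "NOASSERTION"
    return " AND ".join(_group(p) for p in parts)
```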
@sschuberth sschuberth force-pushed the go-with-spdx-licenses branch from e644284 to f63243d Compare November 5, 2024 11:13
@sschuberth sschuberth enabled auto-merge (rebase) November 5, 2024 11:57
@sschuberth sschuberth requested review from fviernau and a team November 5, 2024 15:00
@sschuberth sschuberth merged commit bfcfe62 into main Nov 5, 2024
23 checks passed
@sschuberth sschuberth deleted the go-with-spdx-licenses branch November 5, 2024 15:12