feat(spdx): Report detected root licenses as a fallback

The SPDX `licenseDeclared` field [1] is not a declared license in the ORT sense, meaning that it must originate from package metadata only, but lists any "licenses that have been declared by the authors of the package" in any way, including as part of a `LICENSE` file, which in the ORT sense would be a detected license. To account for that, fall back to using the detected licenses of root license files as the package license if no license from metadata is available. This solves the case for Go packages so far not having any `licenseDeclared` set, as they are just pointers to Git repositories which have to metadata associated. [1]: https://spdx.github.io/spdx-spec/v2.2.2/package-information/#715-declared-license-field Signed-off-by: Sebastian Schuberth <[email protected]>
oss-review-toolkit · Oct 25, 2024 · b338a84 · b338a84
1 parent 357dfcd
commit b338a84
Showing 1 changed file with 25 additions and 1 deletion.
diff --git a/plugins/reporters/spdx/src/main/kotlin/Extensions.kt b/plugins/reporters/spdx/src/main/kotlin/Extensions.kt
@@ -35,13 +35,15 @@ import org.ossreviewtoolkit.model.ScanResult
 import org.ossreviewtoolkit.model.SourceCodeOrigin
 import org.ossreviewtoolkit.model.VcsInfo
 import org.ossreviewtoolkit.model.VcsType
+import org.ossreviewtoolkit.model.config.LicenseFilePatterns
 import org.ossreviewtoolkit.model.licenses.Findings
 import org.ossreviewtoolkit.model.licenses.LicenseInfoResolver
 import org.ossreviewtoolkit.model.licenses.LicenseView
 import org.ossreviewtoolkit.model.licenses.ResolvedLicenseInfo
 import org.ossreviewtoolkit.model.utils.FindingCurationMatcher
 import org.ossreviewtoolkit.model.utils.prependedPath
 import org.ossreviewtoolkit.reporter.LicenseTextProvider
+import org.ossreviewtoolkit.utils.common.FileMatcher
 import org.ossreviewtoolkit.utils.common.replaceCredentialsInUri
 import org.ossreviewtoolkit.utils.ort.ProcessedDeclaredLicense
 import org.ossreviewtoolkit.utils.spdx.SpdxConstants
@@ -154,6 +156,28 @@ internal fun Package.toSpdxPackage(
         .filterExcluded()
         .filter(LicenseView.ONLY_DETECTED)
 
+    val declaredPackageLicenses = declaredLicensesProcessed.toSpdxDeclaredLicense()
+    val foundPackageLicenses = declaredPackageLicenses.takeUnless {
+        it == SpdxConstants.NOASSERTION && type == SpdxPackageType.VCS_PACKAGE
+    } ?: run {
+        // If there are of declared licenses and the package type is a VCS, which never have metadata, fall back to
+        // determine the package's license from what is detected in root license files.
+        val patterns = LicenseFilePatterns.getInstance()
+
+        val detectedPackageLicenses = detectedLicenses.filter { licenseInfo ->
+            licenseInfo.locations.any {
+                FileMatcher.match(patterns.allLicenseFilenames, it.location.path, ignoreCase = true)
+            }
+        }
+
+        detectedPackageLicenses
+            .mapNotNull { resolvedLicense ->
+                resolvedLicense.license.takeIf { it.isValid(SpdxExpression.Strictness.ALLOW_DEPRECATED) }
+            }
+            .reduceOrNull(SpdxExpression::and)
+            .nullOrBlankToSpdxNoassertionOrNone()
+    }
+
     return SpdxPackage(
         spdxId = id.toSpdxId(type),
         checksums = when (type) {
@@ -178,7 +202,7 @@ internal fun Package.toSpdxPackage(
             SpdxPackageType.VCS_PACKAGE -> SpdxConstants.NOASSERTION
             else -> concludedLicense.nullOrBlankToSpdxNoassertionOrNone()
         },
-        licenseDeclared = declaredLicensesProcessed.toSpdxDeclaredLicense(),
+        licenseDeclared = foundPackageLicenses,
         licenseInfoFromFiles = if (packageVerificationCode == null) {
             emptyList()
         } else {