feat(API): Extend ort run package API with curation info

This commit extends packages list for ORT Run API endpoint
with information on curations applied.

resolves #2324

Signed-off-by: Kamil Bielecki <[email protected]>

Author: Kamil Bielecki

api/v1/mapping/src/commonMain/kotlin/Mappings.kt

@@ -27,6 +27,7 @@ import org.eclipse.apoapsis.ortserver.api.v1.model.AnalyzerJob as ApiAnalyzerJob
 import org.eclipse.apoapsis.ortserver.api.v1.model.AnalyzerJobConfiguration as ApiAnalyzerJobConfiguration
 import org.eclipse.apoapsis.ortserver.api.v1.model.ComparisonOperator as ApiComparisonOperator
 import org.eclipse.apoapsis.ortserver.api.v1.model.CredentialsType as ApiCredentialsType
+import org.eclipse.apoapsis.ortserver.api.v1.model.Curation as ApiCuration
 import org.eclipse.apoapsis.ortserver.api.v1.model.EcosystemStats as ApiEcosystemStats
 import org.eclipse.apoapsis.ortserver.api.v1.model.EnvironmentConfig as ApiEnvironmentConfig
 import org.eclipse.apoapsis.ortserver.api.v1.model.EnvironmentVariableDeclaration as ApiEnvironmentVariableDeclaration
@@ -145,14 +146,15 @@ import org.eclipse.apoapsis.ortserver.model.runs.Issue
 import org.eclipse.apoapsis.ortserver.model.runs.OrtRuleViolation
 import org.eclipse.apoapsis.ortserver.model.runs.PackageFilters
 import org.eclipse.apoapsis.ortserver.model.runs.PackageManagerConfiguration
-import org.eclipse.apoapsis.ortserver.model.runs.PackageWithShortestDependencyPaths
+import org.eclipse.apoapsis.ortserver.model.runs.PackageWithShortestDependencyPathsAndCurations
 import org.eclipse.apoapsis.ortserver.model.runs.ProcessedDeclaredLicense
 import org.eclipse.apoapsis.ortserver.model.runs.Project
 import org.eclipse.apoapsis.ortserver.model.runs.RemoteArtifact
 import org.eclipse.apoapsis.ortserver.model.runs.ShortestDependencyPath
 import org.eclipse.apoapsis.ortserver.model.runs.VcsInfo
 import org.eclipse.apoapsis.ortserver.model.runs.advisor.Vulnerability
 import org.eclipse.apoapsis.ortserver.model.runs.advisor.VulnerabilityReference
+import org.eclipse.apoapsis.ortserver.model.runs.repository.PackageCurationData
 import org.eclipse.apoapsis.ortserver.model.util.ComparisonOperator
 import org.eclipse.apoapsis.ortserver.model.util.FilterOperatorAndValue
 import org.eclipse.apoapsis.ortserver.model.util.ListQueryParameters
@@ -857,7 +859,7 @@ fun ShortestDependencyPath.mapToApi() = ApiShortestDependencyPath(
     path = path.map { it.mapToApi() }
 )
 
-fun PackageWithShortestDependencyPaths.mapToApi() = ApiPackage(
+fun PackageWithShortestDependencyPathsAndCurations.mapToApi() = ApiPackage(
     pkg.identifier.mapToApi(),
     pkg.purl,
     pkg.cpe,
@@ -872,7 +874,17 @@ fun PackageWithShortestDependencyPaths.mapToApi() = ApiPackage(
     pkg.vcsProcessed.mapToApi(),
     pkg.isMetadataOnly,
     pkg.isModified,
-    shortestDependencyPaths.map { it.mapToApi() }
+    shortestDependencyPaths.map { it.mapToApi() },
+    curations.map { it.mapToApi() }.toSet()
+)
+
+fun PackageCurationData.mapToApi(): ApiCuration = ApiCuration(
+    concludedLicense ?: "",
+    comment ?: "",
+    description ?: "",
+    homepageUrl ?: "",
+    authors ?: emptySet(),
+    declaredLicenseMapping
 )
 
 fun ApiPackageFilters.mapToModel(): PackageFilters =

api/v1/model/src/commonMain/kotlin/Curation.kt

@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) 2025 The ORT Server Authors (See <https://github.com/eclipse-apoapsis/ort-server/blob/main/NOTICE>)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * License-Filename: LICENSE
+ */
+
+package org.eclipse.apoapsis.ortserver.api.v1.model
+
+import kotlinx.serialization.Serializable
+
+@Serializable
+data class Curation(
+    val concludedLicense: String,
+    val comment: String,
+    val description: String,
+    val homepageUrl: String,
+    val authors: Set<String>,
+    val declaredLicenseMapping: Map<String, String>
+)

api/v1/model/src/commonMain/kotlin/Package.kt

@@ -37,7 +37,8 @@ data class Package(
     val vcsProcessed: VcsInfo,
     val isMetadataOnly: Boolean = false,
     val isModified: Boolean = false,
-    val shortestDependencyPaths: List<ShortestDependencyPath>
+    val shortestDependencyPaths: List<ShortestDependencyPath>,
+    val curations: Set<Curation>
 )
 
 /**

core/src/main/kotlin/api/RunsRoute.kt

@@ -76,7 +76,7 @@ import org.eclipse.apoapsis.ortserver.model.authorization.RepositoryPermission
 import org.eclipse.apoapsis.ortserver.model.repositories.OrtRunRepository
 import org.eclipse.apoapsis.ortserver.model.runs.Issue
 import org.eclipse.apoapsis.ortserver.model.runs.OrtRuleViolation
-import org.eclipse.apoapsis.ortserver.model.runs.PackageWithShortestDependencyPaths
+import org.eclipse.apoapsis.ortserver.model.runs.PackageWithShortestDependencyPathsAndCurations
 import org.eclipse.apoapsis.ortserver.model.runs.Project
 import org.eclipse.apoapsis.ortserver.services.IssueService
 import org.eclipse.apoapsis.ortserver.services.OrtRunService
@@ -245,7 +245,7 @@ fun Route.runs() = route("runs") {
                         .listForOrtRunId(ortRun.id, pagingOptions.mapToModel(), filters.mapToModel())
 
                     val pagedResponse = packagesForOrtRun
-                        .mapToApi(PackageWithShortestDependencyPaths::mapToApi)
+                        .mapToApi(PackageWithShortestDependencyPathsAndCurations::mapToApi)
                         .toSearchResponse(filters)
 
                     call.respond(HttpStatusCode.OK, pagedResponse)

core/src/main/kotlin/apiDocs/RunsDocs.kt

@@ -28,6 +28,7 @@ import kotlin.time.Duration.Companion.minutes
 import kotlinx.datetime.Clock
 
 import org.eclipse.apoapsis.ortserver.api.v1.model.ComparisonOperator
+import org.eclipse.apoapsis.ortserver.api.v1.model.Curation
 import org.eclipse.apoapsis.ortserver.api.v1.model.EcosystemStats
 import org.eclipse.apoapsis.ortserver.api.v1.model.FilterOperatorAndValue
 import org.eclipse.apoapsis.ortserver.api.v1.model.Identifier
@@ -428,6 +429,16 @@ val getPackagesByRunId: RouteConfig.() -> Unit = {
                                             Identifier("Maven", "org.example", "other", "1.0")
                                         )
                                     )
+                                ),
+                                curations = setOf(
+                                    Curation(
+                                        concludedLicense = "MIT",
+                                        comment = "A comment",
+                                        description = "",
+                                        homepageUrl = "https://example.com/namespace/name",
+                                        authors = setOf("John Doe <[email protected]>"),
+                                        declaredLicenseMapping = emptyMap()
+                                    )
                                 )
                             )
                         ),

core/src/test/kotlin/api/RunsRouteIntegrationTest.kt

@@ -91,6 +91,7 @@ import org.eclipse.apoapsis.ortserver.api.v1.model.VulnerabilityRating
 import org.eclipse.apoapsis.ortserver.api.v1.model.VulnerabilityWithIdentifier
 import org.eclipse.apoapsis.ortserver.config.ConfigManager
 import org.eclipse.apoapsis.ortserver.core.shouldHaveBody
+import org.eclipse.apoapsis.ortserver.dao.repositories.repositoryconfiguration.RepositoryConfigurationsPackageCurationsTable
 import org.eclipse.apoapsis.ortserver.dao.utils.toDatabasePrecision
 import org.eclipse.apoapsis.ortserver.logaccess.LogFileCriteria
 import org.eclipse.apoapsis.ortserver.logaccess.LogFileProviderFactoryForTesting
@@ -126,6 +127,13 @@ import org.eclipse.apoapsis.ortserver.model.runs.advisor.AdvisorResult
 import org.eclipse.apoapsis.ortserver.model.runs.advisor.Vulnerability
 import org.eclipse.apoapsis.ortserver.model.runs.advisor.VulnerabilityReference
 import org.eclipse.apoapsis.ortserver.model.runs.reporter.Report
+import org.eclipse.apoapsis.ortserver.model.runs.repository.Curations
+import org.eclipse.apoapsis.ortserver.model.runs.repository.Excludes
+import org.eclipse.apoapsis.ortserver.model.runs.repository.LicenseChoices
+import org.eclipse.apoapsis.ortserver.model.runs.repository.PackageCuration
+import org.eclipse.apoapsis.ortserver.model.runs.repository.PackageCurationData
+import org.eclipse.apoapsis.ortserver.model.runs.repository.RepositoryAnalyzerConfiguration
+import org.eclipse.apoapsis.ortserver.model.runs.repository.Resolutions
 import org.eclipse.apoapsis.ortserver.model.util.asPresent
 import org.eclipse.apoapsis.ortserver.services.DefaultAuthorizationService
 import org.eclipse.apoapsis.ortserver.services.OrganizationService
@@ -993,6 +1001,115 @@ class RunsRouteIntegrationTest : AbstractIntegrationTest({
                 val identifier1 = Identifier("Maven", "com.example", "example", "1.0")
                 val identifier2 = Identifier("Maven", "com.example", "example2", "1.0")
 
+                dbExtension.fixtures.repositoryConfigurationRepository.create(
+                    ortRunId = ortRun.id,
+                    curations = Curations(
+                        packages = listOf(
+                            PackageCuration(
+                                id = identifier1,
+                                data = PackageCurationData(
+                                    comment = "comment",
+                                    description = "description",
+                                    concludedLicense = "license"
+                                )
+                            )
+                        )
+                    ),
+                    analyzerConfig = RepositoryAnalyzerConfiguration(),
+                    excludes = Excludes(),
+                    resolutions = Resolutions(),
+                    packageConfigurations = listOf(),
+                    licenseChoices = LicenseChoices(),
+                    provenanceSnippetChoices = listOf()
+                )
+
+                val package1 = Package(
+                    identifier1,
+                    purl = "pkg:maven/com.example/[email protected]",
+                    cpe = null,
+                    authors = setOf("Author One", "Author Two"),
+                    declaredLicenses = setOf("License1", "License2", "License3"),
+                    ProcessedDeclaredLicense(
+                        spdxExpression = "Expression",
+                        mappedLicenses = mapOf(
+                            "License 1" to "Mapped License 1",
+                            "License 2" to "Mapped License 2",
+                        ),
+                        unmappedLicenses = setOf("License 1", "License 2", "License 3", "License 4")
+                    ),
+                    description = "An example package",
+                    homepageUrl = "https://example.com",
+                    binaryArtifact = RemoteArtifact(
+                        "https://example.com/example-1.0.jar",
+                        "sha1:value",
+                        "SHA-1"
+                    ),
+                    sourceArtifact = RemoteArtifact(
+                        "https://example.com/example-1.0-sources.jar",
+                        "sha1:value",
+                        "SHA-1"
+                    ),
+                    vcs = VcsInfo(
+                        RepositoryType("GIT"),
+                        "https://example.com/git",
+                        "revision",
+                        "path"
+                    ),
+                    vcsProcessed = VcsInfo(
+                        RepositoryType("GIT"),
+                        "https://example.com/git",
+                        "revision",
+                        "path"
+                    ),
+                    isMetadataOnly = false,
+                    isModified = false
+                )
+
+                val package2 = Package(
+                    identifier2,
+                    purl = "pkg:maven/com.example/[email protected]",
+                    cpe = null,
+                    authors = emptySet(),
+                    declaredLicenses = emptySet(),
+                    ProcessedDeclaredLicense(
+                        spdxExpression = "Expression",
+                        mappedLicenses = emptyMap(),
+                        unmappedLicenses = emptySet()
+                    ),
+                    description = "Another example package",
+                    homepageUrl = "https://example.com",
+                    binaryArtifact = RemoteArtifact(
+                        "https://example.com/example2-1.0.jar",
+                        "sha1:value",
+                        "SHA-1"
+                    ),
+                    sourceArtifact = RemoteArtifact(
+                        "https://example.com/example2-1.0-sources.jar",
+                        "sha1:value",
+                        "SHA-1"
+                    ),
+                    vcs = VcsInfo(
+                        RepositoryType("GIT"),
+                        "https://example.com/git",
+                        "revision",
+                        "path"
+                    ),
+                    vcsProcessed = VcsInfo(
+                        RepositoryType("GIT"),
+                        "https://example.com/git",
+                        "revision",
+                        "path"
+                    ),
+                    isMetadataOnly = false,
+                    isModified = false
+                )
+
+                dbExtension.fixtures.createPackageCurationData(
+                    dbExtension.fixtures.getPackageCurationData(package1, "cmt1", "dsc1", "lic1")
+                )
+
+                RepositoryConfigurationsPackageCurationsTable
+
                 dbExtension.fixtures.analyzerRunRepository.create(
                     analyzerJobId = analyzerJob.id,
                     startTime = Clock.System.now().toDatabasePrecision(),
@@ -1014,87 +1131,7 @@ class RunsRouteIntegrationTest : AbstractIntegrationTest({
                         skipExcluded = true
                     ),
                     projects = setOf(project),
-                    packages = setOf(
-                        Package(
-                            identifier1,
-                            purl = "pkg:maven/com.example/[email protected]",
-                            cpe = null,
-                            authors = setOf("Author One", "Author Two"),
-                            declaredLicenses = setOf("License1", "License2", "License3"),
-                            ProcessedDeclaredLicense(
-                                spdxExpression = "Expression",
-                                mappedLicenses = mapOf(
-                                    "License 1" to "Mapped License 1",
-                                    "License 2" to "Mapped License 2",
-                                ),
-                                unmappedLicenses = setOf("License 1", "License 2", "License 3", "License 4")
-                            ),
-                            description = "An example package",
-                            homepageUrl = "https://example.com",
-                            binaryArtifact = RemoteArtifact(
-                                "https://example.com/example-1.0.jar",
-                                "sha1:value",
-                                "SHA-1"
-                            ),
-                            sourceArtifact = RemoteArtifact(
-                                "https://example.com/example-1.0-sources.jar",
-                                "sha1:value",
-                                "SHA-1"
-                            ),
-                            vcs = VcsInfo(
-                                RepositoryType("GIT"),
-                                "https://example.com/git",
-                                "revision",
-                                "path"
-                            ),
-                            vcsProcessed = VcsInfo(
-                                RepositoryType("GIT"),
-                                "https://example.com/git",
-                                "revision",
-                                "path"
-                            ),
-                            isMetadataOnly = false,
-                            isModified = false
-                        ),
-                        Package(
-                            identifier2,
-                            purl = "pkg:maven/com.example/[email protected]",
-                            cpe = null,
-                            authors = emptySet(),
-                            declaredLicenses = emptySet(),
-                            ProcessedDeclaredLicense(
-                                spdxExpression = "Expression",
-                                mappedLicenses = emptyMap(),
-                                unmappedLicenses = emptySet()
-                            ),
-                            description = "Another example package",
-                            homepageUrl = "https://example.com",
-                            binaryArtifact = RemoteArtifact(
-                                "https://example.com/example2-1.0.jar",
-                                "sha1:value",
-                                "SHA-1"
-                            ),
-                            sourceArtifact = RemoteArtifact(
-                                "https://example.com/example2-1.0-sources.jar",
-                                "sha1:value",
-                                "SHA-1"
-                            ),
-                            vcs = VcsInfo(
-                                RepositoryType("GIT"),
-                                "https://example.com/git",
-                                "revision",
-                                "path"
-                            ),
-                            vcsProcessed = VcsInfo(
-                                RepositoryType("GIT"),
-                                "https://example.com/git",
-                                "revision",
-                                "path"
-                            ),
-                            isMetadataOnly = false,
-                            isModified = false
-                        )
-                    ),
+                    packages = setOf(package1, package2),
                     issues = emptyList(),
                     dependencyGraphs = emptyMap(),
                     shortestDependencyPaths = mapOf(
@@ -1135,14 +1172,21 @@ class RunsRouteIntegrationTest : AbstractIntegrationTest({
                             it.scope shouldBe "compileClassPath"
                             it.path shouldBe emptyList()
                         }
+
+                        curations shouldHaveSize(1)
                     }
 
-                    last().shortestDependencyPaths.shouldBeSingleton {
-                        it.projectIdentifier shouldBe project.identifier.mapToApi()
-                        it.scope shouldBe "compileClassPath"
-                        it.path shouldBe listOf(identifier1.mapToApi())
+                    with(last()) {
+                        identifier.name shouldBe "example2"
+
+                        shortestDependencyPaths.shouldBeSingleton {
+                            it.projectIdentifier shouldBe project.identifier.mapToApi()
+                            it.scope shouldBe "compileClassPath"
+                            it.path shouldBe listOf(identifier1.mapToApi())
+                        }
+
+                        curations shouldHaveSize(0)
                     }
-                    last().identifier.name shouldBe "example2"
                 }
             }
         }