Backport 2287 to release/0.4.z

.gitignore

@@ -9,6 +9,8 @@
 
 *.cdx.json
 *.folded
+*-secret.*
+*.tar
 
 /flame*.svg
 /perf.data*

common/src/db/func.rs

@@ -77,28 +77,12 @@ impl UpdateDeprecatedAdvisory {
     }
 }
 
-/// The function expanding the license replacing all 'LicenseRef-' instances
-/// with the actual license they refer to.
-pub struct ExpandLicenseExpression;
-
-impl Iden for ExpandLicenseExpression {
-    #[allow(clippy::unwrap_used)]
-    fn unquoted(&self, s: &mut dyn Write) {
-        write!(s, "expand_license_expression").unwrap()
-    }
-}
-
-/// The function returns the final license, no matter if it's coming from a CycloneDx of SPDX
-/// license data stored in the DB.
-pub struct CaseLicenseTextSbomId;
-
-impl Iden for CaseLicenseTextSbomId {
-    #[allow(clippy::unwrap_used)]
-    fn unquoted(&self, s: &mut dyn Write) {
-        write!(s, "case_license_text_sbom_id").unwrap()
-    }
-}
-
+// NOTE: This enum is currently unused. The `expand_license_expression_with_mappings`
+// PostgreSQL function is invoked via raw SQL in `populate_expanded_license()` due to
+// its use of complex PostgreSQL features (composite types, array aggregation over
+// `license_mapping`, and complex CTEs). This enum is preserved for potential future
+// refactoring to SeaQuery/SeaORM query builders, though such migration may not be
+// feasible given the function's complexity and the performance benefits of raw SQL.
 #[derive(Iden)]
 pub enum CustomFunc {
     #[iden = "expand_license_expression_with_mappings"]

entity/src/expanded_license.rs

@@ -0,0 +1,24 @@
+use sea_orm::entity::prelude::*;
+
+#[derive(Clone, Debug, PartialEq, Eq, DeriveEntityModel)]
+#[sea_orm(table_name = "expanded_license")]
+pub struct Model {
+    #[sea_orm(primary_key)]
+    pub id: Uuid,
+    pub expanded_text: String,
+    pub text_hash: String,
+}
+
+#[derive(Copy, Clone, Debug, EnumIter, DeriveRelation)]
+pub enum Relation {
+    #[sea_orm(has_many = "super::sbom_license_expanded::Entity")]
+    SbomLicenseExpanded,
+}
+
+impl Related<super::sbom_license_expanded::Entity> for Entity {
+    fn to() -> RelationDef {
+        Relation::SbomLicenseExpanded.def()
+    }
+}
+
+impl ActiveModelBehavior for ActiveModel {}

entity/src/lib.rs

@@ -4,6 +4,7 @@ pub mod base_purl;
 pub mod cpe;
 pub mod cvss3;
 pub mod cvss4;
+pub mod expanded_license;
 pub mod importer;
 pub mod importer_report;
 pub mod labels;
@@ -22,6 +23,7 @@ pub mod relationship;
 pub mod sbom;
 pub mod sbom_external_node;
 pub mod sbom_file;
+pub mod sbom_license_expanded;
 pub mod sbom_node;
 pub mod sbom_node_checksum;
 pub mod sbom_package;

entity/src/sbom_license_expanded.rs

@@ -0,0 +1,53 @@
+use sea_orm::entity::prelude::*;
+
+#[derive(Clone, Debug, PartialEq, Eq, DeriveEntityModel)]
+#[sea_orm(table_name = "sbom_license_expanded")]
+pub struct Model {
+    #[sea_orm(primary_key)]
+    pub sbom_id: Uuid,
+    #[sea_orm(primary_key)]
+    pub license_id: Uuid,
+    pub expanded_license_id: Uuid,
+}
+
+#[derive(Copy, Clone, Debug, EnumIter, DeriveRelation)]
+pub enum Relation {
+    #[sea_orm(
+        belongs_to = "super::expanded_license::Entity",
+        from = "Column::ExpandedLicenseId",
+        to = "super::expanded_license::Column::Id"
+    )]
+    ExpandedLicense,
+    #[sea_orm(
+        belongs_to = "super::sbom::Entity",
+        from = "Column::SbomId",
+        to = "super::sbom::Column::SbomId"
+    )]
+    Sbom,
+    #[sea_orm(
+        belongs_to = "super::license::Entity",
+        from = "Column::LicenseId",
+        to = "super::license::Column::Id"
+    )]
+    License,
+}
+
+impl Related<super::expanded_license::Entity> for Entity {
+    fn to() -> RelationDef {
+        Relation::ExpandedLicense.def()
+    }
+}
+
+impl Related<super::sbom::Entity> for Entity {
+    fn to() -> RelationDef {
+        Relation::Sbom.def()
+    }
+}
+
+impl Related<super::license::Entity> for Entity {
+    fn to() -> RelationDef {
+        Relation::License.def()
+    }
+}
+
+impl ActiveModelBehavior for ActiveModel {}

entity/src/sbom_package_license.rs

@@ -27,6 +27,12 @@ pub enum Relation {
     Package,
     #[sea_orm(has_one = "super::license::Entity")]
     License,
+    #[sea_orm(
+        belongs_to = "super::sbom_license_expanded::Entity",
+        from = "(Column::SbomId, Column::LicenseId)",
+        to = "(super::sbom_license_expanded::Column::SbomId, super::sbom_license_expanded::Column::LicenseId)"
+    )]
+    SbomLicenseExpanded,
 }
 
 #[derive(
@@ -67,4 +73,10 @@ impl Related<super::license::Entity> for Entity {
     }
 }
 
+impl Related<super::sbom_license_expanded::Entity> for Entity {
+    fn to() -> RelationDef {
+        Relation::SbomLicenseExpanded.def()
+    }
+}
+
 impl ActiveModelBehavior for ActiveModel {}

etc/test-data/spdx/license-ref-overlap.json

@@ -0,0 +1,88 @@
+{
+  "spdxVersion": "SPDX-2.2",
+  "dataLicense": "CC0-1.0",
+  "SPDXID": "SPDXRef-DOCUMENT",
+  "name": "license-ref-overlap-test",
+  "documentNamespace": "https://example.org/test/license-ref-overlap",
+  "creationInfo": {
+    "created": "2024-01-01T00:00:00Z",
+    "creators": [
+      "Tool: test"
+    ],
+    "licenseListVersion": "3.19"
+  },
+  "hasExtractedLicensingInfos": [
+    {
+      "licenseId": "LicenseRef-BSD",
+      "extractedText": "BSD License text",
+      "name": "BSD License"
+    },
+    {
+      "licenseId": "LicenseRef-BSD-with-advertising",
+      "extractedText": "BSD with advertising License text",
+      "name": "BSD with advertising License"
+    },
+    {
+      "licenseId": "LicenseRef-GPL",
+      "extractedText": "GPL License text",
+      "name": "GPL License"
+    },
+    {
+      "licenseId": "LicenseRef-GPLv2",
+      "extractedText": "GPLv2 License text",
+      "name": "GPLv2 License"
+    }
+  ],
+  "packages": [
+    {
+      "SPDXID": "SPDXRef-Package-bsd-advertising",
+      "name": "package-bsd-advertising",
+      "versionInfo": "1.0",
+      "downloadLocation": "https://example.org/package-bsd-advertising",
+      "filesAnalyzed": false,
+      "licenseConcluded": "LicenseRef-BSD-with-advertising",
+      "licenseDeclared": "LicenseRef-BSD-with-advertising",
+      "copyrightText": "NOASSERTION",
+      "supplier": "Organization: Test"
+    },
+    {
+      "SPDXID": "SPDXRef-Package-bsd-only",
+      "name": "package-bsd-only",
+      "versionInfo": "1.0",
+      "downloadLocation": "https://example.org/package-bsd-only",
+      "filesAnalyzed": false,
+      "licenseConcluded": "LicenseRef-BSD",
+      "licenseDeclared": "LicenseRef-BSD",
+      "copyrightText": "NOASSERTION",
+      "supplier": "Organization: Test"
+    },
+    {
+      "SPDXID": "SPDXRef-Package-gpl-overlap",
+      "name": "package-gpl-overlap",
+      "versionInfo": "1.0",
+      "downloadLocation": "https://example.org/package-gpl-overlap",
+      "filesAnalyzed": false,
+      "licenseConcluded": "LicenseRef-GPLv2 OR LicenseRef-GPL",
+      "licenseDeclared": "LicenseRef-GPLv2 OR LicenseRef-GPL",
+      "copyrightText": "NOASSERTION",
+      "supplier": "Organization: Test"
+    }
+  ],
+  "relationships": [
+    {
+      "spdxElementId": "SPDXRef-DOCUMENT",
+      "relationshipType": "DESCRIBES",
+      "relatedSpdxElement": "SPDXRef-Package-bsd-advertising"
+    },
+    {
+      "spdxElementId": "SPDXRef-DOCUMENT",
+      "relationshipType": "DESCRIBES",
+      "relatedSpdxElement": "SPDXRef-Package-bsd-only"
+    },
+    {
+      "spdxElementId": "SPDXRef-DOCUMENT",
+      "relationshipType": "DESCRIBES",
+      "relatedSpdxElement": "SPDXRef-Package-gpl-overlap"
+    }
+  ]
+}

migration/src/lib.rs

@@ -33,6 +33,8 @@ mod m0001180_expand_spdx_licenses_with_mappings_function;
 mod m0001190_optimize_product_advisory_query;
 mod m0001200_source_document_fk_indexes;
 mod m0002100_analysis_perf_indexes;
+mod m0002110_license_query_performance;
+mod m0002120_normalize_expanded_license;
 
 pub struct Migrator;
 
@@ -73,6 +75,8 @@ impl MigratorTrait for Migrator {
             Box::new(m0001190_optimize_product_advisory_query::Migration),
             Box::new(m0001200_source_document_fk_indexes::Migration),
             Box::new(m0002100_analysis_perf_indexes::Migration),
+            Box::new(m0002110_license_query_performance::Migration),
+            Box::new(m0002120_normalize_expanded_license::Migration),
         ]
     }
 }