fix: address code review findings

go-redrock-nicolas · go-redrock-nicolas · commit 992de5d1c98d · 2026-03-07T22:46:45.000-07:00
- Remove dead TYPE_CHECKING import in resolver.py
- Make async license resolution concurrent (asyncio.gather)
- Remove bogus hardcoded SPDX PackageVerificationCode
- Fix duplicate comment in CLI scan command
- Handle table format + output file in scan command
- Simplify _matches_any to use any() (ruff SIM110)
- Use re.DOTALL for .csproj regex to handle multiline attrs
- Clarify evaluate_policy mutates in-place
diff --git a/src/license_patrol/cli.py b/src/license_patrol/cli.py
@@ -91,10 +91,13 @@ def scan_cmd(
         console.print("[yellow]No dependencies found.[/yellow]")
         raise typer.Exit(0)
 
-    # Render output
     # Render output
     project_name = Path(project_dir).name
     if format == "table":
+        if output:
+            rendered = render_json(result)
+            Path(output).write_text(rendered, encoding="utf-8")
+            console.print(f"[green]Report written to {output} (as JSON)[/green]")
         render_table(result, console)
     elif format in ("json", "csv", "spdx", "cyclonedx"):
         rendered = _render_format(result, format, project_name)
diff --git a/src/license_patrol/ecosystems/nuget.py b/src/license_patrol/ecosystems/nuget.py
@@ -60,9 +60,9 @@ def _parse_csproj(self, path: Path) -> list[Dependency]:
         """Parse a .csproj file for PackageReference elements."""
         deps = []
         content = path.read_text(encoding="utf-8")
-        # Simple regex parse — avoid heavy XML deps
+        # Simple regex parse — handles multiline attributes
         pattern = r'<PackageReference\s+Include="([^"]+)"\s+Version="([^"]+)"'
-        for match in re.finditer(pattern, content):
+        for match in re.finditer(pattern, content, re.DOTALL):
             name = match.group(1)
             version = match.group(2)
             deps.append(
diff --git a/src/license_patrol/policy.py b/src/license_patrol/policy.py
@@ -8,7 +8,7 @@
 
 
 def evaluate_policy(dependencies: list[Dependency], policy: Policy) -> list[Dependency]:
-    """Evaluate each dependency against the policy and set its verdict."""
+    """Evaluate each dependency against the policy and set its verdict (mutates in-place)."""
     for dep in dependencies:
         # Check overrides first
         if dep.name in policy.overrides:
@@ -46,11 +46,6 @@ def _match_license(license_id: str, policy: Policy) -> PolicyVerdict:
 
 
 def _matches_any(license_id: str, patterns: list[str]) -> bool:
-    """Check if a license identifier matches any of the given patterns."""
-    for pattern in patterns:
-        if fnmatch.fnmatch(license_id, pattern):
-            return True
-        # Also check case-insensitively
-        if fnmatch.fnmatch(license_id.lower(), pattern.lower()):
-            return True
-    return False
+    """Check if a license identifier matches any of the given patterns (case-insensitive)."""
+    lower_id = license_id.lower()
+    return any(fnmatch.fnmatch(lower_id, p.lower()) for p in patterns)
diff --git a/src/license_patrol/report.py b/src/license_patrol/report.py
@@ -126,8 +126,6 @@ def render_spdx(result: ScanResult, project_name: str = "project") -> str:
             f"SPDXID: SPDXRef-Package-{project_name}",
             "PackageDownloadLocation: NOASSERTION",
             "FilesAnalyzed: false",
-            "PackageVerificationCode: d6a770ba38583ed4bb4525bd96e50461655d2758"
-            " (excludes: ./exclude.awk)",
             "",
         ]
     )
diff --git a/src/license_patrol/resolver.py b/src/license_patrol/resolver.py
@@ -3,15 +3,11 @@
 from __future__ import annotations
 
 import logging
-from typing import TYPE_CHECKING
 
 import httpx
 
 from license_patrol.models import Dependency, Ecosystem
 
-if TYPE_CHECKING:
-    pass
-
 logger = logging.getLogger(__name__)
 
 # Well-known license mappings for common non-SPDX identifiers
@@ -194,14 +190,19 @@ async def resolve_nuget_license(dep: Dependency, client: httpx.AsyncClient) -> N
 
 async def resolve_licenses(dependencies: list[Dependency]) -> list[Dependency]:
     """Resolve licenses for all dependencies that don't already have one."""
+    import asyncio
+
     to_resolve = [d for d in dependencies if not d.license_id]
     if not to_resolve:
         return dependencies
 
     async with httpx.AsyncClient(timeout=15.0) as client:
+        tasks = []
         for dep in to_resolve:
             resolver = RESOLVERS.get(dep.ecosystem)
             if resolver:
-                await resolver(dep, client)
+                tasks.append(resolver(dep, client))
+        if tasks:
+            await asyncio.gather(*tasks, return_exceptions=True)
 
     return dependencies

Original file line number	Diff line number	Diff line change
`@@ -126,8 +126,6 @@ def render_spdx(result: ScanResult, project_name: str = "project") -> str:`
`126`	`126`	`f"SPDXID: SPDXRef-Package-{project_name}",`
`127`	`127`	`"PackageDownloadLocation: NOASSERTION",`
`128`	`128`	`"FilesAnalyzed: false",`
`129`		`- "PackageVerificationCode: d6a770ba38583ed4bb4525bd96e50461655d2758"`
`130`		`- " (excludes: ./exclude.awk)",`
`131`	`129`	`"",`
`132`	`130`	`]`
`133`	`131`	`)`