openSUSE
diff --git a/‎lib/Cavil/Model/Reports.pm‎
Lines changed: 6 additions & 1 deletion b/‎lib/Cavil/Model/Reports.pm‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎lib/Cavil/ReportUtil.pm‎
Lines changed: 68 additions & 2 deletions b/‎lib/Cavil/ReportUtil.pm‎
Lines changed: 68 additions & 2 deletions
diff --git a/‎t/incompatible_licenses.t‎
Lines changed: 102 additions & 0 deletions b/‎t/incompatible_licenses.t‎
Lines changed: 102 additions & 0 deletions
@@ -22,7 +22,7 @@ use Mojo::JSON qw(from_json to_json);
 use Spooky::Patterns::XS;
 use Cavil::Checkout;
 use Cavil::Licenses   qw(lic);
-use Cavil::ReportUtil qw(estimated_risk);
+use Cavil::ReportUtil qw(estimated_risk incompatible_licenses);
 
 has [qw(acceptable_packages acceptable_risk checkout_dir max_expanded_files pg)];
 
@@ -45,6 +45,9 @@ sub dig_report {
 
   my $report = $self->_dig_report($db, {}, $pkg, \%ignored_lines, $limit_to_file);
 
+  # Incompatible licenses
+  $report->{incompatible_licenses} = incompatible_licenses($report);
+
   # prune match caches
   delete $report->{matches};
   return $report;
@@ -171,6 +174,8 @@ sub summary ($self, $id) {
   }
   $summary{missed_snippets} = $files;
 
+  $summary{incompatible_licenses} = $report->{incompatible_licenses};
+
   return \%summary;
 }
 
 
@@ -18,17 +18,53 @@ package Cavil::ReportUtil;
 use Mojo::Base -strict, -signatures;
 
 use Exporter 'import';
-use List::Util 'uniq';
+use List::Util qw(uniq);
 use Mojo::Util;
 use Cavil::Licenses 'lic';
 
-our @EXPORT_OK = (qw(estimated_risk report_checksum report_shortname summary_delta summary_delta_score));
+our @EXPORT_OK
+  = (qw(estimated_risk incompatible_licenses report_checksum report_shortname summary_delta summary_delta_score));
+
+# For now we only watch out for GPL-2.0-only and Apache-2.0
+my $INCOMPATIBLE_LICENSE_RULES = [{licenses => ['GPL-2.0-only', 'Apache-2.0']}];
 
 sub estimated_risk ($risk, $match) {
   my $estimated = int(($risk * $match + 9 * (1 - $match)) + 0.5);
   return $match < 0.9 && $estimated <= 3 ? 4 : $estimated;
 }
 
+sub incompatible_licenses ($dig_report, $rules = $INCOMPATIBLE_LICENSE_RULES) {
+  return [] unless @$rules && (my $licenses = $dig_report->{licenses});
+
+  my @spdx = map { $_->{spdx} } grep { $_->{spdx} } values %$licenses;
+
+  my @regexes;
+  for my $rule (@$rules) {
+    push @regexes, [qr/\Q$_\E/i, $_] for @{$rule->{licenses}};
+  }
+
+  my %matches;
+  for my $spdx (@spdx) {
+    for my $pair (@regexes) {
+      next unless $spdx =~ $pair->[0];
+      $matches{$pair->[1]}++;
+    }
+  }
+
+  my @results;
+  for my $rule (@$rules) {
+    my $licenses = $rule->{licenses};
+    my $found    = 0;
+    for my $license (@$licenses) {
+      last unless $matches{$license};
+      $found++;
+    }
+    push @results, {licenses => [@$licenses]} if $found == @$licenses;
+  }
+
+  return \@results;
+}
+
 sub report_checksum ($specfile_report, $dig_report) {
 
   # Specfile license
@@ -56,6 +92,13 @@ sub report_checksum ($specfile_report, $dig_report) {
     $text .= "SNIPPET:$_\n" for uniq @all;
   }
 
+  # License incompatibilities
+  if (my $incompat = $dig_report->{incompatible_licenses}) {
+    for my $rule (@$incompat) {
+      $text .= "INCOMPAT:" . join(':', sort @{$rule->{licenses}}) . "\n";
+    }
+  }
+
   return Mojo::Util::md5_sum $text;
 }
 
@@ -68,6 +111,7 @@ sub report_shortname ($chksum, $specfile_report, $dig_report) {
     my $risk = $dig_report->{missed_files}{$file}[0];
     $max_risk = $risk if $risk > $max_risk;
   }
+  $max_risk = 9 if $dig_report->{incompatible_licenses} && @{$dig_report->{incompatible_licenses}};
 
   my $l = lic($specfile_report->{main}{license})->example;
   $l ||= 'Unknown';
@@ -114,6 +158,12 @@ sub summary_delta ($old, $new) {
     $text .= join("\n", @lines) . "\n\n";
   }
 
+  # License incompatibilities
+  if (my @licenses = _new_incompatibilities($old, $new)) {
+    my $licenses = join(', ', @licenses);
+    $text .= "  Found new possible license incompatibility involving: $licenses\n\n";
+  }
+
   return length $text ? "Diff to closest match $old->{id}:\n\n$text" : '';
 }
 
@@ -126,6 +176,9 @@ sub summary_delta_score ($old, $new) {
 
   my $score = 0;
 
+  # License incompatibilities
+  $score += 500 for _new_incompatibilities($old, $new);
+
   # New files with missed snippets (count)
   if (keys %{$new->{missed_snippets}} > keys %{$old->{missed_snippets}}) {
     $score += 250;
@@ -159,4 +212,17 @@ sub summary_delta_score ($old, $new) {
   return $score;
 }
 
+sub _new_incompatibilities ($old, $new) {
+  my @old_incompat = map { @{$_->{licenses}} } @{$old->{incompatible_licenses} || []};
+  my @new_incompat = uniq(map { @{$_->{licenses}} } @{$new->{incompatible_licenses} || []});
+  my %old          = map { $_ => 1 } @old_incompat;
+
+  my @new;
+  for my $lic (@new_incompat) {
+    push @new, $lic unless $old{$lic};
+  }
+
+  return @new;
+}
+
 1;
@@ -0,0 +1,102 @@
+# Copyright (C) 2025 SUSE LLC
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, see <http://www.gnu.org/licenses/>.
+
+use Mojo::Base -strict;
+
+use FindBin;
+use lib "$FindBin::Bin/lib";
+
+use Test::More;
+use Test::Mojo;
+use Cavil::Test;
+use Mojo::File qw(path);
+
+plan skip_all => 'set TEST_ONLINE to enable this test' unless $ENV{TEST_ONLINE};
+
+my $cavil_test = Cavil::Test->new(online => $ENV{TEST_ONLINE}, schema => 'incompatible_licenses_test');
+my $t          = Test::Mojo->new(Cavil => $cavil_test->default_config);
+$cavil_test->mojo_fixtures($t->app);
+
+# Add patterns for known incompatible licenses
+$t->app->pg->db->query('DELETE FROM license_patterns');
+$t->app->patterns->create(pattern => 'SPDX-License-Identifier: Apache-2.0',   license => 'Apache-2.0');
+$t->app->patterns->create(pattern => 'SPDX-License-Identifier: GPL-2.0-only', license => 'GPL-2.0-only');
+$t->app->pg->db->query('UPDATE license_patterns SET spdx = $1 WHERE license = $1', $_) for qw(Apache-2.0 GPL-2.0-only);
+
+# Add files with incompatible licenses
+my $pkg = $t->app->packages->find(1);
+my $dir = path($cavil_test->checkout_dir, $pkg->{name}, $pkg->{checkout_dir});
+$dir->child('apache_file.txt')->spurt("# SPDX-License-Identifier: Apache-2.0\n\nThis is a test file.\n");
+$dir->child('gpl2_file.txt')->spurt("# SPDX-License-Identifier: GPL-2.0-only\n\nThis is another test file.\n");
+
+# Unpack and index
+$t->app->minion->enqueue(unpack => [1]);
+$t->app->minion->perform_jobs;
+
+subtest 'GPL-2.0-only and Apache-2.0 detected as incompatible' => sub {
+  $t->get_ok('/login')->status_is(302)->header_is(Location => '/');
+
+  subtest 'Details after indexing' => sub {
+    $t->get_ok('/reviews/meta/1')
+      ->status_is(200)
+      ->json_like('/package_license/name', qr!Artistic-2.0!)
+      ->json_is('/package_license/spdx', 1)
+      ->json_like('/package_version', qr!7\.25!)
+      ->json_like('/package_summary', qr!Real-time web framework!)
+      ->json_like('/package_group',   qr!Development/Libraries/Perl!)
+      ->json_like('/package_url',     qr!http://search\.cpan\.org/dist/Mojolicious/!)
+      ->json_like('/state',           qr!new!)
+      ->json_is('/unpacked_files', 341)
+      ->json_is('/unpacked_size',  '2.5MiB');
+
+    $t->json_like('/package_files/0/file',       qr/perl-Mojolicious\.spec/)
+      ->json_like('/package_files/0/licenses/0', qr/Artistic-2.0/)
+      ->json_like('/package_files/0/version',    qr/7\.25/)
+      ->json_like('/package_files/0/sources/0',  qr/http:\/\/www\.cpan\.org/)
+      ->json_like('/package_files/0/summary',    qr/Real-time web framework/)
+      ->json_like('/package_files/0/url',        qr/http:\/\//)
+      ->json_like('/package_files/0/group',      qr/Development\/Libraries\/Perl/);
+
+    $t->json_is('/errors', [])->json_is('/warnings', []);
+  };
+
+  subtest 'JSON report' => sub {
+    $t->get_ok('/reviews/report/1.json')->status_is(200);
+    ok my $json = $t->tx->res->json, 'JSON response';
+
+    ok my $pkg = $json->{package}, 'package';
+    is $pkg->{id},   1,                  'id';
+    is $pkg->{name}, 'perl-Mojolicious', 'name';
+    like $pkg->{checksum}, qr!Artistic-2.0-9!, 'checksum with elevated risk because of incompatible licenses';
+    is $pkg->{state},  'new',                                                                 'state';
+    is $pkg->{notice}, 'Manual review is required because no previous reports are available', 'requires manual review';
+
+    ok my $report = $json->{report}, 'report';
+    is_deeply $report->{incompatible_licenses}, [{licenses => ['GPL-2.0-only', 'Apache-2.0']}], 'incompatible licenses';
+
+  };
+
+  subtest 'Text report' => sub {
+    $t->get_ok('/reviews/report/1.txt')->status_is(200);
+    ok my $text = $t->tx->res->text, 'text response';
+    like $text, qr/Elevated risk, package might contain incompatible licenses:/,
+      'text report contains warning about incompatible licenses';
+    like $text, qr/GPL-2.0-only, Apache-2.0/, 'text report lists incompatible licenses';
+  };
+
+  $t->get_ok('/logout')->status_is(302)->header_is(Location => '/');
+};
+
+done_testing;