feat(scanoss): Add extra information to snippets

The SCANOSS server provides endpoints to retrieve the related snippets
found, but the API call depends on the file hash which is not currently
provided. Add the file hash, URL, and source hash as `additionalData` to
address that.

Signed-off-by: Helio Chissini de Castro <helio.chissini.de.castro@cariad.technology>

Author: heliocastro

plugins/scanners/scanoss/src/main/kotlin/ScanOssResultParser.kt

@@ -158,11 +158,13 @@ private fun createSnippetFindings(details: ScanFileDetails, localFilePath: Strin
     val vcsInfo = VcsHost.parseUrl(url.takeUnless { it == "none" }.orEmpty())
     val provenance = RepositoryProvenance(vcsInfo, ".")
 
-    // Purls can be empty if only one entry is provided which is used as the primary purl.
-    val additionalData = if (purls.isNotEmpty()) {
-        mapOf("related_purls" to purls.joinToString(",") { it.trim() })
-    } else {
-        emptyMap()
+    val additionalData = buildMap {
+        put("file_hash", details.fileHash)
+        put("file_url", details.fileUrl)
+        put("source_hash", details.sourceHash)
+
+        // Purls can be empty if only one entry is provided which is used as the primary purl.
+        if (purls.isNotEmpty()) put("related_purls", purls.joinToString(",") { it.trim() })
     }
 
     // Convert both local and OSS line ranges to source locations.

plugins/scanners/scanoss/src/test/kotlin/ScanOssResultParserTest.kt

@@ -128,7 +128,12 @@ class ScanOssResultParserTest : WordSpec({
                                 "."
                             ),
                             "pkg:github/vdurmont/semver4j",
-                            SpdxExpression.parse("CC-BY-SA-2.0")
+                            SpdxExpression.parse("CC-BY-SA-2.0"),
+                            mapOf(
+                                "file_hash" to "6ff2427335b985212c9b79dfa795799f",
+                                "file_url" to "https://osskb.org/api/file_contents/6ff2427335b985212c9b79dfa795799f",
+                                "source_hash" to "bd4bff27f540f4f2c9de012acc4b48a3"
+                            )
                         )
                     )
                 )
@@ -157,6 +162,9 @@ class ScanOssResultParserTest : WordSpec({
                 // Verify related PURLs to be stored as additional data.
                 snippets.first().additionalData shouldBe
                     mapOf(
+                        "file_hash" to "581734935cfbe570d280a1265aaa2a6b",
+                        "file_url" to "https://api.scanoss.com/file_contents/581734935cfbe570d280a1265aaa2a6b",
+                        "source_hash" to "45dd1e50621a8a32f88fbe0251a470ab",
                         "related_purls" to "pkg:github/fake/fake_repository"
                     )
 

plugins/scanners/scanoss/src/test/kotlin/ScanOssScannerDirectoryTest.kt

@@ -113,7 +113,12 @@ class ScanOssScannerDirectoryTest : StringSpec({
                                 VcsInfo(VcsType.GIT, "https://github.com/scanoss/ort.git", ""), "."
                             ),
                             "pkg:github/scanoss/ort",
-                            SpdxExpression.parse("Apache-2.0")
+                            SpdxExpression.parse("Apache-2.0"),
+                            mapOf(
+                                "file_hash" to "871fb0c5188c2f620d9b997e225b0095",
+                                "file_url" to "https://osskb.org/api/file_contents/871fb0c5188c2f620d9b997e225b0095",
+                                "source_hash" to "2e91edbe430c4eb195a977d326d6d6c0"
+                            )
                         )
                     )
                 )