chore: add new column concluded license into license export

Author: bxf12315

modules/fundamental/src/license/model/sbom_license.rs

@@ -1,8 +1,10 @@
 use sea_orm::FromQueryResult;
-use trustify_entity::qualified_purl::CanonicalPurl;
+use trustify_entity::{
+    labels::Labels, qualified_purl::CanonicalPurl, sbom_package_license::LicenseCategory,
+};
 use uuid::Uuid;
 
-#[derive(Debug, Clone, Default)]
+#[derive(Debug, Clone, PartialEq, Default)]
 pub struct SbomPackageLicense {
     pub name: String,
     pub group: Option<String>,
@@ -11,41 +13,70 @@ pub struct SbomPackageLicense {
     pub purl: Vec<Purl>,
     pub cpe: Vec<trustify_entity::cpe::Model>,
     /// List of all package license
-    pub license_text: Option<String>,
+    pub license_declared_text: Option<String>,
+    pub license_concluded_text: Option<String>,
 }
 
-#[derive(Debug, Clone, FromQueryResult)]
+#[derive(Debug, Clone, PartialEq, FromQueryResult)]
 pub struct Sbom {
     pub sbom_id: Uuid,
     pub node_id: String,
     pub sbom_namespace: String,
 }
 
-#[derive(Debug, Clone, FromQueryResult)]
+#[derive(Debug, Clone, PartialEq, FromQueryResult)]
 pub struct Purl {
     pub purl: CanonicalPurl,
 }
 
-#[derive(Debug, Clone, FromQueryResult)]
+#[derive(Debug, Clone, PartialEq, FromQueryResult)]
 pub struct SbomPackageLicenseBase {
     pub node_id: String,
     pub sbom_id: Uuid,
     pub name: String,
     pub group: Option<String>,
     pub version: Option<String>,
     pub license_text: Option<String>,
+    pub license_type: Option<LicenseCategory>,
 }
 
-#[derive(Debug, Clone, Default, FromQueryResult)]
+#[derive(Debug, Clone, Default, PartialEq, FromQueryResult)]
 pub struct SbomNameId {
     pub sbom_name: String,
     pub sbom_id: String,
+    pub labels: Labels,
 }
 
-#[derive(Debug, Clone, FromQueryResult)]
+#[derive(Debug, Clone, PartialEq, FromQueryResult)]
 pub struct ExtractedLicensingInfos {
     pub license_id: String,
     pub name: String,
     pub extracted_text: String,
     pub comment: String,
 }
+
+#[derive(Debug, Clone, PartialEq)]
+pub struct MergedSbomPackageLicense {
+    pub node_id: String,
+    pub sbom_id: Uuid,
+    pub name: String,
+    pub group: Option<String>,
+    pub version: Option<String>,
+    pub license_declared_text: Option<String>,
+    pub license_concluded_text: Option<String>,
+}
+
+impl MergedSbomPackageLicense {
+    pub fn apply_license(&mut self, license: &SbomPackageLicenseBase) {
+        if let Some(license_type) = &license.license_type {
+            match license_type {
+                LicenseCategory::Declared => {
+                    self.license_declared_text = license.license_text.clone();
+                }
+                LicenseCategory::Concluded => {
+                    self.license_concluded_text = license.license_text.clone();
+                }
+            }
+        }
+    }
+}

modules/fundamental/src/license/service/license_export.rs

@@ -111,7 +111,8 @@ impl LicenseExporter {
             "package version",
             "package purl",
             "package cpe",
-            "license",
+            "declared license",
+            "concluded license",
         ])?;
 
         for extracted_licensing_info in self.extracted_licensing_infos {
@@ -134,7 +135,7 @@ impl LicenseExporter {
             let purl_list = package
                 .purl
                 .into_iter()
-                .map(|purl| format!("{}", Purl::from(purl.purl)))
+                .map(|purl| format!("{}", Purl::from(purl.purl.clone())))
                 .collect::<Vec<_>>()
                 .join("\n");
 
@@ -146,7 +147,12 @@ impl LicenseExporter {
                 &package.version.unwrap_or_default(),
                 &purl_list,
                 &alternate_package_reference,
-                &package.license_text.unwrap_or_else(String::default),
+                &package
+                    .license_declared_text
+                    .unwrap_or_else(String::default),
+                &package
+                    .license_concluded_text
+                    .unwrap_or_else(String::default),
             ])?;
         }
 

modules/fundamental/src/license/service/mod.rs

@@ -3,33 +3,45 @@ use crate::{
     license::model::{
         SpdxLicenseDetails, SpdxLicenseSummary,
         sbom_license::{
-            ExtractedLicensingInfos, Purl, SbomNameId, SbomPackageLicense, SbomPackageLicenseBase,
+            ExtractedLicensingInfos, MergedSbomPackageLicense, Purl, SbomNameId,
+            SbomPackageLicense, SbomPackageLicenseBase,
         },
     },
 };
 use sea_orm::{ColumnTrait, ConnectionTrait, EntityTrait, QueryFilter, QuerySelect, RelationTrait};
 use sea_query::{Condition, JoinType};
+use std::collections::HashMap;
 use trustify_common::{
     db::query::Query,
     id::{Id, TrySelectForId},
     model::{Paginated, PaginatedResults},
 };
 use trustify_entity::{
     license, licensing_infos, qualified_purl, sbom, sbom_node, sbom_package, sbom_package_cpe_ref,
-    sbom_package_license::{self, LicenseCategory},
-    sbom_package_purl_ref,
+    sbom_package_license, sbom_package_purl_ref,
 };
+use uuid::Uuid;
 
 pub mod license_export;
 
 pub struct LicenseService {}
 
+#[derive(Debug, Clone)]
 pub struct LicenseExportResult {
     pub sbom_package_license: Vec<SbomPackageLicense>,
     pub extracted_licensing_infos: Vec<ExtractedLicensingInfos>,
     pub sbom_name_group_version: Option<SbomNameId>,
 }
 
+#[derive(Eq, Hash, PartialEq)]
+pub struct SbomPackageLicenseBasekey {
+    pub node_id: String,
+    pub sbom_id: Uuid,
+    pub name: String,
+    pub group: Option<String>,
+    pub version: Option<String>,
+}
+
 impl Default for LicenseService {
     fn default() -> Self {
         Self::new()
@@ -46,12 +58,13 @@ impl LicenseService {
         id: Id,
         connection: &C,
     ) -> Result<LicenseExportResult, Error> {
-        let name_version_group = sbom::Entity::find()
+        let name_version_group: Option<SbomNameId> = sbom::Entity::find()
             .try_filter(id.clone())?
             .join(JoinType::Join, sbom::Relation::SbomNode.def())
             .select_only()
             .column_as(sbom::Column::DocumentId, "sbom_id")
             .column_as(sbom_node::Column::Name, "sbom_name")
+            .column_as(sbom::Column::Labels, "labels")
             .into_model::<SbomNameId>()
             .one(connection)
             .await?;
@@ -68,23 +81,78 @@ impl LicenseService {
                 JoinType::InnerJoin,
                 sbom_package_license::Relation::License.def(),
             )
-            .filter(
-                Condition::all()
-                    .add(sbom_package_license::Column::LicenseType.eq(LicenseCategory::Declared)),
-            )
             .select_only()
             .column_as(sbom::Column::SbomId, "sbom_id")
             .column_as(sbom_package::Column::NodeId, "node_id")
             .column_as(sbom_node::Column::Name, "name")
             .column_as(sbom_package::Column::Group, "group")
             .column_as(sbom_package::Column::Version, "version")
             .column_as(license::Column::Text, "license_text")
+            .column_as(sbom_package_license::Column::LicenseType, "license_type")
             .into_model::<SbomPackageLicenseBase>()
             .all(connection)
             .await?;
 
+        fn merge_package_licenses_for_spdx(
+            package_licenses: Vec<SbomPackageLicenseBase>,
+        ) -> Vec<MergedSbomPackageLicense> {
+            let mut grouped: HashMap<SbomPackageLicenseBasekey, MergedSbomPackageLicense> =
+                HashMap::new();
+
+            for license in package_licenses {
+                let key = SbomPackageLicenseBasekey {
+                    node_id: license.node_id.clone(),
+                    sbom_id: license.sbom_id,
+                    name: license.name.clone(),
+                    group: license.group.clone(),
+                    version: license.version.clone(),
+                };
+
+                grouped
+                    .entry(key)
+                    .or_insert_with(|| MergedSbomPackageLicense {
+                        node_id: license.node_id.clone(),
+                        sbom_id: license.sbom_id,
+                        name: license.name.clone(),
+                        group: license.group.clone(),
+                        version: license.version.clone(),
+                        license_declared_text: None,
+                        license_concluded_text: None,
+                    })
+                    .apply_license(&license);
+            }
+            grouped.into_values().collect()
+        }
+
+        fn merge_package_licenses_for_cydx(
+            package_licenses: Vec<SbomPackageLicenseBase>,
+        ) -> Vec<MergedSbomPackageLicense> {
+            package_licenses
+                .into_iter()
+                .map(|cydx| MergedSbomPackageLicense {
+                    node_id: cydx.node_id,
+                    sbom_id: cydx.sbom_id,
+                    name: cydx.name,
+                    group: cydx.group,
+                    version: cydx.version,
+                    license_declared_text: cydx.license_text,
+                    license_concluded_text: None,
+                })
+                .collect()
+        }
+
+        let package_license_list = if let Some(nvg) = name_version_group.clone() {
+            if nvg.labels.0.get("type").map(String::as_str) == Some("spdx") {
+                merge_package_licenses_for_spdx(package_license)
+            } else {
+                merge_package_licenses_for_cydx(package_license)
+            }
+        } else {
+            merge_package_licenses_for_cydx(package_license)
+        };
+
         let mut sbom_package_list = Vec::new();
-        for spl in package_license {
+        for spl in package_license_list {
             let result_purl: Vec<Purl> = sbom_package_purl_ref::Entity::find()
                 .join(JoinType::Join, sbom_package_purl_ref::Relation::Purl.def())
                 .filter(
@@ -123,7 +191,8 @@ impl LicenseService {
                 version: spl.version,
                 purl: result_purl,
                 cpe: result_cpe,
-                license_text: spl.license_text,
+                license_declared_text: spl.license_declared_text,
+                license_concluded_text: spl.license_concluded_text,
             });
         }
         let license_info_list: Vec<ExtractedLicensingInfos> = licensing_infos::Entity::find()

modules/fundamental/tests/sbom/license.rs

@@ -58,6 +58,19 @@ async fn test_spdx(ctx: &TrustifyContext) -> Result<(), anyhow::Error> {
         sbom_package_license::Entity::find().all(&ctx.db).await?;
 
     assert_eq!(2084, license_result.sbom_package_license.len());
+
+    let package_license_result = license_result
+        .sbom_package_license
+        .iter()
+        .find(|sl| sl.name == "rubygem-bundler_ext");
+    assert_ne!(Option::None, package_license_result);
+    if let Some(plr) = package_license_result {
+        assert_eq!(Some("LicenseRef-0"), plr.license_declared_text.as_deref());
+        assert_eq!(
+            Some("Apache-2.0 AND MIT"),
+            plr.license_concluded_text.as_deref()
+        );
+    }
     assert_eq!(2084, sp.len());
     assert_eq!(4168, spl.len());
     assert_eq!(49, license_result.extracted_licensing_infos.len());
@@ -115,7 +128,9 @@ async fn test_license_export_spdx(ctx: &TrustifyContext) -> Result<(), anyhow::E
                 assert_eq!(1976, sbom_licenses.matches("pkg:npm/").count());
                 assert_eq!(2185, sbom_licenses.matches("pkg:golang/").count());
                 assert_eq!(1191, sbom_licenses.matches("pkg:rpm/").count());
-                assert_eq!(4664, sbom_licenses.matches("NOASSERTION").count());
+                assert_eq!(8972, sbom_licenses.matches("NOASSERTION").count());
+                assert_eq!(1, sbom_licenses.matches("declared license").count());
+                assert_eq!(1, sbom_licenses.matches("concluded license").count());
             }
             Ok(path) if path.file_name().unwrap_or_default() == "MTV-2.6_license_ref.csv" => {
                 licenses_ref_csv_found = true;