feat: refactored license type management in CSV license export (#10)

Signed-off-by: mrizzi <[email protected]>

Author: mrizzi

entity/src/sbom_package_license.rs

@@ -27,7 +27,7 @@ pub enum Relation {
     License,
 }
 
-#[derive(Copy, Clone, Debug, Eq, PartialEq, EnumIter, DeriveActiveEnum)]
+#[derive(Copy, Clone, Debug, strum::Display, Eq, PartialEq, EnumIter, DeriveActiveEnum)]
 #[sea_orm(rs_type = "i32", db_type = "Integer")]
 pub enum LicenseCategory {
     Declared = 0,

modules/fundamental/src/license/model/sbom_license.rs

@@ -1,35 +1,33 @@
 use sea_orm::FromQueryResult;
-use trustify_entity::{
-    labels::Labels, qualified_purl::CanonicalPurl, sbom_package_license::LicenseCategory,
-};
+use trustify_entity::{qualified_purl::CanonicalPurl, sbom_package_license::LicenseCategory};
 use uuid::Uuid;
 
-#[derive(Debug, Clone, PartialEq, Default)]
+#[derive(Debug, Clone, Default)]
 pub struct SbomPackageLicense {
     pub name: String,
     pub group: Option<String>,
     pub version: Option<String>,
     /// package package URL
     pub purl: Vec<Purl>,
     pub cpe: Vec<trustify_entity::cpe::Model>,
-    /// List of all package license
-    pub license_declared_text: Option<String>,
-    pub license_concluded_text: Option<String>,
+    /// List of all package licenses with their types
+    pub license_text: Option<String>,
+    pub license_type: Option<LicenseCategory>,
 }
 
-#[derive(Debug, Clone, PartialEq, FromQueryResult)]
+#[derive(Debug, Clone, FromQueryResult)]
 pub struct Sbom {
     pub sbom_id: Uuid,
     pub node_id: String,
     pub sbom_namespace: String,
 }
 
-#[derive(Debug, Clone, PartialEq, FromQueryResult)]
+#[derive(Debug, Clone, FromQueryResult)]
 pub struct Purl {
     pub purl: CanonicalPurl,
 }
 
-#[derive(Debug, Clone, PartialEq, FromQueryResult)]
+#[derive(Debug, Clone, FromQueryResult)]
 pub struct SbomPackageLicenseBase {
     pub node_id: String,
     pub sbom_id: Uuid,
@@ -40,43 +38,16 @@ pub struct SbomPackageLicenseBase {
     pub license_type: Option<LicenseCategory>,
 }
 
-#[derive(Debug, Clone, Default, PartialEq, FromQueryResult)]
+#[derive(Debug, Clone, Default, FromQueryResult)]
 pub struct SbomNameId {
     pub sbom_name: String,
     pub sbom_id: String,
-    pub labels: Labels,
 }
 
-#[derive(Debug, Clone, PartialEq, FromQueryResult)]
+#[derive(Debug, Clone, FromQueryResult)]
 pub struct ExtractedLicensingInfos {
     pub license_id: String,
     pub name: String,
     pub extracted_text: String,
     pub comment: String,
 }
-
-#[derive(Debug, Clone, PartialEq)]
-pub struct MergedSbomPackageLicense {
-    pub node_id: String,
-    pub sbom_id: Uuid,
-    pub name: String,
-    pub group: Option<String>,
-    pub version: Option<String>,
-    pub license_declared_text: Option<String>,
-    pub license_concluded_text: Option<String>,
-}
-
-impl MergedSbomPackageLicense {
-    pub fn apply_license(&mut self, license: &SbomPackageLicenseBase) {
-        if let Some(license_type) = &license.license_type {
-            match license_type {
-                LicenseCategory::Declared => {
-                    self.license_declared_text = license.license_text.clone();
-                }
-                LicenseCategory::Concluded => {
-                    self.license_concluded_text = license.license_text.clone();
-                }
-            }
-        }
-    }
-}

modules/fundamental/src/license/service/license_export.rs

@@ -10,6 +10,7 @@ use csv::{Writer, WriterBuilder};
 use flate2::{Compression, write::GzEncoder};
 use tar::Builder;
 use trustify_common::purl::Purl;
+use trustify_entity::sbom_package_license::LicenseCategory;
 
 type CSVs = (Writer<Vec<u8>>, Writer<Vec<u8>>);
 
@@ -111,8 +112,8 @@ impl LicenseExporter {
             "package version",
             "package purl",
             "package cpe",
-            "declared license",
-            "concluded license",
+            "license",
+            "license type",
         ])?;
 
         for extracted_licensing_info in self.extracted_licensing_infos {
@@ -135,7 +136,7 @@ impl LicenseExporter {
             let purl_list = package
                 .purl
                 .into_iter()
-                .map(|purl| format!("{}", Purl::from(purl.purl.clone())))
+                .map(|purl| format!("{}", Purl::from(purl.purl)))
                 .collect::<Vec<_>>()
                 .join("\n");
 
@@ -147,12 +148,11 @@ impl LicenseExporter {
                 &package.version.unwrap_or_default(),
                 &purl_list,
                 &alternate_package_reference,
+                &package.license_text.unwrap_or_else(String::default),
                 &package
-                    .license_declared_text
-                    .unwrap_or_else(String::default),
-                &package
-                    .license_concluded_text
-                    .unwrap_or_else(String::default),
+                    .license_type
+                    .unwrap_or(LicenseCategory::Declared)
+                    .to_string(),
             ])?;
         }
 

modules/fundamental/src/license/service/mod.rs

@@ -3,14 +3,12 @@ use crate::{
     license::model::{
         SpdxLicenseDetails, SpdxLicenseSummary,
         sbom_license::{
-            ExtractedLicensingInfos, MergedSbomPackageLicense, Purl, SbomNameId,
-            SbomPackageLicense, SbomPackageLicenseBase,
+            ExtractedLicensingInfos, Purl, SbomNameId, SbomPackageLicense, SbomPackageLicenseBase,
         },
     },
 };
 use sea_orm::{ColumnTrait, ConnectionTrait, EntityTrait, QueryFilter, QuerySelect, RelationTrait};
 use sea_query::{Condition, JoinType};
-use std::collections::HashMap;
 use trustify_common::{
     db::query::Query,
     id::{Id, TrySelectForId},
@@ -20,28 +18,17 @@ use trustify_entity::{
     license, licensing_infos, qualified_purl, sbom, sbom_node, sbom_package, sbom_package_cpe_ref,
     sbom_package_license, sbom_package_purl_ref,
 };
-use uuid::Uuid;
 
 pub mod license_export;
 
 pub struct LicenseService {}
 
-#[derive(Debug, Clone)]
 pub struct LicenseExportResult {
     pub sbom_package_license: Vec<SbomPackageLicense>,
     pub extracted_licensing_infos: Vec<ExtractedLicensingInfos>,
     pub sbom_name_group_version: Option<SbomNameId>,
 }
 
-#[derive(Eq, Hash, PartialEq)]
-pub struct SbomPackageLicenseBasekey {
-    pub node_id: String,
-    pub sbom_id: Uuid,
-    pub name: String,
-    pub group: Option<String>,
-    pub version: Option<String>,
-}
-
 impl Default for LicenseService {
     fn default() -> Self {
         Self::new()
@@ -64,7 +51,6 @@ impl LicenseService {
             .select_only()
             .column_as(sbom::Column::DocumentId, "sbom_id")
             .column_as(sbom_node::Column::Name, "sbom_name")
-            .column_as(sbom::Column::Labels, "labels")
             .into_model::<SbomNameId>()
             .one(connection)
             .await?;
@@ -93,66 +79,8 @@ impl LicenseService {
             .all(connection)
             .await?;
 
-        fn merge_package_licenses_for_spdx(
-            package_licenses: Vec<SbomPackageLicenseBase>,
-        ) -> Vec<MergedSbomPackageLicense> {
-            let mut grouped: HashMap<SbomPackageLicenseBasekey, MergedSbomPackageLicense> =
-                HashMap::new();
-
-            for license in package_licenses {
-                let key = SbomPackageLicenseBasekey {
-                    node_id: license.node_id.clone(),
-                    sbom_id: license.sbom_id,
-                    name: license.name.clone(),
-                    group: license.group.clone(),
-                    version: license.version.clone(),
-                };
-
-                grouped
-                    .entry(key)
-                    .or_insert_with(|| MergedSbomPackageLicense {
-                        node_id: license.node_id.clone(),
-                        sbom_id: license.sbom_id,
-                        name: license.name.clone(),
-                        group: license.group.clone(),
-                        version: license.version.clone(),
-                        license_declared_text: None,
-                        license_concluded_text: None,
-                    })
-                    .apply_license(&license);
-            }
-            grouped.into_values().collect()
-        }
-
-        fn merge_package_licenses_for_cydx(
-            package_licenses: Vec<SbomPackageLicenseBase>,
-        ) -> Vec<MergedSbomPackageLicense> {
-            package_licenses
-                .into_iter()
-                .map(|cydx| MergedSbomPackageLicense {
-                    node_id: cydx.node_id,
-                    sbom_id: cydx.sbom_id,
-                    name: cydx.name,
-                    group: cydx.group,
-                    version: cydx.version,
-                    license_declared_text: cydx.license_text,
-                    license_concluded_text: None,
-                })
-                .collect()
-        }
-
-        let package_license_list = if let Some(nvg) = name_version_group.clone() {
-            if nvg.labels.0.get("type").map(String::as_str) == Some("spdx") {
-                merge_package_licenses_for_spdx(package_license)
-            } else {
-                merge_package_licenses_for_cydx(package_license)
-            }
-        } else {
-            merge_package_licenses_for_cydx(package_license)
-        };
-
         let mut sbom_package_list = Vec::new();
-        for spl in package_license_list {
+        for spl in package_license {
             let result_purl: Vec<Purl> = sbom_package_purl_ref::Entity::find()
                 .join(JoinType::Join, sbom_package_purl_ref::Relation::Purl.def())
                 .filter(
@@ -191,8 +119,8 @@ impl LicenseService {
                 version: spl.version,
                 purl: result_purl,
                 cpe: result_cpe,
-                license_declared_text: spl.license_declared_text,
-                license_concluded_text: spl.license_concluded_text,
+                license_text: spl.license_text,
+                license_type: spl.license_type,
             });
         }
         let license_info_list: Vec<ExtractedLicensingInfos> = licensing_infos::Entity::find()

modules/fundamental/tests/sbom/license.rs

@@ -4,6 +4,7 @@ use std::io::Read;
 use tar::Archive;
 use test_context::test_context;
 use test_log::test;
+use trustify_entity::sbom_package_license::LicenseCategory;
 use trustify_entity::{sbom_package, sbom_package_license};
 use trustify_module_fundamental::license::{
     model::sbom_license::SbomNameId,
@@ -57,20 +58,35 @@ async fn test_spdx(ctx: &TrustifyContext) -> Result<(), anyhow::Error> {
     let spl: Vec<sbom_package_license::Model> =
         sbom_package_license::Entity::find().all(&ctx.db).await?;
 
-    assert_eq!(2084, license_result.sbom_package_license.len());
+    assert_eq!(4168, license_result.sbom_package_license.len());
 
     let package_license_result = license_result
         .sbom_package_license
-        .iter()
-        .find(|sl| sl.name == "rubygem-bundler_ext");
-    assert_ne!(Option::None, package_license_result);
-    if let Some(plr) = package_license_result {
-        assert_eq!(Some("LicenseRef-0"), plr.license_declared_text.as_deref());
-        assert_eq!(
-            Some("Apache-2.0 AND MIT"),
-            plr.license_concluded_text.as_deref()
-        );
-    }
+        .into_iter()
+        .filter(|sl| sl.name == "rubygem-bundler_ext")
+        .collect::<Vec<_>>();
+    // there are 4 with the same name but different qualifiers: two has 'arch=src' and
+    // the other two have 'arch=noarch'.
+    // Each qualifier appears twice: once for the declared license and once for the concluded one.
+    assert_eq!(4, package_license_result.len());
+    assert_eq!(
+        2,
+        package_license_result
+            .iter()
+            .filter(|plr| plr.license_text == Some("LicenseRef-0".to_string())
+                && plr.license_type == Some(LicenseCategory::Declared))
+            .count()
+    );
+    assert_eq!(
+        2,
+        package_license_result
+            .iter()
+            .filter(
+                |plr| plr.license_text == Some("Apache-2.0 AND MIT".to_string())
+                    && plr.license_type == Some(LicenseCategory::Concluded)
+            )
+            .count()
+    );
     assert_eq!(2084, sp.len());
     assert_eq!(4168, spl.len());
     assert_eq!(49, license_result.extracted_licensing_infos.len());
@@ -100,7 +116,7 @@ async fn test_license_export_spdx(ctx: &TrustifyContext) -> Result<(), anyhow::E
         license_result.extracted_licensing_infos.clone(),
     );
     assert_eq!(45, license_result.extracted_licensing_infos.len());
-    assert_eq!(5388, license_result.sbom_package_license.len());
+    assert_eq!(10776, license_result.sbom_package_license.len());
 
     let compressed_data = exporter
         .generate()
@@ -117,20 +133,20 @@ async fn test_license_export_spdx(ctx: &TrustifyContext) -> Result<(), anyhow::E
                 licenses_csv_found = true;
                 let mut sbom_licenses = String::new();
                 entry.read_to_string(&mut sbom_licenses)?;
-                assert_eq!(10777, sbom_licenses.matches("MTV-2.6").count());
+                assert_eq!(21554, sbom_licenses.matches("MTV-2.6").count());
                 assert_eq!(
-                    5388,
+                    10776,
                     sbom_licenses
                         .matches("https://access.redhat.com/security/data/sbom/spdx/MTV-2.6")
                         .count()
                 );
-                assert_eq!(28, sbom_licenses.matches("pkg:oci/").count());
-                assert_eq!(1976, sbom_licenses.matches("pkg:npm/").count());
-                assert_eq!(2185, sbom_licenses.matches("pkg:golang/").count());
-                assert_eq!(1191, sbom_licenses.matches("pkg:rpm/").count());
+                assert_eq!(56, sbom_licenses.matches("pkg:oci/").count());
+                assert_eq!(3952, sbom_licenses.matches("pkg:npm/").count());
+                assert_eq!(4370, sbom_licenses.matches("pkg:golang/").count());
+                assert_eq!(2382, sbom_licenses.matches("pkg:rpm/").count());
                 assert_eq!(8972, sbom_licenses.matches("NOASSERTION").count());
-                assert_eq!(1, sbom_licenses.matches("declared license").count());
-                assert_eq!(1, sbom_licenses.matches("concluded license").count());
+                assert_eq!(5388, sbom_licenses.matches("Declared").count());
+                assert_eq!(5388, sbom_licenses.matches("Concluded").count());
             }
             Ok(path) if path.file_name().unwrap_or_default() == "MTV-2.6_license_ref.csv" => {
                 licenses_ref_csv_found = true;