Merge pull request #29 from SemClone/feature/maven-parent-pom-resolution

oscarvalenzuelab · web-flow · commit 99c683714f12 · 2025-11-13T20:27:01.000-08:00
feat: Add Maven parent POM license resolution (v1.6.0)
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,74 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [1.6.0] - 2025-01-13
+
+### Added
+
+#### Maven Parent POM License Resolution + Source Header Detection
+
+**Problem:**
+Maven packages often don't declare licenses directly in their package POM - the license can be in:
+1. **Source file headers** (e.g., `// Licensed under Apache-2.0`)
+2. **Parent POM** (declared in parent but not in package POM)
+
+When `download_and_scan_package` analyzed such packages, it would miss one or both of these sources.
+
+**Solution:**
+Enhanced Maven-specific license resolution to check ALL three sources and combine results:
+
+**How it works:**
+1. **Source file headers**: osslili scans all source files for license headers → populates `detected_licenses`
+2. **Package POM**: upmex extracts metadata from package POM → populates `declared_license` (if present)
+3. **Parent POM** (Maven-specific): If no `declared_license`, automatically triggers upmex with `--registry --api clearlydefined` to query ClearlyDefined which resolves parent POM licenses
+4. **Combines results**: Parent POM license added to `detected_licenses` if not already there
+5. Updates result with `license_source: "parent_pom_via_clearlydefined"`
+
+**Examples:**
+
+**Scenario 1: License only in parent POM**
+```python
+download_and_scan_package(purl="pkg:maven/org.example/library@1.0.0")
+
+# Before (v1.5.8):
+#   declared_license: None
+#   detected_licenses: []
+
+# After (v1.6.0):
+#   declared_license: "Apache-2.0"  # From parent POM
+#   detected_licenses: ["Apache-2.0"]
+#   metadata.license_source: "parent_pom_via_clearlydefined"
+```
+
+**Scenario 2: Licenses in BOTH source headers AND parent POM**
+```python
+download_and_scan_package(purl="pkg:maven/org.example/another@2.0.0")
+
+# Result:
+#   declared_license: "Apache-2.0"  # From parent POM
+#   detected_licenses: ["MIT", "Apache-2.0"]  # MIT from source, Apache from parent
+#   scan_summary: "Deep scan completed. found 2 licenses. (includes parent POM license). ..."
+```
+
+**Changes:**
+- mcp_semclone/server.py:
+  * Added detailed 3-source license detection comment (lines 2059-2068)
+  * Maven parent POM resolution with ClearlyDefined API integration
+  * Combines parent POM license with source header licenses
+  * Enhanced summary showing "(includes parent POM license)"
+- Tool docstring: Documented Maven-specific behavior with all three sources
+- tests/test_server.py:
+  * Added test_maven_parent_pom_resolution (parent POM only)
+  * Added test_maven_combined_source_and_parent_pom_licenses (both sources)
+
+**Impact:**
+- ✅ Maven packages now report licenses from ALL sources (source headers + parent POM)
+- ✅ Source header licenses (MIT, BSD) combined with parent POM licenses (Apache-2.0)
+- ✅ Automatic detection - no user configuration needed
+- ✅ Transparent tracking with `license_source` metadata field
+- ✅ Enhanced summary indicates when parent POM was used
+- ✅ Falls back gracefully if parent POM resolution fails
+
 ## [1.5.8] - 2025-01-13
 
 ### Fixed & Redesigned
diff --git a/examples/strands-agent-ollama/requirements.txt b/examples/strands-agent-ollama/requirements.txt
@@ -2,7 +2,7 @@
 # Python 3.10+ required
 
 # MCP server with SEMCL.ONE compliance tools
-mcp-semclone>=1.5.8
+mcp-semclone>=1.6.0
 
 # MCP SDK for connecting to MCP servers
 mcp>=1.0.0
diff --git a/mcp_semclone/__init__.py b/mcp_semclone/__init__.py
@@ -1,5 +1,5 @@
 """MCP SEMCL.ONE - Model Context Protocol server for OSS compliance."""
 
-__version__ = "1.5.8"
+__version__ = "1.6.0"
 __author__ = "Oscar Valenzuela B."
 __email__ = "oscar.valenzuela.b@gmail.com"
diff --git a/mcp_semclone/server.py b/mcp_semclone/server.py
@@ -1841,14 +1841,16 @@ async def download_and_scan_package(
     **Workflow (tries methods in order until sufficient data is collected):**
     1. **Primary**: Use purl2notices to download and analyze (fastest, most comprehensive)
     2. **Deep scan**: If incomplete, use purl2src to get download URL → download artifact → run osslili for deep license scanning + upmex for metadata
+       - **Maven-specific**: If license still missing for Maven packages, uses upmex with --registry --api clearlydefined to resolve parent POM licenses
     3. **Online fallback**: If still incomplete, use upmex --api clearlydefined/purldb for online metadata
 
     **What this tool does:**
     - Downloads the actual package source code from npm/PyPI/Maven/etc registries
     - Performs comprehensive license and copyright analysis
     - Extracts package metadata (name, version, homepage, description)
-    - Scans ALL source files for embedded licenses (not just package.json/setup.py)
+    - Scans ALL source files for embedded licenses (not just package.json/setup.py/pom.xml)
     - Returns copyright statements found in actual source code
+    - **Maven packages**: Automatically resolves parent POM licenses when not declared in package POM
 
     **When to use this tool:**
     - Package metadata is incomplete or missing (e.g., "UNKNOWN" license in PyPI)
@@ -2054,10 +2056,57 @@ async def download_and_scan_package(
                                 result["declared_license"] = upmex_data["license"]
                             logger.info(f"upmex metadata extracted")
 
+                        # MAVEN SPECIFIC: Check parent POM for declared license
+                        # License can be in:
+                        # 1. Source file headers (already checked by osslili → detected_licenses)
+                        # 2. Package POM (already checked by upmex → declared_license)
+                        # 3. Parent POM (need to check with --registry --api clearlydefined)
+                        #
+                        # We check parent POM if:
+                        # - No declared_license found in package POM, OR
+                        # - We have detected_licenses from source but no official declaration
+                        if purl.startswith("pkg:maven/") and not result["declared_license"]:
+                            logger.info(f"Maven package missing declared license (may have detected licenses from source), checking parent POM")
+                            try:
+                                upmex_maven_result = _run_tool("upmex", [
+                                    "extract",
+                                    str(download_file),
+                                    "--format", "json",
+                                    "--registry",
+                                    "--api", "clearlydefined"
+                                ])
+
+                                if upmex_maven_result.returncode == 0 and upmex_maven_result.stdout:
+                                    maven_data = json.loads(upmex_maven_result.stdout)
+                                    if maven_data.get("license"):
+                                        result["declared_license"] = maven_data["license"]
+                                        result["metadata"]["license"] = maven_data["license"]
+                                        result["metadata"]["license_source"] = "parent_pom_via_clearlydefined"
+
+                                        # Add to detected_licenses if not already there
+                                        if maven_data["license"] not in result["detected_licenses"]:
+                                            result["detected_licenses"].append(maven_data["license"])
+
+                                        logger.info(f"Maven parent POM license found: {maven_data['license']}")
+                                        if result["detected_licenses"]:
+                                            logger.info(f"Combined with source header licenses: {result['detected_licenses']}")
+                            except Exception as e:
+                                logger.warning(f"Maven parent POM resolution failed: {e}")
+
                         # If we got data from deep scan, mark as successful
                         if result["detected_licenses"] or result["metadata"]:
                             result["method_used"] = "deep_scan"
-                            result["scan_summary"] = f"Deep scan completed. Downloaded and analyzed with osslili + upmex. Found {len(result['detected_licenses'])} licenses and {len(result['copyright_statements'])} copyrights."
+
+                            # Build summary showing license sources
+                            summary_parts = ["Deep scan completed"]
+                            if result["detected_licenses"]:
+                                summary_parts.append(f"found {len(result['detected_licenses'])} licenses")
+                                if result["metadata"].get("license_source") == "parent_pom_via_clearlydefined":
+                                    summary_parts.append("(includes parent POM license)")
+                            if result["copyright_statements"]:
+                                summary_parts.append(f"{len(result['copyright_statements'])} copyrights")
+
+                            result["scan_summary"] = ". ".join(summary_parts) + "."
                             return result
 
                     elif fallback_cmd:
diff --git a/pyproject.toml b/pyproject.toml
@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "mcp-semclone"
-version = "1.5.8"
+version = "1.6.0"
 description = "Model Context Protocol server for SEMCL.ONE OSS compliance toolchain"
 readme = "README.md"
 requires-python = ">=3.10"
diff --git a/tests/test_server.py b/tests/test_server.py
@@ -727,3 +727,142 @@ async def test_keep_download(self):
 
             # Verify cleanup was NOT called (keep_download=True)
             mock_rmtree.assert_not_called()
+
+    @pytest.mark.asyncio
+    async def test_maven_parent_pom_resolution(self):
+        """Test Maven parent POM license resolution when package POM has no license."""
+        # Mock purl2src output for Maven package
+        purl2src_data = [{
+            "purl": "pkg:maven/org.example/library@1.0.0",
+            "download_url": "https://repo1.maven.org/maven2/org/example/library/1.0.0/library-1.0.0.jar",
+            "validated": True
+        }]
+
+        # Mock osslili output (no licenses found in JAR)
+        osslili_data = {
+            "components": []
+        }
+
+        # Mock upmex output (no license in package POM)
+        upmex_no_license = {
+            "name": "library",
+            "version": "1.0.0"
+            # No license field
+        }
+
+        # Mock upmex with --registry --api clearlydefined (finds parent POM license)
+        upmex_with_parent = {
+            "name": "library",
+            "version": "1.0.0",
+            "license": "Apache-2.0"  # Found in parent POM
+        }
+
+        with patch("mcp_semclone.server._run_tool") as mock_run, \
+             patch("urllib.request.urlretrieve") as mock_download, \
+             patch("tempfile.mkdtemp", return_value="/tmp/test"), \
+             patch("pathlib.Path.exists", return_value=True), \
+             patch("shutil.rmtree"):
+
+            call_count = {"upmex": 0}
+
+            def run_tool_side_effect(tool_name, args, *a, **kw):
+                if tool_name == "purl2notices":
+                    # purl2notices fails
+                    return MagicMock(returncode=1, stdout="", stderr="failed")
+                elif tool_name == "purl2src":
+                    return MagicMock(returncode=0, stdout=json.dumps(purl2src_data))
+                elif tool_name == "osslili":
+                    return MagicMock(returncode=0, stdout=json.dumps(osslili_data))
+                elif tool_name == "upmex":
+                    call_count["upmex"] += 1
+                    # First call: no license
+                    if call_count["upmex"] == 1:
+                        return MagicMock(returncode=0, stdout=json.dumps(upmex_no_license))
+                    # Second call with --registry --api: has license from parent POM
+                    elif "--registry" in args and "--api" in args:
+                        return MagicMock(returncode=0, stdout=json.dumps(upmex_with_parent))
+                return MagicMock(returncode=1, stdout="")
+
+            mock_run.side_effect = run_tool_side_effect
+
+            result = await server_module.download_and_scan_package(
+                purl="pkg:maven/org.example/library@1.0.0"
+            )
+
+            # Verify Maven parent POM resolution was triggered
+            assert result["declared_license"] == "Apache-2.0"
+            assert result["metadata"].get("license") == "Apache-2.0"
+            assert result["metadata"].get("license_source") == "parent_pom_via_clearlydefined"
+            
+            # Verify upmex was called twice (once normal, once with --registry --api)
+            assert call_count["upmex"] == 2
+
+    @pytest.mark.asyncio
+    async def test_maven_combined_source_and_parent_pom_licenses(self):
+        """Test Maven package with licenses in both source headers AND parent POM."""
+        # Mock purl2src output
+        purl2src_data = [{
+            "purl": "pkg:maven/org.example/library@1.0.0",
+            "download_url": "https://repo1.maven.org/maven2/org/example/library/1.0.0/library-1.0.0.jar",
+            "validated": True
+        }]
+
+        # Mock osslili output (finds MIT in source file headers)
+        osslili_data = {
+            "components": [{
+                "licenses": [{"license": {"id": "MIT"}}],
+                "properties": [{"name": "copyright", "value": "Copyright 2024"}]
+            }]
+        }
+
+        # Mock upmex output (no license in package POM)
+        upmex_no_license = {
+            "name": "library",
+            "version": "1.0.0"
+        }
+
+        # Mock upmex with --registry --api (finds Apache-2.0 in parent POM)
+        upmex_with_parent = {
+            "name": "library",
+            "version": "1.0.0",
+            "license": "Apache-2.0"
+        }
+
+        with patch("mcp_semclone.server._run_tool") as mock_run, \
+             patch("urllib.request.urlretrieve"), \
+             patch("tempfile.mkdtemp", return_value="/tmp/test"), \
+             patch("pathlib.Path.exists", return_value=True), \
+             patch("shutil.rmtree"):
+
+            call_count = {"upmex": 0}
+
+            def run_tool_side_effect(tool_name, args, *a, **kw):
+                if tool_name == "purl2notices":
+                    return MagicMock(returncode=1, stdout="", stderr="failed")
+                elif tool_name == "purl2src":
+                    return MagicMock(returncode=0, stdout=json.dumps(purl2src_data))
+                elif tool_name == "osslili":
+                    return MagicMock(returncode=0, stdout=json.dumps(osslili_data))
+                elif tool_name == "upmex":
+                    call_count["upmex"] += 1
+                    if call_count["upmex"] == 1:
+                        return MagicMock(returncode=0, stdout=json.dumps(upmex_no_license))
+                    elif "--registry" in args and "--api" in args:
+                        return MagicMock(returncode=0, stdout=json.dumps(upmex_with_parent))
+                return MagicMock(returncode=1, stdout="")
+
+            mock_run.side_effect = run_tool_side_effect
+
+            result = await server_module.download_and_scan_package(
+                purl="pkg:maven/org.example/library@1.0.0"
+            )
+
+            # Verify BOTH licenses are present
+            assert result["declared_license"] == "Apache-2.0"  # From parent POM
+            assert "MIT" in result["detected_licenses"]  # From source headers
+            assert "Apache-2.0" in result["detected_licenses"]  # Added from parent POM
+            assert len(result["detected_licenses"]) == 2  # Both licenses
+            assert result["metadata"].get("license_source") == "parent_pom_via_clearlydefined"
+            
+            # Verify summary mentions parent POM
+            assert "parent pom" in result["scan_summary"].lower()
