Removal of purl_license_assertions and cpe_license_assertions

[ctron]

With the current work on the license exporter feature, there will be a new table being added: sbom_package_license. This will contain a reference of an SBOM package/component to a license.

We currently have two similar tables: purl_license_assertion and cpe_license_assertion. Both capture the same information. However, instead of referencing the SBOM package/component, they reference PURLs and CPEs. But still, only make a statement in the context of an SBOM.

As we currently already have PURL and CPE aliases for SBOM packages/components, that doesn't seem to make much sense. For PURLs, there's actually the special case, that we only make a statement for a PURL without its qualifiers. Which might actually not be correct.

Proposal

We need to add the sbom_package_license table in any case. Otherwise we could not store license information for SBOM packages/components which neither have a PURL nor a CPE.

We drop the purl_license_assertion and cpe_license_assertion tables, as they are redundant and most likely bugged.

Implications

Simply dropping those tables would require us to also drop the endpoints making use of those tables. @bxf12315 anaylized this can came to the following conclusion:

1. The affected parts of the license service.13 The affected endpoints are [get("/v2/license/{uuid}")] and [get("/v2/license/{uuid}/purl")].6
2. The affected parts of purl service.4 The affect endpoint are [get("/v2/purl/{key}")].5

The question is, do we need those endpoints at the moment? Maybe a question to @carlosthe19916 @JimFuller-RedHat @jcrossley3

Plan A

If the answer to that is "no", then I would say we simply remove them. And add whatever we need in the future.

Plan B

If the answer to that is "yes", then I would say we drop those tables, and re-implement the logic using a table join between the sbom_package, purl/cpe (refs) and sbom_package_license tables.

This would have the impact that we need additional joins when doing a query, but we'd have less data stored.

I that case, I'd also say that we split the task into:

1. Adding the new table, implementing the license exporter
2. Dropping the purl_license_assert and cpe_license_assertion table, implementing the join

[carlosthe19916]

As far as I know the goal for the next release, as per compatibility with RHTPA 1.3.1, is only to have an endpoint to download the licenses for a particular SBOM. So having something like /api/v2/sbom/{id}/download-licenses is good enough. All the other related license endpoints are not yet used by the UI and will require appropriate planing after 2.0.

The affected parts of the license service.13 The affected endpoints are [get("/v2/license/{uuid}")] and [get("/v2/license/{uuid}/purl")].6
The affected parts of purl service.4 The affect endpoint are [get("/v2/purl/{key}")].5

Currently the UI does use /api/v2/purl/{key} for fetching the details of Purls and render data. I see the response of this endpoint contains a field licenses, but the UI does not have any use, yet, for that field. As long as only the field licenses is manipulated it won't have any impact on the UI.

[bxf12315]

Can you help me explain what 'PurlDetails' is? Where is it used? Thanks

[carlosthe19916]

The Search Page has a Tab called "Packages", If a user selects an element of that table then he is redirected to the Details Page of the selected element. /api/v2/purl/{key} is used for populating the details page of a Package.

[bxf12315]

Okay, the word "purl" here seems to mean "package." However, according to the new requirement from https://issues.redhat.com/browse/TC-1162, the license information needs to be displayed. Therefore, the licenses may not be removed.

[mrizzi]

@carlosthe19916 thanks for the feedback.

@bxf12315 it means it's safe now to move forward with:

• removing the get("/v2/license/{uuid}") and get("/v2/license/{uuid}/purl") endpoints
• hard coding an empty licenses field array in the /api/v2/purl/{key} endpoint
• dropping the purl_license_assert and cpe_license_assertion table tables and add the new sbom_package_license table

[mrizzi]

@bxf12315 re the endpoint, please use /api/v2/sbom/{id}/license-export

[mrizzi]

Done in #1331