Add LicenseConcluded and Suppliers to ScannedComponent (#1684)

* Add LicenseConcluded and Suppliers to ScannedComponent

* further updates

* test update

* remove duped

* update comment

* pr feedback

* update casing

* pr feedback

Author: pauld-msft

docs/schema/manifest.schema.json

@@ -364,6 +364,27 @@
               "null"
             ]
           }
+        },
+        "licensesConcluded": {
+          "type": [
+            "array",
+            "null"
+          ],
+          "items": {
+            "type": [
+              "string",
+              "null"
+            ]
+          }
+        },
+        "suppliers": {
+          "type": [
+            "array",
+            "null"
+          ],
+          "items": {
+            "$ref": "#/definitions/ActorInfo"
+          }
         }
       },
       "required": [

src/Microsoft.ComponentDetection.Common/DependencyGraph/ComponentRecorder.cs

@@ -48,11 +48,38 @@ public IEnumerable<DetectedComponent> GetDetectedComponents()
             .GroupBy(x => x.Component.Id)
             .Select(grouping =>
             {
-                // We pick a winner here -- any stateful props could get lost at this point. Only stateful prop still outstanding is ContainerDetails.
+                // We pick a winner here -- any stateful props could get lost at this point.
                 var winningDetectedComponent = grouping.First();
+
+                HashSet<string> mergedLicenses = null;
+                HashSet<ActorInfo> mergedSuppliers = null;
+
                 foreach (var component in grouping.Skip(1))
                 {
                     winningDetectedComponent.ContainerDetailIds.UnionWith(component.ContainerDetailIds);
+
+                    // Defensive: merge in case different file recorders set different values for the same component.
+                    if (component.LicensesConcluded != null)
+                    {
+                        mergedLicenses ??= new HashSet<string>(winningDetectedComponent.LicensesConcluded ?? [], StringComparer.OrdinalIgnoreCase);
+                        mergedLicenses.UnionWith(component.LicensesConcluded);
+                    }
+
+                    if (component.Suppliers != null)
+                    {
+                        mergedSuppliers ??= new HashSet<ActorInfo>(winningDetectedComponent.Suppliers ?? []);
+                        mergedSuppliers.UnionWith(component.Suppliers);
+                    }
+                }
+
+                if (mergedLicenses != null)
+                {
+                    winningDetectedComponent.LicensesConcluded = mergedLicenses.Where(x => x != null).OrderBy(x => x, StringComparer.OrdinalIgnoreCase).ToList();
+                }
+
+                if (mergedSuppliers != null)
+                {
+                    winningDetectedComponent.Suppliers = mergedSuppliers.Where(s => s != null).OrderBy(s => s.Name).ThenBy(s => s.Type).ToList();
                 }
 
                 return winningDetectedComponent;

src/Microsoft.ComponentDetection.Contracts/BcdeModels/ScannedComponent.cs

@@ -40,4 +40,14 @@ public class ScannedComponent
 
     [JsonPropertyName("targetFrameworks")]
     public ISet<string> TargetFrameworks { get; set; }
+
+    [JsonProperty("licensesConcluded", NullValueHandling = NullValueHandling.Ignore)]
+    [JsonPropertyName("licensesConcluded")]
+    [System.Text.Json.Serialization.JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]
+    public IList<string> LicensesConcluded { get; set; }
+
+    [JsonProperty("suppliers", NullValueHandling = NullValueHandling.Ignore)]
+    [JsonPropertyName("suppliers")]
+    [System.Text.Json.Serialization.JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]
+    public IList<TypedComponent.ActorInfo> Suppliers { get; set; }
 }

src/Microsoft.ComponentDetection.Contracts/DetectedComponent.cs

@@ -68,6 +68,12 @@ public DetectedComponent(TypedComponent.TypedComponent component, IComponentDete
     /// <summary> Gets Target Frameworks where the component was consumed.</summary>
     public ConcurrentHashSet<string> TargetFrameworks { get; set; }
 
+    /// <summary>Gets or sets Licenses resolved/concluded (e.g., via ClearlyDefined or curation).</summary>
+    public IList<string> LicensesConcluded { get; set; }
+
+    /// <summary>Gets or sets the entity/entities that supplied/published this component.</summary>
+    public IList<TypedComponent.ActorInfo> Suppliers { get; set; }
+
     private string DebuggerDisplay => $"{this.Component.DebuggerDisplay}";
 
     /// <summary>Adds a filepath to the FilePaths hashset for this detected component.

src/Microsoft.ComponentDetection.Contracts/TypedComponent/ActorInfo.cs

@@ -11,7 +11,7 @@ namespace Microsoft.ComponentDetection.Contracts.TypedComponent;
 /// Aligned with SPDX 3.0.1 Agent subclasses.
 /// </summary>
 [JsonObject(MemberSerialization.OptOut, NamingStrategyType = typeof(CamelCaseNamingStrategy))]
-public class ActorInfo
+public class ActorInfo : IEquatable<ActorInfo>
 {
     [SystemTextJson.JsonPropertyName("name")]
     [SystemTextJson.JsonIgnore(Condition = SystemTextJson.JsonIgnoreCondition.WhenWritingNull)]
@@ -35,4 +35,46 @@ public class ActorInfo
     [SystemTextJson.JsonIgnore(Condition = SystemTextJson.JsonIgnoreCondition.WhenWritingNull)]
     [JsonProperty("type", NullValueHandling = NullValueHandling.Ignore)]
     public string? Type { get; set; }
+
+    /// <inheritdoc/>
+    public bool Equals(ActorInfo? other)
+    {
+        if (other is null)
+        {
+            return false;
+        }
+
+        if (ReferenceEquals(this, other))
+        {
+            return true;
+        }
+
+        return string.Equals(this.Name, other.Name, StringComparison.OrdinalIgnoreCase)
+            && string.Equals(this.Email, other.Email, StringComparison.OrdinalIgnoreCase)
+            && this.Url == other.Url
+            && string.Equals(this.Type, other.Type, StringComparison.OrdinalIgnoreCase);
+    }
+
+    /// <inheritdoc/>
+    public override bool Equals(object? obj) => this.Equals(obj as ActorInfo);
+
+    /// <summary>
+    /// Included so that merge operations and collections that rely on hash codes (e.g., HashSet)
+    /// will operate on ActorInfo instances based on value equality rather than reference equality.
+    /// Uses multiply-and-add (seed 17, factor 31) with <see cref="StringComparer.OrdinalIgnoreCase"/>
+    /// to stay consistent with the case-insensitive <see cref="Equals(ActorInfo)"/>.
+    /// </summary>
+    /// <returns>A hash code consistent with value-based equality.</returns>
+    public override int GetHashCode()
+    {
+        unchecked
+        {
+            var hash = 17;
+            hash = (hash * 31) + StringComparer.OrdinalIgnoreCase.GetHashCode(this.Name ?? string.Empty);
+            hash = (hash * 31) + StringComparer.OrdinalIgnoreCase.GetHashCode(this.Email ?? string.Empty);
+            hash = (hash * 31) + (this.Url?.GetHashCode() ?? 0);
+            hash = (hash * 31) + StringComparer.OrdinalIgnoreCase.GetHashCode(this.Type ?? string.Empty);
+            return hash;
+        }
+    }
 }

src/Microsoft.ComponentDetection.Orchestrator/Services/GraphTranslation/DefaultGraphTranslationService.cs

@@ -215,6 +215,9 @@ private DetectedComponent MergeComponents(IEnumerable<DetectedComponent> enumera
         // Multiple detected components for the same logical component id -- this happens when different files see the same component. This code should go away when we get all
         //  mutable data out of detected component -- we can just take any component.
         var firstComponent = enumerable.First();
+        HashSet<string> mergedLicenses = null;
+        HashSet<ActorInfo> mergedSuppliers = null;
+
         foreach (var nextComponent in enumerable.Skip(1))
         {
             foreach (var filePath in nextComponent.FilePaths ?? Enumerable.Empty<string>())
@@ -239,6 +242,28 @@ private DetectedComponent MergeComponents(IEnumerable<DetectedComponent> enumera
             }
 
             firstComponent.TargetFrameworks = MergeTargetFrameworks(firstComponent.TargetFrameworks, nextComponent.TargetFrameworks);
+
+            if (nextComponent.LicensesConcluded != null)
+            {
+                mergedLicenses ??= new HashSet<string>(firstComponent.LicensesConcluded ?? [], StringComparer.OrdinalIgnoreCase);
+                mergedLicenses.UnionWith(nextComponent.LicensesConcluded);
+            }
+
+            if (nextComponent.Suppliers != null)
+            {
+                mergedSuppliers ??= new HashSet<ActorInfo>(firstComponent.Suppliers ?? []);
+                mergedSuppliers.UnionWith(nextComponent.Suppliers);
+            }
+        }
+
+        if (mergedLicenses != null)
+        {
+            firstComponent.LicensesConcluded = mergedLicenses.Where(x => x != null).OrderBy(x => x, StringComparer.OrdinalIgnoreCase).ToList();
+        }
+
+        if (mergedSuppliers != null)
+        {
+            firstComponent.Suppliers = mergedSuppliers.Where(s => s != null).OrderBy(s => s.Name).ThenBy(s => s.Type).ToList();
         }
 
         return firstComponent;
@@ -316,6 +341,8 @@ private ScannedComponent ConvertToContract(DetectedComponent component)
             ContainerDetailIds = component.ContainerDetailIds,
             ContainerLayerIds = component.ContainerLayerIds,
             TargetFrameworks = component.TargetFrameworks?.ToHashSet(),
+            LicensesConcluded = component.LicensesConcluded,
+            Suppliers = component.Suppliers,
         };
     }
 }