Extract legal review notices from specfiles

Author: kraih

assets/vue/ReportMetadata.vue

@@ -288,6 +288,12 @@
         <li v-for="warning in warnings" :key="warning">{{ warning }}</li>
       </ul>
     </div>
+    <div v-if="legalReviewNotices.length > 0" id="spec-legal-review-notices" class="alert alert-success">
+      <p>Legal review notices from packagers:</p>
+      <ul>
+        <li v-for="notice in legalReviewNotices" :key="notice">{{ notice }}</li>
+      </ul>
+    </div>
     <div v-if="notice !== null" class="row">
       <div class="col mb-3">
         <div class="alert alert-info">
@@ -369,6 +375,7 @@ export default {
       fasttrackUrl: `/reviews/fasttrack_package/${this.pkgId}`,
       hasSpdxReport: false,
       history: [],
+      legalReviewNotices: [],
       notice: null,
       pkgAiAssisted: false,
       pkgChecksum: null,
@@ -413,6 +420,7 @@ export default {
       this.errors = data.errors;
       this.externalLink = externalLink({external_link: data.external_link});
       this.hasSpdxReport = data.has_spdx_report;
+      this.legalReviewNotices = data.legal_review_notices;
 
       this.actions = data.actions;
       for (const action of this.actions) {

lib/Cavil/Checkout.pm

@@ -433,8 +433,18 @@ sub _kiwifile ($file) {
 }
 
 sub _specfile ($file) {
-  my $info = {file => $file->basename, type => 'spec', licenses => [], sources => [], '%doc' => [], '%license' => []};
+  my $info = {
+    file                 => $file->basename,
+    type                 => 'spec',
+    licenses             => [],
+    sources              => [],
+    '%doc'               => [],
+    '%license'           => [],
+    legal_review_notices => []
+  };
   for my $line (split "\n", $file->slurp) {
+
+    # Standard metadata fields
     if    ($line =~ /^License:\s*(.+)\s*$/)        { push @{$info->{licenses}},   $1 }
     elsif ($line =~ /^Source(?:\d+)?:\s*(.+)\s*$/) { push @{$info->{sources}},    $1 }
     elsif ($line =~ /^\%doc\s*(.+)\s*$/)           { push @{$info->{'%doc'}},     $1 }
@@ -443,6 +453,9 @@ sub _specfile ($file) {
     elsif ($line =~ /^Summary:\s*(.+)\s*$/)        { $info->{summary} ||= $1 }
     elsif ($line =~ /^Group:\s*(.+)\s*$/)          { $info->{group}   ||= $1 }
     elsif ($line =~ /^Url:\s*(.+)\s*$/i)           { $info->{url}     ||= $1 }
+
+    # Legal review notices, non-standard but used in SUSE packages
+    elsif ($line =~ /^\s*#+\s*Legal-Review-Notice:\s*(.+)\s*$/i) { push @{$info->{legal_review_notices}}, $1 }
   }
 
   return $info;

lib/Cavil/Plugin/Helpers.pm

@@ -146,7 +146,7 @@ sub _package_summary ($c, $id) {
     push @$actions, $entry;
   }
 
-  my (%docs, %lics, @package_files);
+  my (%docs, %lics, @package_files, @legal_review_notices);
   for my $sub (@{$spec->{sub} // []}) {
     my $entry = {
       file     => $sub->{file},
@@ -164,40 +164,42 @@ sub _package_summary ($c, $id) {
     for my $line (@{$sub->{'%license'}}) {
       $lics{$_} = 1 for split(/ /, $line);
     }
+    push @legal_review_notices, @{$sub->{'legal_review_notices'} // []};
   }
 
   return {
-    actions           => $actions,
-    copied_files      => {'%doc' => [sort keys %docs], '%license' => [sort keys %lics]},
-    created           => $pkg->{created_epoch},
-    embargoed         => \!!$pkg->{embargoed},
-    ai_assisted       => \!!$pkg->{ai_assisted},
-    errors            => $spec->{errors} // [],
-    external_link     => $pkg->{external_link},
-    has_spdx_report   => \!!$has_spdx_report,
-    history           => $history,
-    id                => $pkg->{id},
-    notice            => $pkg->{notice},
-    package_checksum  => $pkg->{checkout_dir},
-    package_files     => \@package_files,
-    package_group     => $group,
-    package_license   => {name => $package_license, spdx => \!!$normalized_license},
-    package_name      => $pkg->{name},
-    package_priority  => $pkg->{priority},
-    package_shortname => $shortname,
-    package_summary   => $summary,
-    package_type      => $type,
-    package_url       => $url,
-    package_version   => $version,
-    products          => $products,
-    requests          => $requests,
-    result            => $pkg->{result},
-    reviewed          => $pkg->{reviewed_epoch},
-    reviewing_user    => $pkg->{login},
-    state             => $pkg->{state},
-    unpacked_files    => $pkg->{unpacked_files},
-    unpacked_size     => humanize_bytes($pkg->{unpacked_size} // 0),
-    warnings          => $spec->{warnings} // []
+    actions              => $actions,
+    copied_files         => {'%doc' => [sort keys %docs], '%license' => [sort keys %lics]},
+    created              => $pkg->{created_epoch},
+    embargoed            => \!!$pkg->{embargoed},
+    ai_assisted          => \!!$pkg->{ai_assisted},
+    errors               => $spec->{errors} // [],
+    external_link        => $pkg->{external_link},
+    has_spdx_report      => \!!$has_spdx_report,
+    history              => $history,
+    id                   => $pkg->{id},
+    legal_review_notices => \@legal_review_notices,
+    notice               => $pkg->{notice},
+    package_checksum     => $pkg->{checkout_dir},
+    package_files        => \@package_files,
+    package_group        => $group,
+    package_license      => {name => $package_license, spdx => \!!$normalized_license},
+    package_name         => $pkg->{name},
+    package_priority     => $pkg->{priority},
+    package_shortname    => $shortname,
+    package_summary      => $summary,
+    package_type         => $type,
+    package_url          => $url,
+    package_version      => $version,
+    products             => $products,
+    requests             => $requests,
+    result               => $pkg->{result},
+    reviewed             => $pkg->{reviewed_epoch},
+    reviewing_user       => $pkg->{login},
+    state                => $pkg->{state},
+    unpacked_files       => $pkg->{unpacked_files},
+    unpacked_size        => humanize_bytes($pkg->{unpacked_size} // 0),
+    warnings             => $spec->{warnings} // []
   };
 }
 

t/api.t

@@ -71,7 +71,7 @@ $routes->get('/source/:project/perl-Mojolicious' => [project => ['devel:language
     size="675142" mtime="1496988144" />
   <entry name="perl-Mojolicious.changes" md5="46c99c12bdce7adad475de28916975ef"
     size="81924" mtime="1496988145" />
-  <entry name="perl-Mojolicious.spec" md5="4d480d6329a7ea52f7bb3a479d72b8fe"
+  <entry name="perl-Mojolicious.spec" md5="efab031c960c314a31f39a4a5e68ca50"
     size="2420" mtime="1496988145" />
 </directory>
 EOF

t/embargo.t

@@ -64,7 +64,7 @@ get '/source/:project/perl-Mojolicious.SUSE_SLE-15-SP2_Update' => [project => ['
     size="675142" mtime="1496988144" />
   <entry name="perl-Mojolicious.changes" md5="46c99c12bdce7adad475de28916975ef"
     size="81924" mtime="1496988145" />
-  <entry name="perl-Mojolicious.spec" md5="4d480d6329a7ea52f7bb3a479d72b8fe"
+  <entry name="perl-Mojolicious.spec" md5="efab031c960c314a31f39a4a5e68ca50"
     size="2420" mtime="1496988145" />
 </directory>
 EOF

t/legal-bot/mixed/fffe100e5a9a3e7f6d1fd97512215282/mixed-more.spec

@@ -1,2 +1,5 @@
+ ###
+ ###  Legal-Review-Notice:  testing 123
+ ###
 Summary: Just a test
 License: MIT

t/legal-bot/mixed/fffe100e5a9a3e7f6d1fd97512215282/mixed.spec

@@ -1,2 +1,5 @@
 License: MIT AND BSD-3-Clause
+# legal-review-notice: hello
+# legal-review-notice: cavil!
 Summary: Just a test
+# Legal-Review-Notice: Proprietary video codecs are disabled

t/legal-bot/perl-Mojolicious/c7cfdab0e71b0bebfdf8b2dc3badfecd/perl-Mojolicious.spec

@@ -71,3 +71,7 @@ find . -type f ! -name \*.pl -print0 | xargs -0 chmod 644
 %license LICENSE
 
 %changelog
+
+#
+# Legal-Review-Notice: Upstream project maintained by SUSE employee
+#

t/manual_review.t

@@ -107,11 +107,12 @@ subtest 'Details after indexing' => sub {
     ->status_is(200)
     ->json_like('/package_license/name', qr!Artistic-2.0!)
     ->json_is('/package_license/spdx', 1)
-    ->json_like('/package_version', qr!7\.25!)
-    ->json_like('/package_summary', qr!Real-time web framework!)
-    ->json_like('/package_group',   qr!Development/Libraries/Perl!)
-    ->json_like('/package_url',     qr!http://search\.cpan\.org/dist/Mojolicious/!)
-    ->json_like('/state',           qr!new!)
+    ->json_like('/package_version',        qr!7\.25!)
+    ->json_like('/package_summary',        qr!Real-time web framework!)
+    ->json_like('/package_group',          qr!Development/Libraries/Perl!)
+    ->json_like('/package_url',            qr!http://search\.cpan\.org/dist/Mojolicious/!)
+    ->json_like('/state',                  qr!new!)
+    ->json_like('/legal_review_notices/0', qr!Upstream project maintained by SUSE employee!)
     ->json_is('/unpacked_files', 339)
     ->json_is('/unpacked_size',  '2.5MiB');
 

t/mcp_api.t

@@ -172,6 +172,7 @@ subtest 'MCP' => sub {
         like $text, qr/Priority:.+5/,                                                        'priority';
         like $text, qr/Created:.+/,                                                          'created';
         like $text, qr/Manual review is required because no previous reports are available/, 'system notice';
+        like $text, qr/Upstream project maintained by SUSE employee/,                        'legal review notice';
         like $text, qr/Elevated risk, package might contain incompatible licenses/,          'risk notice';
         like $text, qr/\* GPL-2.0-only: 1 file/,                                             'license summary';
         like $text, qr/- `gpl2_file.txt`/,                                                   'matched file';