fix(scanoss): Prevent duplicate licenses in SnippetFindings

Combine same licenses from different sources to avoid duplicates in scan
results.

Signed-off-by: Agustin Isasmendi <[email protected]>

Author: isasmendiagus

plugins/scanners/scanoss/src/main/kotlin/ScanOssResultParser.kt

@@ -144,9 +144,9 @@ private fun getSnippets(details: ScanFileDetails): Set<Snippet> {
     val url = requireNotNull(details.url)
     val purls = requireNotNull(details.purls)
 
-    val licenses = details.licenseDetails.orEmpty().mapTo(mutableSetOf()) { license ->
-        SpdxExpression.parse(license.name)
-    }
+    val license = details.licenseDetails.orEmpty()
+        .map { license -> SpdxExpression.parse(license.name) }
+        .toExpression()?.sorted() ?: SpdxLicenseIdExpression(SpdxConstants.NOASSERTION)
 
     val score = matched.substringBeforeLast("%").toFloat()
     val locations = convertLines(fileUrl, ossLines)
@@ -157,8 +157,6 @@ private fun getSnippets(details: ScanFileDetails): Set<Snippet> {
     return buildSet {
         purls.forEach { purl ->
             locations.forEach { snippetLocation ->
-                val license = licenses.toExpression()?.sorted() ?: SpdxLicenseIdExpression(SpdxConstants.NOASSERTION)
-
                 add(Snippet(score, snippetLocation, provenance, purl, license))
             }
         }

plugins/scanners/scanoss/src/test/kotlin/ScanOssResultParserTest.kt

@@ -27,6 +27,7 @@ import io.kotest.matchers.collections.containExactlyInAnyOrder
 import io.kotest.matchers.collections.haveSize
 import io.kotest.matchers.collections.shouldContain
 import io.kotest.matchers.should
+import io.kotest.matchers.shouldBe
 
 import java.time.Instant
 
@@ -38,7 +39,9 @@ import org.ossreviewtoolkit.model.SnippetFinding
 import org.ossreviewtoolkit.model.TextLocation
 import org.ossreviewtoolkit.model.VcsInfo
 import org.ossreviewtoolkit.model.VcsType
+import org.ossreviewtoolkit.utils.spdx.SpdxConstants
 import org.ossreviewtoolkit.utils.spdx.SpdxExpression
+import org.ossreviewtoolkit.utils.spdx.SpdxLicenseIdExpression
 import org.ossreviewtoolkit.utils.test.readResource
 
 class ScanOssResultParserTest : WordSpec({
@@ -131,5 +134,56 @@ class ScanOssResultParserTest : WordSpec({
                 )
             )
         }
+
+        "combine the same license from different sources into a single expression" {
+            // When the same license appears in multiple sources (like scancode and file_header),
+            // combine them into a single expression rather than duplicating.
+            val results = readResource("/scanoss-snippet-same-license-multiple-sources.json").let {
+                JsonUtils.toScanFileResultsFromObject(JsonUtils.toJsonObject(it))
+            }
+
+            val time = Instant.now()
+            val summary = generateSummary(time, time, results)
+
+            // Verify the snippet finding.
+            summary.snippetFindings should haveSize(1)
+            val snippet = summary.snippetFindings.first().snippets.first()
+
+            // Consolidate the license into a single expression
+            // even though it came from both "scancode" and "file_header" sources.
+            snippet.license shouldBe SpdxExpression.parse("LGPL-2.1-or-later")
+
+            // Preserve other snippet details correctly.
+            with(summary.snippetFindings.first()) {
+                sourceLocation.path shouldBe "src/check_error.c"
+                sourceLocation.startLine shouldBe 16
+                sourceLocation.endLine shouldBe 24
+            }
+        }
+
+        "handle empty license array with NOASSERTION" {
+            // When a component has an empty licenses array, use NOASSERTION.
+
+            val results = readResource("/scanoss-snippet-no-license-data.json").let {
+                JsonUtils.toScanFileResultsFromObject(JsonUtils.toJsonObject(it))
+            }
+
+            val time = Instant.now()
+            val summary = generateSummary(time, time, results)
+
+            // Verify the snippet finding.
+            summary.snippetFindings should haveSize(1)
+            val snippet = summary.snippetFindings.first().snippets.first()
+
+            // Use NOASSERTION when no licenses are provided.
+            snippet.license shouldBe SpdxLicenseIdExpression(SpdxConstants.NOASSERTION)
+
+            // Preserve other snippet details correctly.
+            with(summary.snippetFindings.first()) {
+                sourceLocation.path shouldBe "fake_file.c"
+                sourceLocation.startLine shouldBe 16
+                sourceLocation.endLine shouldBe 24
+            }
+        }
     }
 })

plugins/scanners/scanoss/src/test/resources/scanoss-snippet-no-license-data.json

@@ -0,0 +1,33 @@
+{
+  "fake_file.c": [
+    {
+      "component": "check",
+      "file": "fake_file.c",
+      "file_hash": "4597ef1de00849bb96d42e78f2cfc3a7",
+      "file_url": "https://api.scanoss.com/file_contents//4597ef1de00849bb96d42e78f2cfc3a7",
+      "id": "snippet",
+      "latest": "0.8.1",
+      "licenses": [],
+      "lines": "16-24",
+      "matched": "15%",
+      "oss_lines": "34-42",
+      "purl": [
+        "pkg:sourceforge/check"
+      ],
+      "release_date": "2002-03-02",
+      "server": {
+        "kb_version": {
+          "daily": "25.05.14",
+          "monthly": "25.04"
+        },
+        "version": "5.4.10"
+      },
+      "source_hash": "74c49597c2934e08b2ce8797f4aa7454",
+      "status": "pending",
+      "url": "https://sourceforge.net/projects/check",
+      "url_hash": "d81953e1dca4c498140c44f5d6fa92d6",
+      "vendor": "check",
+      "version": "0.8.1"
+    }
+  ]
+}

plugins/scanners/scanoss/src/test/resources/scanoss-snippet-same-license-multiple-sources.json

@@ -0,0 +1,54 @@
+{
+  "src/check_error.c": [
+    {
+      "component": "check",
+      "file": "src/check_error.c",
+      "file_hash": "4597ef1de00849bb96d42e78f2cfc3a7",
+      "file_url": "https://api.scanoss.com/file_contents//4597ef1de00849bb96d42e78f2cfc3a7",
+      "id": "snippet",
+      "latest": "0.8.1",
+      "licenses": [
+        {
+          "checklist_url": "https://www.osadl.org/fileadmin/checklists/unreflicenses/LGPL-2.1-or-later.txt",
+          "copyleft": "yes",
+          "incompatible_with": "Apache-1.0, Apache-1.1, Apache-2.0, BSD-4-Clause, BSD-4-Clause-UC, BSD-4.3TAHOE, ECL-2.0, FTL, IJG, LicenseRef-scancode-bsla-no-advert, Minpack, OpenSSL, PHP-3.01, Python-2.0, zlib-acknowledgement, XFree86-1.1",
+          "name": "LGPL-2.1-or-later",
+          "osadl_updated": "2025-02-10T14:26:00+0000",
+          "patent_hints": "yes",
+          "source": "scancode",
+          "url": "https://spdx.org/licenses/LGPL-2.1-or-later.html"
+        },
+        {
+          "checklist_url": "https://www.osadl.org/fileadmin/checklists/unreflicenses/LGPL-2.1-or-later.txt",
+          "copyleft": "yes",
+          "incompatible_with": "Apache-1.0, Apache-1.1, Apache-2.0, BSD-4-Clause, BSD-4-Clause-UC, BSD-4.3TAHOE, ECL-2.0, FTL, IJG, LicenseRef-scancode-bsla-no-advert, Minpack, OpenSSL, PHP-3.01, Python-2.0, zlib-acknowledgement, XFree86-1.1",
+          "name": "LGPL-2.1-or-later",
+          "osadl_updated": "2025-02-10T14:26:00+0000",
+          "patent_hints": "yes",
+          "source": "file_header",
+          "url": "https://spdx.org/licenses/LGPL-2.1-or-later.html"
+        }
+      ],
+      "lines": "16-24",
+      "matched": "15%",
+      "oss_lines": "34-42",
+      "purl": [
+        "pkg:sourceforge/check"
+      ],
+      "release_date": "2002-03-02",
+      "server": {
+        "kb_version": {
+          "daily": "25.05.14",
+          "monthly": "25.04"
+        },
+        "version": "5.4.10"
+      },
+      "source_hash": "74c49597c2934e08b2ce8797f4aa7454",
+      "status": "pending",
+      "url": "https://sourceforge.net/projects/check",
+      "url_hash": "d81953e1dca4c498140c44f5d6fa92d6",
+      "vendor": "check",
+      "version": "0.8.1"
+    }
+  ]
+}