feat(scanoss): Add snippet choice parsing for scan results

isasmendiagus · sschuberth · commit 77293c609b81 · 2025-05-07T17:27:48.000+02:00
Implement snippet choice processing functionality. It handles findings
according to two different scenarios:
- Original findings that should be included
- Non-relevant findings that should be removed

The implementation converts ORT's SnippetChoices into SCANOSS-specific rule
types.

Signed-off-by: Agustin Isasmendi &lt;agustin.isasmendi@scanoss.com&gt;
diff --git a/plugins/scanners/scanoss/src/main/kotlin/ScanOss.kt b/plugins/scanners/scanoss/src/main/kotlin/ScanOss.kt
@@ -21,6 +21,11 @@ package org.ossreviewtoolkit.plugins.scanners.scanoss
 
 import com.scanoss.Scanner
 import com.scanoss.filters.FilterConfig
+import com.scanoss.settings.Bom
+import com.scanoss.settings.RemoveRule
+import com.scanoss.settings.ReplaceRule
+import com.scanoss.settings.Rule
+import com.scanoss.settings.ScanossSettings
 import com.scanoss.utils.JsonUtils
 import com.scanoss.utils.PackageDetails
 
@@ -30,6 +35,9 @@ import java.time.Instant
 import org.apache.logging.log4j.kotlin.logger
 
 import org.ossreviewtoolkit.model.ScanSummary
+import org.ossreviewtoolkit.model.config.SnippetChoices
+import org.ossreviewtoolkit.model.config.snippet.SnippetChoice
+import org.ossreviewtoolkit.model.config.snippet.SnippetChoiceReason
 import org.ossreviewtoolkit.plugins.api.OrtPlugin
 import org.ossreviewtoolkit.plugins.api.PluginDescriptor
 import org.ossreviewtoolkit.scanner.PathScannerWrapper
@@ -87,6 +95,7 @@ class ScanOss(
 
         // Build the scanner at function level in case any path-specific settings or filters are needed later.
         val scanoss = scanossBuilder
+            .settings(buildSettingsFromORTContext(context))
             .filterConfig(filterConfig)
             .build()
 
@@ -99,4 +108,70 @@ class ScanOss(
         val endTime = Instant.now()
         return generateSummary(startTime, endTime, results)
     }
+
+    data class ProcessedRules(
+        val includeRules: List<Rule>,
+        val ignoreRules: List<Rule>,
+        val replaceRules: List<ReplaceRule>,
+        val removeRules: List<RemoveRule>
+    )
+
+    private fun buildSettingsFromORTContext(context: ScanContext): ScanossSettings {
+        val rules = processSnippetChoices(context.snippetChoices)
+        val bom = Bom.builder()
+            .ignore(rules.ignoreRules)
+            .include(rules.includeRules)
+            .replace(rules.replaceRules)
+            .remove(rules.removeRules)
+            .build()
+        return ScanossSettings.builder().bom(bom).build()
+    }
+
+    fun processSnippetChoices(snippetChoices: List<SnippetChoices>): ProcessedRules {
+        val includeRules = mutableListOf<Rule>()
+        val ignoreRules = mutableListOf<Rule>()
+        val replaceRules = mutableListOf<ReplaceRule>()
+        val removeRules = mutableListOf<RemoveRule>()
+
+        snippetChoices.forEach { snippetChoice ->
+            snippetChoice.choices.forEach { choice ->
+                when (choice.choice.reason) {
+                    SnippetChoiceReason.ORIGINAL_FINDING -> {
+                        includeRules.includeFinding(choice)
+                    }
+
+                    SnippetChoiceReason.NO_RELEVANT_FINDING -> {
+                        removeRules.removeFinding(choice)
+                    }
+
+                    SnippetChoiceReason.OTHER -> {
+                        logger.info {
+                            "Encountered OTHER reason for snippet choice in file ${choice.given.sourceLocation.path}"
+                        }
+                    }
+                }
+            }
+        }
+
+        return ProcessedRules(includeRules, ignoreRules, replaceRules, removeRules)
+    }
+
+    private fun MutableList<Rule>.includeFinding(choice: SnippetChoice) {
+        this += Rule.builder()
+            .purl(choice.choice.purl)
+            .path(choice.given.sourceLocation.path)
+            .build()
+    }
+
+    private fun MutableList<RemoveRule>.removeFinding(choice: SnippetChoice) {
+        this += RemoveRule.builder().apply {
+            path(choice.given.sourceLocation.path)
+
+            // Set line range only if both line positions (startLine and endLine) are known.
+            if (choice.given.sourceLocation.hasLineRange) {
+                startLine(choice.given.sourceLocation.startLine)
+                endLine(choice.given.sourceLocation.endLine)
+            }
+        }.build()
+    }
 }
diff --git a/plugins/scanners/scanoss/src/test/kotlin/ScanOssTest.kt b/plugins/scanners/scanoss/src/test/kotlin/ScanOssTest.kt
@@ -0,0 +1,193 @@
+/*
+ * Copyright (C) 2025 The ORT Project Authors (see <https://github.com/oss-review-toolkit/ort/blob/main/NOTICE>)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * License-Filename: LICENSE
+ */
+
+package org.ossreviewtoolkit.plugins.scanners.scanoss
+
+import io.kotest.core.spec.style.WordSpec
+import io.kotest.matchers.collections.beEmpty
+import io.kotest.matchers.collections.shouldBeSingleton
+import io.kotest.matchers.should
+import io.kotest.matchers.shouldBe
+
+import org.ossreviewtoolkit.model.TextLocation
+import org.ossreviewtoolkit.model.config.SnippetChoices
+import org.ossreviewtoolkit.model.config.snippet.Choice
+import org.ossreviewtoolkit.model.config.snippet.Given
+import org.ossreviewtoolkit.model.config.snippet.Provenance
+import org.ossreviewtoolkit.model.config.snippet.SnippetChoice
+import org.ossreviewtoolkit.model.config.snippet.SnippetChoiceReason
+
+// Sample files in the results.
+private const val FILE_1 = "a.java"
+private const val FILE_2 = "b.java"
+
+// A sample purl in the results.
+private const val PURL_1 = "pkg:github/fakeuser/fakepackage1@1.0.0"
+
+class ScanOssTest : WordSpec({
+    "processSnippetChoices()" should {
+        "create empty rules when no snippet choices exist" {
+            val scanoss = createScanOss(createScanOssConfig())
+
+            val emptySnippetChoices: List<SnippetChoices> = listOf()
+
+            val rules = scanoss.processSnippetChoices(emptySnippetChoices)
+
+            rules.ignoreRules should beEmpty()
+            rules.removeRules should beEmpty()
+            rules.includeRules should beEmpty()
+            rules.replaceRules should beEmpty()
+        }
+
+        "create an include rule for snippet choices with ORIGINAL finding" {
+            val vcsInfo = createVcsInfo()
+            val scanoss = createScanOss(createScanOssConfig())
+
+            val location = TextLocation(FILE_1, 10, 20)
+            val snippetChoices = createSnippetChoices(
+                vcsInfo.url,
+                createSnippetChoice(
+                    location,
+                    PURL_1,
+                    "This is an original finding"
+                )
+            )
+
+            val rules = scanoss.processSnippetChoices(snippetChoices)
+
+            rules.includeRules.shouldBeSingleton { rule ->
+                rule.purl shouldBe PURL_1
+                rule.path shouldBe FILE_1
+            }
+
+            rules.removeRules should beEmpty()
+            rules.ignoreRules should beEmpty()
+            rules.replaceRules should beEmpty()
+        }
+
+        "create a remove rule for snippet choices with NOT_FINDING reason" {
+            val vcsInfo = createVcsInfo()
+
+            val scanoss = createScanOss(createScanOssConfig())
+
+            val location = TextLocation(FILE_2, 15, 30)
+            val snippetChoices = createSnippetChoices(
+                vcsInfo.url,
+                createSnippetChoice(
+                    location,
+                    null, // null PURL for NOT_FINDING.
+                    "This is not a relevant finding"
+                )
+            )
+
+            val rules = scanoss.processSnippetChoices(snippetChoices)
+
+            rules.removeRules.shouldBeSingleton { rule ->
+                rule.path shouldBe FILE_2
+                rule.startLine shouldBe 15
+                rule.endLine shouldBe 30
+            }
+
+            rules.includeRules should beEmpty()
+            rules.ignoreRules should beEmpty()
+            rules.replaceRules should beEmpty()
+        }
+
+        "handle multiple snippet choices with different reasons correctly" {
+            val vcsInfo = createVcsInfo()
+            val scanoss = createScanOss(createScanOssConfig())
+
+            val location1 = TextLocation(FILE_1, 10, 20)
+            val location2 = TextLocation(FILE_2, 15, 30)
+
+            val snippetChoices = createSnippetChoices(
+                vcsInfo.url,
+                createSnippetChoice(
+                    location1,
+                    PURL_1,
+                    "This is an original finding"
+                ),
+                createSnippetChoice(
+                    location2,
+                    null,
+                    "This is not a relevant finding"
+                )
+            )
+
+            val rules = scanoss.processSnippetChoices(snippetChoices)
+
+            rules.includeRules.shouldBeSingleton { rule ->
+                rule.purl shouldBe PURL_1
+                rule.path shouldBe FILE_1
+            }
+
+            rules.removeRules.shouldBeSingleton { rule ->
+                rule.path shouldBe FILE_2
+                rule.startLine shouldBe 15
+                rule.endLine shouldBe 30
+            }
+
+            rules.ignoreRules should beEmpty()
+            rules.replaceRules should beEmpty()
+        }
+
+        "create a remove rule without line ranges when snippet choice has UNKNOWN_LINE (-1) values" {
+            val vcsInfo = createVcsInfo()
+            val scanoss = createScanOss(createScanOssConfig())
+
+            // Create a TextLocation with -1 for start and end lines.
+            val location = TextLocation(FILE_2, TextLocation.UNKNOWN_LINE, TextLocation.UNKNOWN_LINE)
+            val snippetChoices = createSnippetChoices(
+                vcsInfo.url,
+                createSnippetChoice(
+                    location,
+                    null, // null PURL for NOT_FINDING.
+                    "This is a not relevant finding with no line ranges"
+                )
+            )
+
+            val rules = scanoss.processSnippetChoices(snippetChoices)
+
+            rules.removeRules.shouldBeSingleton { rule ->
+                rule.path shouldBe FILE_2
+                rule.startLine shouldBe null
+                rule.endLine shouldBe null
+            }
+
+            rules.includeRules should beEmpty()
+            rules.ignoreRules should beEmpty()
+            rules.replaceRules should beEmpty()
+        }
+    }
+})
+
+private fun createSnippetChoices(provenanceUrl: String, vararg snippetChoices: SnippetChoice) =
+    listOf(SnippetChoices(Provenance(provenanceUrl), snippetChoices.asList()))
+
+private fun createSnippetChoice(location: TextLocation, purl: String? = null, comment: String) =
+    SnippetChoice(
+        Given(
+            location
+        ),
+        Choice(
+            purl,
+            if (purl == null) SnippetChoiceReason.NO_RELEVANT_FINDING else SnippetChoiceReason.ORIGINAL_FINDING,
+            comment
+        )
+    )
diff --git a/plugins/scanners/scanoss/src/test/kotlin/TestUtils.kt b/plugins/scanners/scanoss/src/test/kotlin/TestUtils.kt
@@ -0,0 +1,70 @@
+/*
+ * Copyright (C) 2025 The ORT Project Authors (see <https://github.com/oss-review-toolkit/ort/blob/main/NOTICE>)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * License-Filename: LICENSE
+ */
+
+package org.ossreviewtoolkit.plugins.scanners.scanoss
+
+import com.scanoss.rest.ScanApi
+
+import org.ossreviewtoolkit.model.VcsInfo
+import org.ossreviewtoolkit.model.VcsType
+import org.ossreviewtoolkit.plugins.api.Secret
+
+// A test project name.
+internal const val PROJECT = "scanoss-test-project"
+
+// A (resolved) test revision.
+private const val REVISION = "0123456789012345678901234567890123456789"
+
+/**
+ * Create a new [ScanOss] instance with the specified [config].
+ */
+internal fun createScanOss(config: ScanOssConfig): ScanOss = ScanOss(config = config)
+
+/**
+ * Create a standard [ScanOssConfig] whose properties can be partly specified.
+ */
+internal fun createScanOssConfig(
+    apiUrl: String = ScanApi.DEFAULT_BASE_URL,
+    apiKey: Secret = Secret(""),
+    regScannerName: String? = null,
+    minVersion: String? = null,
+    maxVersion: String? = null,
+    readFromStorage: Boolean = true,
+    writeToStorage: Boolean = true
+): ScanOssConfig =
+    ScanOssConfig(
+        apiUrl = apiUrl,
+        apiKey = apiKey,
+        regScannerName = regScannerName,
+        minVersion = minVersion,
+        maxVersion = maxVersion,
+        readFromStorage = readFromStorage,
+        writeToStorage = writeToStorage
+    )
+
+/**
+ * Create a [VcsInfo] object for a project with the given [name][projectName] and the optional parameters for [type],
+ * [path], and [revision].
+ */
+internal fun createVcsInfo(
+    projectName: String = PROJECT,
+    type: VcsType = VcsType.GIT,
+    path: String = "",
+    revision: String = REVISION
+): VcsInfo = VcsInfo(type = type, path = path, revision = revision, url = "https://github.com/test/$projectName.git")
