fix(scanoss): Prevent duplicate licenses in SnippetFindings

Adds getUniqueLicenseExpression method to combine licenses while preventing
duplicates in the scan results

Signed-off-by: Agustin Isasmendi <[email protected]>

Author: isasmendiagus

plugins/scanners/scanoss/src/main/kotlin/ScanOssResultParser.kt

@@ -19,6 +19,7 @@
 
 package org.ossreviewtoolkit.plugins.scanners.scanoss
 
+import com.scanoss.dto.LicenseDetails
 import com.scanoss.dto.ScanFileDetails
 import com.scanoss.dto.ScanFileResult
 import com.scanoss.dto.enums.MatchType
@@ -36,7 +37,6 @@ import org.ossreviewtoolkit.model.TextLocation
 import org.ossreviewtoolkit.utils.spdx.SpdxConstants
 import org.ossreviewtoolkit.utils.spdx.SpdxExpression
 import org.ossreviewtoolkit.utils.spdx.SpdxLicenseIdExpression
-import org.ossreviewtoolkit.utils.spdx.toExpression
 
 /**
  * Generate a summary from the given SCANOSS [result], using [startTime], [endTime] as metadata. This variant can be
@@ -134,7 +134,7 @@ private fun getCopyrightFindings(details: ScanFileDetails): List<CopyrightFindin
 }
 
 /**
- * Get the snippet findings from the given [details]. If a snippet returned by ScanOSS contains several Purls,
+ * Get the snippet findings from the given [details]. If a snippet returned by SCANOSS contains several Purls,
  * several snippets are created in ORT each containing a single Purl.
  */
 private fun getSnippets(details: ScanFileDetails): Set<Snippet> {
@@ -144,9 +144,7 @@ private fun getSnippets(details: ScanFileDetails): Set<Snippet> {
     val url = requireNotNull(details.url)
     val purls = requireNotNull(details.purls)
 
-    val licenses = details.licenseDetails.orEmpty().mapTo(mutableSetOf()) { license ->
-        SpdxExpression.parse(license.name)
-    }
+    val license = getUniqueLicenseExpression(details.licenseDetails.toList())
 
     val score = matched.substringBeforeLast("%").toFloat()
     val locations = convertLines(fileUrl, ossLines)
@@ -157,8 +155,6 @@ private fun getSnippets(details: ScanFileDetails): Set<Snippet> {
     return buildSet {
         purls.forEach { purl ->
             locations.forEach { snippetLocation ->
-                val license = licenses.toExpression()?.sorted() ?: SpdxLicenseIdExpression(SpdxConstants.NOASSERTION)
-
                 add(Snippet(score, snippetLocation, provenance, purl, license))
             }
         }
@@ -178,3 +174,36 @@ private fun convertLines(file: String, lineRanges: String): List<TextLocation> =
             else -> throw IllegalArgumentException("Unsupported line range '$lineRange'.")
         }
     }
+
+/**
+ * Generates a unified SPDX license expression by combining multiple license declarations using the AND operator.
+ *
+ * During license scanning, components may have multiple license declarations from various sources
+ * (such as package manifests, SPDX tags, file headers, LICENSE files, or automated detection tools).
+ * This function creates a single, normalized SPDX expression that represents all discovered licenses.
+ *
+ *
+ * @param licensesDetails A list of LicenseDetails objects, each containing information about a
+ *        discovered license.
+ *
+ * @return A combined SpdxExpression using AND operator. If the input list is empty,
+ *         returns an SpdxLicenseIdExpression with the value "NOASSERTION".
+ *
+ * Note: The function removes duplicate licenses during processing through the simplify() method,
+ *       so identical licenses detected from multiple sources will appear only once in the final
+ *       expression.
+ *
+ * Example:
+ *   Input: [LicenseDetails("MIT"), LicenseDetails("Apache-2.0"), LicenseDetails("MIT")]
+ *   Output: SpdxExpression representing "MIT AND Apache-2.0" (duplicate MIT license is removed)
+ */
+fun getUniqueLicenseExpression(licensesDetails: List<LicenseDetails>): SpdxExpression {
+    if (licensesDetails.isEmpty()) {
+        return SpdxLicenseIdExpression(SpdxConstants.NOASSERTION)
+    }
+
+    return licensesDetails
+        .map { license -> SpdxExpression.parse(license.name) }
+        .reduce { acc, expr -> acc and expr }
+        .simplify()
+}

plugins/scanners/scanoss/src/test/kotlin/ScanOssResultParserTest.kt

@@ -19,6 +19,7 @@
 
 package org.ossreviewtoolkit.plugins.scanners.scanoss
 
+import com.scanoss.dto.LicenseDetails
 import com.scanoss.utils.JsonUtils
 
 import io.kotest.core.spec.style.WordSpec
@@ -27,6 +28,7 @@ import io.kotest.matchers.collections.containExactlyInAnyOrder
 import io.kotest.matchers.collections.haveSize
 import io.kotest.matchers.collections.shouldContain
 import io.kotest.matchers.should
+import io.kotest.matchers.shouldBe
 
 import java.io.File
 import java.time.Instant
@@ -39,9 +41,44 @@ import org.ossreviewtoolkit.model.SnippetFinding
 import org.ossreviewtoolkit.model.TextLocation
 import org.ossreviewtoolkit.model.VcsInfo
 import org.ossreviewtoolkit.model.VcsType
+import org.ossreviewtoolkit.utils.spdx.SpdxConstants
 import org.ossreviewtoolkit.utils.spdx.SpdxExpression
+import org.ossreviewtoolkit.utils.spdx.SpdxLicenseIdExpression
 
 class ScanOssResultParserTest : WordSpec({
+    "getUniqueLicenseDetails()" should {
+        "deduplicate complex license expressions" {
+            val uniqueLicenses = getUniqueLicenseExpression(
+                listOf(
+                    LicenseDetails.builder().name("MIT").build(),
+                    LicenseDetails.builder().name("MIT").build(),
+                    LicenseDetails.builder().name("GPL-2.0-only").build(),
+                    LicenseDetails.builder().name("GPL-2.0-only WITH Linux-syscall-note").build(),
+                    LicenseDetails.builder().name("GPL-2.0-only AND MIT").build()
+                )
+            )
+
+            val decomposed = uniqueLicenses.decompose().toList()
+
+            val expressionStrings = decomposed.map { it.toString() }
+
+            // Check that each license appears exactly once
+            expressionStrings.count { it == "MIT" } shouldBe 1
+            expressionStrings.count { it == "GPL-2.0-only" } shouldBe 1
+            expressionStrings.count { it == "GPL-2.0-only WITH Linux-syscall-note" } shouldBe 1
+
+            // Ensure no unexpected elements
+            expressionStrings.size shouldBe 3
+        }
+
+        "handle empty license list" {
+            val emptyLicenses = getUniqueLicenseExpression(listOf())
+
+            // Verify empty license list returns NOASSERTION
+            emptyLicenses shouldBe SpdxLicenseIdExpression(SpdxConstants.NOASSERTION)
+        }
+    }
+
     "generateSummary()" should {
         "properly summarize JUnit 4.12 findings" {
             val results = File("src/test/assets/scanoss-junit-4.12.json").readText().let {