feat(spdx): Allow to deduce the ORT id from a PURL

Add an option to deduce the ORT id of a project / package from a PURL,
if present. Enabling this allows to maintain e.g. package identifiers
during round-trip conversions. The faeture is disabled by default to
maintain backwards compatibility.

Signed-off-by: Sebastian Schuberth <sebastian@doubleopen.org>

Author: sschuberth

plugins/package-managers/spdx/src/main/kotlin/SpdxDocumentFile.kt

@@ -42,19 +42,24 @@ import org.ossreviewtoolkit.model.config.AnalyzerConfiguration
 import org.ossreviewtoolkit.model.config.Excludes
 import org.ossreviewtoolkit.model.config.Includes
 import org.ossreviewtoolkit.model.createAndLogIssue
+import org.ossreviewtoolkit.model.utils.toIdentifier
+import org.ossreviewtoolkit.model.utils.toPackageUrl
 import org.ossreviewtoolkit.plugins.api.OrtPlugin
+import org.ossreviewtoolkit.plugins.api.OrtPluginOption
 import org.ossreviewtoolkit.plugins.api.PluginConfig
 import org.ossreviewtoolkit.plugins.api.PluginDescriptor
 import org.ossreviewtoolkit.plugins.packagemanagers.spdx.utils.SpdxDocumentCache
 import org.ossreviewtoolkit.plugins.packagemanagers.spdx.utils.SpdxResolvedDocument
 import org.ossreviewtoolkit.plugins.packagemanagers.spdx.utils.extractScopeFromExternalReferences
 import org.ossreviewtoolkit.plugins.packagemanagers.spdx.utils.isExternalDocumentReferenceId
 import org.ossreviewtoolkit.plugins.packagemanagers.spdx.utils.locateCpe
+import org.ossreviewtoolkit.plugins.packagemanagers.spdx.utils.locateExternalReference
 import org.ossreviewtoolkit.plugins.packagemanagers.spdx.utils.mapNotPresentToEmpty
 import org.ossreviewtoolkit.plugins.packagemanagers.spdx.utils.projectPackage
 import org.ossreviewtoolkit.plugins.packagemanagers.spdx.utils.toIdentifier
 import org.ossreviewtoolkit.plugins.packagemanagers.spdx.utils.toPackage
 import org.ossreviewtoolkit.plugins.packagemanagers.spdx.utils.wrapPresentInSet
+import org.ossreviewtoolkit.utils.spdxdocument.model.SpdxExternalReference
 import org.ossreviewtoolkit.utils.spdxdocument.model.SpdxPackage
 import org.ossreviewtoolkit.utils.spdxdocument.model.SpdxRelationship
 
@@ -70,6 +75,11 @@ private val SPDX_LINKAGE_RELATIONSHIPS = mapOf(
 
 private val SPDX_SCOPE_RELATIONSHIPS = SpdxRelationship.Type.entries.filter { it.name.endsWith("_DEPENDENCY_OF") }
 
+data class SpdxDocumentFileConfig(
+    @OrtPluginOption(defaultValue = "false")
+    val deduceOrtIdFromPurl: Boolean
+)
+
 /**
  * A "fake" package manager implementation that uses SPDX documents as definition files to declare projects and describe
  * packages. See https://github.com/spdx/spdx-spec/issues/439 for details.
@@ -79,7 +89,10 @@ private val SPDX_SCOPE_RELATIONSHIPS = SpdxRelationship.Type.entries.filter { it
     description = "A package manager that uses SPDX documents as definition files.",
     factory = PackageManagerFactory::class
 )
-class SpdxDocumentFile(override val descriptor: PluginDescriptor = SpdxDocumentFileFactory.descriptor) :
+class SpdxDocumentFile(
+    override val descriptor: PluginDescriptor = SpdxDocumentFileFactory.descriptor,
+    private val config: SpdxDocumentFileConfig
+) :
     PackageManager(PROJECT_TYPE) {
     override val globsForDefinitionFiles = listOf("*.spdx.yml", "*.spdx.yaml", "*.spdx.json")
 
@@ -116,7 +129,8 @@ class SpdxDocumentFile(override val descriptor: PluginDescriptor = SpdxDocumentF
             val issues = mutableListOf<Issue>()
             getPackageManagerDependency(target, doc, analyzerConfig) ?: doc.getSpdxPackageForId(target, issues)
                 ?.let { dependency ->
-                    val ortPackage = dependency.toPackage(doc.getDefinitionFile(target), doc)
+                    val targetFile = doc.getDefinitionFile(target)
+                    val ortPackage = dependency.toPackage(targetFile, doc, config.deduceOrtIdFromPurl)
                     packages += ortPackage
 
                     PackageReference(
@@ -160,7 +174,8 @@ class SpdxDocumentFile(override val descriptor: PluginDescriptor = SpdxDocumentF
 
                     getPackageManagerDependency(source, doc, analyzerConfig) ?: doc.getSpdxPackageForId(source, issues)
                         ?.let { dependency ->
-                            val ortPackage = dependency.toPackage(doc.getDefinitionFile(source), doc)
+                            val sourceFile = doc.getDefinitionFile(source)
+                            val ortPackage = dependency.toPackage(sourceFile, doc, config.deduceOrtIdFromPurl)
                             packages += ortPackage
 
                             PackageReference(
@@ -269,8 +284,12 @@ class SpdxDocumentFile(override val descriptor: PluginDescriptor = SpdxDocumentF
             )
         )
 
+        val purlReference = projectPackage.locateExternalReference(SpdxExternalReference.Type.Purl)
+        val id = purlReference?.takeIf { config.deduceOrtIdFromPurl }?.run { toPackageUrl()?.toIdentifier() }
+            ?: projectPackage.toIdentifier(projectType)
+
         val project = Project(
-            id = projectPackage.toIdentifier(projectType),
+            id = id,
             cpe = projectPackage.locateCpe(),
             definitionFilePath = VersionControlSystem.getPathInfo(definitionFile).path,
             authors = projectPackage.originator.wrapPresentInSet(),

plugins/package-managers/spdx/src/main/kotlin/utils/SpdxExtensions.kt

@@ -33,6 +33,7 @@ import org.ossreviewtoolkit.model.RemoteArtifact
 import org.ossreviewtoolkit.model.VcsInfo
 import org.ossreviewtoolkit.model.VcsType
 import org.ossreviewtoolkit.model.orEmpty
+import org.ossreviewtoolkit.model.utils.toIdentifier
 import org.ossreviewtoolkit.model.utils.toPackageUrl
 import org.ossreviewtoolkit.model.utils.toPurl
 import org.ossreviewtoolkit.plugins.packagemanagers.spdx.PACKAGE_TYPE_SPDX
@@ -158,7 +159,11 @@ internal fun SpdxPackage.toIdentifier(type: String) =
 /**
  * Create a [Package] out of this [SpdxPackage].
  */
-internal fun SpdxPackage.toPackage(definitionFile: File?, doc: SpdxResolvedDocument): Package {
+internal fun SpdxPackage.toPackage(
+    definitionFile: File?,
+    doc: SpdxResolvedDocument,
+    deduceOrtIdFromPurl: Boolean
+): Package {
     val packageDescription = description.ifEmpty { summary }
 
     // If the VCS information cannot be determined from the VCS working tree itself, fall back to try getting it
@@ -173,10 +178,12 @@ internal fun SpdxPackage.toPackage(definitionFile: File?, doc: SpdxResolvedDocum
     val isBinaryArtifact = generatedFromRelations.any { it.spdxElementId == spdxId }
         && generatedFromRelations.none { it.relatedSpdxElement == spdxId }
 
-    val id = toIdentifier(PACKAGE_TYPE_SPDX)
-    val artifact = getRemoteArtifact()
+    val purlReference = locateExternalReference(SpdxExternalReference.Type.Purl)
+    val id = purlReference?.takeIf { deduceOrtIdFromPurl }?.run { toPackageUrl()?.toIdentifier() }
+        ?: toIdentifier(PACKAGE_TYPE_SPDX)
 
-    val purl = locateExternalReference(SpdxExternalReference.Type.Purl)
+    val artifact = getRemoteArtifact()
+    val purl = purlReference
         ?: artifact
             ?.let { if (it.hash.algorithm in HashAlgorithm.VERIFIABLE) it else it.copy(hash = Hash.NONE) }
             ?.let { id.toPurl(ArtifactProvenance(it)) }