feat(evaluator): Add the matcher PackageRule.hasConcludedLicense()

fviernau · fviernau · commit e1d45fb08d20 · 2025-04-01T12:50:40.000+02:00
This can be useful to reduce the severity for declared license mapping
issues, in case the package has a concluded license.

Note: Add a way to dynamically add a package to the `OrtResult` defined
in `TestData.kt` in order avoid enhancing that test data with the
details of this particular test.

Signed-off-by: Frank Viernau &lt;x9fviern@zeiss.com&gt;
diff --git a/evaluator/src/main/kotlin/PackageRule.kt b/evaluator/src/main/kotlin/PackageRule.kt
@@ -34,6 +34,7 @@ import org.ossreviewtoolkit.model.vulnerabilities.Cvss3Rating
 import org.ossreviewtoolkit.model.vulnerabilities.Cvss4Rating
 import org.ossreviewtoolkit.model.vulnerabilities.Vulnerability
 import org.ossreviewtoolkit.model.vulnerabilities.VulnerabilityReference
+import org.ossreviewtoolkit.utils.spdx.SpdxConstants
 import org.ossreviewtoolkit.utils.spdx.SpdxExpression
 import org.ossreviewtoolkit.utils.spdx.SpdxLicenseReferenceExpression
 
@@ -134,6 +135,19 @@ open class PackageRule(
             override fun matches() = resolvedLicenseInfo.licenses.any { it.license.isPresent() }
         }
 
+    /**
+     * A [RuleMatcher] that checks if the [package][pkg] has any concluded license.
+     */
+    fun hasConcludedLicense() =
+        object : RuleMatcher {
+            override val description = "hasConcludedLicense()"
+
+            override fun matches(): Boolean {
+                val concludedLicense = resolvedLicenseInfo.licenseInfo.concludedLicenseInfo.concludedLicense
+                return concludedLicense != null && concludedLicense.toString() != SpdxConstants.NOASSERTION
+            }
+        }
+
     /**
      * A [RuleMatcher] that checks if the [package][pkg] is [excluded][Excludes].
      */
diff --git a/evaluator/src/test/kotlin/PackageRuleTest.kt b/evaluator/src/test/kotlin/PackageRuleTest.kt
@@ -23,23 +23,29 @@ import io.kotest.core.spec.style.WordSpec
 import io.kotest.matchers.shouldBe
 
 import org.ossreviewtoolkit.model.CuratedPackage
+import org.ossreviewtoolkit.model.Identifier
 import org.ossreviewtoolkit.model.LicenseSource
+import org.ossreviewtoolkit.model.OrtResult
 import org.ossreviewtoolkit.model.Package
 import org.ossreviewtoolkit.model.licenses.ResolvedLicense
 import org.ossreviewtoolkit.model.licenses.ResolvedOriginalExpression
+import org.ossreviewtoolkit.utils.spdx.SpdxConstants
+import org.ossreviewtoolkit.utils.spdx.SpdxExpression.Strictness
 import org.ossreviewtoolkit.utils.spdx.SpdxLicenseIdExpression
 import org.ossreviewtoolkit.utils.spdx.SpdxSingleLicenseExpression
+import org.ossreviewtoolkit.utils.spdx.toSpdx
 
 class PackageRuleTest : WordSpec() {
-    private val ruleSet = ruleSet(ortResult)
+    private fun createPackageRule(pkg: Package): PackageRule {
+        val ruleSet = ruleSet(ortResult.addPackage(pkg))
 
-    private fun createPackageRule(pkg: Package) =
-        PackageRule(
+        return PackageRule(
             ruleSet = ruleSet,
             name = "test",
             pkg = CuratedPackage(pkg),
             resolvedLicenseInfo = ruleSet.licenseInfoResolver.resolveLicenseInfo(pkg.id)
         )
+    }
 
     private fun PackageRule.createLicenseRule(license: SpdxSingleLicenseExpression, licenseSource: LicenseSource) =
         LicenseRule(
@@ -98,6 +104,32 @@ class PackageRuleTest : WordSpec() {
             }
         }
 
+        "hasConcludedLicense()" should {
+            "return true if the concluded license is a license expression" {
+                val rule = createPackageRule(packageWithConcludedLicense("MIT"))
+
+                rule.hasConcludedLicense().matches() shouldBe true
+            }
+
+            "return true if the concluded license is ${SpdxConstants.NONE}" {
+                val rule = createPackageRule(packageWithConcludedLicense(SpdxConstants.NONE))
+
+                rule.hasConcludedLicense().matches() shouldBe true
+            }
+
+            "return false if the concluded license is ${SpdxConstants.NOASSERTION}" {
+                val rule = createPackageRule(packageWithConcludedLicense(SpdxConstants.NOASSERTION))
+
+                rule.hasConcludedLicense().matches() shouldBe false
+            }
+
+            "return false if the concluded license is null" {
+                val rule = createPackageRule(packageWithConcludedLicense(null))
+
+                rule.hasConcludedLicense().matches() shouldBe false
+            }
+        }
+
         "isExcluded()" should {
             "return true if the package is excluded" {
                 val rule = createPackageRule(packageExcluded)
@@ -243,3 +275,22 @@ class PackageRuleTest : WordSpec() {
         }
     }
 }
+
+private fun packageWithConcludedLicense(license: String?): Package =
+    Package.EMPTY.copy(
+        id = Identifier("Maven:some:package:0.0.1"),
+        concludedLicense = license?.toSpdx(Strictness.ALLOW_ANY)
+    )
+
+private fun OrtResult.addPackage(pkg: Package): OrtResult {
+    val analyzerResult = analyzer?.result ?: return this
+    if (pkg in analyzerResult.packages) return this
+
+    return copy(
+        analyzer = analyzer!!.copy(
+            result = analyzerResult.copy(
+                packages = analyzerResult.packages + pkg
+            )
+        )
+    )
+}
