Review comments

spoorcc · spoorcc · commit ab6bbb3c7e88 · 2026-04-10T20:33:47.000Z
diff --git a/dfetch/reporting/sbom_reporter.py b/dfetch/reporting/sbom_reporter.py
@@ -108,6 +108,7 @@
 """
 
 from decimal import Decimal
+from importlib.metadata import PackageNotFoundError
 from importlib.metadata import version as pkg_version
 
 from cyclonedx.builder.this import this_component as cdx_lib_component
@@ -140,6 +141,7 @@
 from dfetch.manifest.manifest import Manifest
 from dfetch.manifest.project import ProjectEntry
 from dfetch.reporting.reporter import Reporter
+from dfetch.util.license import License as DfetchLicense
 from dfetch.util.license import LicenseScanResult
 from dfetch.util.purl import vcs_url_to_purl
 from dfetch.vcs.archive import archive_url_to_purl, is_archive_url
@@ -152,7 +154,10 @@
 
 
 #: Version of the *infer-license* library used for license text analysis.
-INFER_LICENSE_VERSION: str = pkg_version("infer-license")
+try:
+    INFER_LICENSE_VERSION: str = pkg_version("infer-license")
+except PackageNotFoundError:
+    INFER_LICENSE_VERSION = "unknown"
 
 # Map from dfetch hash-field algorithm prefix to CycloneDX HashAlgorithm name
 DFETCH_TO_CDX_HASH_ALGORITHM: dict[str, str] = {
@@ -361,6 +366,28 @@ def _apply_vcs_refs(component: Component, purl: PackageURL) -> None:
                 )
             )
 
+    @staticmethod
+    def _attach_identified_licenses(
+        component: Component, identified: list[DfetchLicense]
+    ) -> None:
+        """Add each identified license to *component* and record its confidence."""
+        for lic in identified:
+            cdx_license = (
+                CycloneDxLicense(id=lic.spdx_id)
+                if lic.spdx_id
+                else CycloneDxLicense(name=lic.name)
+            )
+            component.licenses.add(cdx_license)
+            if component.evidence:
+                component.evidence.licenses.add(cdx_license)
+            label = lic.spdx_id or lic.name or "unknown"
+            component.properties.add(
+                Property(
+                    name=f"dfetch:license:{label}:confidence",
+                    value=f"{lic.probability:.2f}",
+                )
+            )
+
     @staticmethod
     def _apply_licenses(component: Component, license_scan: LicenseScanResult) -> None:
         """Attach license information to *component* and its evidence block.
@@ -397,38 +424,28 @@ def _apply_licenses(component: Component, license_scan: LicenseScanResult) -> No
         )
 
         if license_scan.identified:
-            for lic in license_scan.identified:
-                cdx_license = (
-                    CycloneDxLicense(id=lic.spdx_id)
-                    if lic.spdx_id
-                    else CycloneDxLicense(name=lic.name)
-                )
-                component.licenses.add(cdx_license)
-                if component.evidence:
-                    component.evidence.licenses.add(cdx_license)
-                # Record per-license confidence so auditors can compare against
-                # the threshold and re-evaluate if the threshold changes.
-                label = lic.spdx_id or lic.name or "unknown"
-                component.properties.add(
-                    Property(
-                        name=f"dfetch:license:{label}:confidence",
-                        value=f"{lic.probability:.2f}",
-                    )
-                )
-            return
-
-        noassertion = CycloneDxLicense(name="NOASSERTION")
-        component.licenses.add(noassertion)
-        if component.evidence:
-            component.evidence.licenses.add(noassertion)
+            SbomReporter._attach_identified_licenses(component, license_scan.identified)
+        else:
+            noassertion = CycloneDxLicense(name="NOASSERTION")
+            component.licenses.add(noassertion)
+            if component.evidence:
+                component.evidence.licenses.add(noassertion)
 
         if license_scan.unclassified_files:
             files_str = ", ".join(sorted(license_scan.unclassified_files))
-            finding = f"License file(s) found ({files_str}) but could not be classified"
-        else:
-            finding = "No license file found in source tree"
-
-        component.properties.add(Property(name="dfetch:license:finding", value=finding))
+            component.properties.add(
+                Property(
+                    name="dfetch:license:finding",
+                    value=f"License file(s) found ({files_str}) but could not be classified",
+                )
+            )
+        elif not license_scan.identified:
+            component.properties.add(
+                Property(
+                    name="dfetch:license:finding",
+                    value="No license file found in source tree",
+                )
+            )
 
     def dump_to_file(self, outfile: str) -> bool:
         """Dump the SBoM to file."""
diff --git a/features/report-sbom-license.feature b/features/report-sbom-license.feature
@@ -51,7 +51,7 @@ Feature: SBOM license transparency for unresolved licenses
                             },
                             {
                                 "name": "dfetch:license:tool",
-                                "value": "infer-license 0.2.0"
+                                "value": "<infer-license-version>"
                             }
                         ],
                         "evidence": {
@@ -108,7 +108,7 @@ Feature: SBOM license transparency for unresolved licenses
                             },
                             {
                                 "name": "dfetch:license:tool",
-                                "value": "infer-license 0.2.0"
+                                "value": "<infer-license-version>"
                             }
                         ],
                         "evidence": {
diff --git a/features/report-sbom.feature b/features/report-sbom.feature
@@ -105,7 +105,7 @@ Feature: Create an CycloneDX sbom
                             },
                             {
                                 "name": "dfetch:license:tool",
-                                "value": "infer-license 0.2.0"
+                                "value": "<infer-license-version>"
                             }
                         ],
                         "type": "library",
diff --git a/features/steps/generic_steps.py b/features/steps/generic_steps.py
@@ -18,6 +18,7 @@
 
 from dfetch.__main__ import DfetchFatalException, run
 from dfetch.log import DLogger
+from dfetch.reporting.sbom_reporter import INFER_LICENSE_VERSION
 from dfetch.util.util import in_directory
 
 ansi_escape = re.compile(r"\[/?[a-z\_ ]+\]")
@@ -94,6 +95,9 @@ def apply_archive_substitutions(text: str, context) -> str:
         text = text.replace("<archive-sha512>", context.archive_sha512)
     if hasattr(context, "archive_url"):
         text = text.replace("<archive-url>", context.archive_url)
+    text = text.replace(
+        "<infer-license-version>", f"infer-license {INFER_LICENSE_VERSION}"
+    )
     return text
 
 

Original file line number	Diff line number	Diff line change
`@@ -51,7 +51,7 @@ Feature: SBOM license transparency for unresolved licenses`
`51`	`51`	`},`
`52`	`52`	`{`
`53`	`53`	`"name": "dfetch:license:tool",`
`54`		`- "value": "infer-license 0.2.0"`
	`54`	`+ "value": "<infer-license-version>"`
`55`	`55`	`}`
`56`	`56`	`],`
`57`	`57`	`"evidence": {`
`@@ -108,7 +108,7 @@ Feature: SBOM license transparency for unresolved licenses`
`108`	`108`	`},`
`109`	`109`	`{`
`110`	`110`	`"name": "dfetch:license:tool",`
`111`		`- "value": "infer-license 0.2.0"`
	`111`	`+ "value": "<infer-license-version>"`
`112`	`112`	`}`
`113`	`113`	`],`
`114`	`114`	`"evidence": {`
Original file line number	Diff line number	Diff line change
`@@ -105,7 +105,7 @@ Feature: Create an CycloneDX sbom`
`105`	`105`	`},`
`106`	`106`	`{`
`107`	`107`	`"name": "dfetch:license:tool",`
`108`		`- "value": "infer-license 0.2.0"`
	`108`	`+ "value": "<infer-license-version>"`
`109`	`109`	`}`
`110`	`110`	`],`
`111`	`111`	`"type": "library",`