Support multiple licenses per project

Author: spoorcc

CHANGELOG.rst

@@ -8,6 +8,7 @@ Release 0.11.0 (unreleased)
 * Use CycloneDX schema version 1.6 (#542)
 * Add security policy (#784)
 * Add provenance / release attestation to pypi package (#784)
+* Support multiple licenses per project (#788)
 
 Release 0.10.0 (released 2025-03-12)
 ====================================

dfetch/commands/report.py

@@ -6,8 +6,7 @@
 import argparse
 import glob
 import os
-
-import infer_license
+from typing import List, Tuple
 
 import dfetch.commands.command
 import dfetch.manifest.manifest
@@ -17,9 +16,12 @@
 from dfetch.project.metadata import Metadata
 from dfetch.project.vcs import VCS
 from dfetch.reporting import REPORTERS, ReportTypes
+from dfetch.util.license import guess_license_in_file
 
 logger = get_logger(__name__)
 
+LICENSE_PROBABILITY_THRESHOLD = 0.80
+
 
 class Report(dfetch.commands.command.Command):
     """Generate reports containing information about the projects components.
@@ -66,37 +68,38 @@ def __call__(self, args: argparse.Namespace) -> None:
 
         with dfetch.util.util.in_directory(os.path.dirname(path)):
             for project in manifest.selected_projects(args.projects):
-                determined_license = self._determine_license(project)
+                determined_licenses = self._determine_licenses(project)
                 version = self._determine_version(project)
                 reporter.add_project(
-                    project=project, license_name=determined_license, version=version
+                    project=project, license_names=determined_licenses, version=version
                 )
 
             if reporter.dump_to_file(args.outfile):
                 logger.info(f"Generated {reporter.name} report: {args.outfile}")
 
     @staticmethod
-    def _determine_license(project: ProjectEntry) -> str:
+    def _determine_licenses(project: ProjectEntry) -> List[Tuple[str, float]]:
         """Try to determine license of fetched project."""
         if not os.path.exists(project.destination):
             logger.print_warning_line(
                 project.name, "Never fetched, fetch it to get license info."
             )
-            return ""
+            return []
 
+        license_files = []
         with dfetch.util.util.in_directory(project.destination):
+
             for license_file in filter(VCS.is_license_file, glob.glob("*")):
                 logger.debug(f"Found license file {license_file} for {project.name}")
-                guessed_license = infer_license.api.guess_file(license_file)
+                guessed_license, probability = guess_license_in_file(license_file)
 
                 if guessed_license:
-                    return str(guessed_license.name)
-
-                logger.print_warning_line(
-                    project.name, f"Could not determine license in {license_file}"
-                )
-
-        return ""
+                    license_files.append((str(guessed_license.name), probability))
+                else:
+                    logger.print_warning_line(
+                        project.name, f"Could not determine license in {license_file}"
+                    )
+        return license_files
 
     @staticmethod
     def _determine_version(project: ProjectEntry) -> str:

dfetch/reporting/reporter.py

@@ -1,6 +1,7 @@
 """Abstract reporting interface."""
 
 from abc import ABC, abstractmethod
+from typing import List, Tuple
 
 from dfetch.manifest.project import ProjectEntry
 
@@ -12,7 +13,10 @@ class Reporter(ABC):
 
     @abstractmethod
     def add_project(
-        self, project: ProjectEntry, license_name: str, version: str
+        self,
+        project: ProjectEntry,
+        license_names: List[Tuple[str, float]],
+        version: str,
     ) -> None:
         """Add a project to the report."""
 

dfetch/reporting/sbom_reporter.py

@@ -15,6 +15,8 @@
         An fetched project generates an sbom
 """
 
+from typing import List, Tuple
+
 from cyclonedx.builder.this import this_component as cdx_lib_component
 from cyclonedx.model import ExternalReference, ExternalReferenceType, XsUri
 from cyclonedx.model.bom import Bom
@@ -48,7 +50,10 @@ def __init__(self) -> None:
         self._bom.metadata.tools.components.add(cdx_lib_component())
 
     def add_project(
-        self, project: ProjectEntry, license_name: str, version: str
+        self,
+        project: ProjectEntry,
+        license_names: List[Tuple[str, float]],
+        version: str,
     ) -> None:
         """Add a project to the report."""
         purl = dfetch.util.purl.remote_url_to_purl(
@@ -89,8 +94,8 @@ def add_project(
                     )
                 )
 
-        if license_name:
-            component.licenses.add(LicenseExpression(license_name))
+        for name, _ in license_names:
+            component.licenses.add(LicenseExpression(name))
         self._bom.components.add(component)
 
     def dump_to_file(self, outfile: str) -> bool:

dfetch/reporting/stdout_reporter.py

@@ -4,6 +4,8 @@
 from the manifest or the metadata (``.dfetch_data.yaml``).
 """
 
+from typing import List, Tuple
+
 from dfetch.log import get_logger
 from dfetch.manifest.project import ProjectEntry
 from dfetch.project.metadata import Metadata
@@ -18,7 +20,10 @@ class StdoutReporter(Reporter):
     name = "stdout"
 
     def add_project(
-        self, project: ProjectEntry, license_name: str, version: str
+        self,
+        project: ProjectEntry,
+        license_names: List[Tuple[str, float]],
+        version: str,
     ) -> None:
         """Add a project to the report."""
         del version
@@ -32,7 +37,9 @@ def add_project(
             logger.print_info_field("    last fetch", str(metadata.last_fetch))
             logger.print_info_field("    revision", metadata.revision)
             logger.print_info_field("    patch", metadata.patch)
-            logger.print_info_field("    license", license_name)
+            logger.print_info_field(
+                "    licenses", ",".join(license for license, _ in license_names)
+            )
 
         except FileNotFoundError:
             logger.print_info_field("    last fetch", "never")

dfetch/util/license.py

@@ -0,0 +1,27 @@
+"""*Dfetch* uses *Infer-License* to guess licenses from files."""
+
+import os
+from typing import Optional, Tuple, Union
+
+import infer_license
+from infer_license.types import License
+
+LICENSE_PROBABILITY_THRESHOLD = 0.80
+
+
+def guess_license_in_file(
+    filename: Union[str, "os.PathLike[str]"],
+) -> Tuple[Optional[License], float]:
+    """Guess license from file."""
+    try:
+        with open(filename, encoding="utf-8") as f:
+            license_text = f.read()
+    except UnicodeDecodeError:
+        with open(filename, encoding="latin-1") as f:
+            license_text = f.read()
+
+    probable_license = infer_license.api.probabilities(license_text)
+    if probable_license and probable_license[0][1] > LICENSE_PROBABILITY_THRESHOLD:
+        return probable_license[0]
+
+    return None, 0.0