feat(scanner): Store detected and effective license in database

Store detected licenses and effective license for packages and projects
during the scanner phase to make them easily available via API routes
without having to traverse all license findings from scan results.

- Add detectedLicenses and effectiveLicense columns to packages and
  projects tables (Flyway V139 migration)
- Add fields to Package and Project models
- Add DAO support for new columns with comma-separated serialization
- Create LicenseComputation.kt with functions to compute licenses
- Integrate license computation in ScannerWorker
- Expose new fields in API v1 Package and Project responses
- Add unit tests for DAO and LicenseComputation

Resolves #4607.

Author: sschuberth

api/v1/mapping/src/commonMain/kotlin/ApiMappings.kt

@@ -809,7 +809,9 @@ fun Package.mapToApi(
     shortestDependencyPaths = shortestDependencyPaths.map { it.mapToApi() },
     curations = curations,
     sourceCodeOrigins = sourceCodeOrigins?.map { it.mapToApi() },
-    labels = labels
+    labels = labels,
+    detectedLicenses = detectedLicenses,
+    effectiveLicense = effectiveLicense
 )
 
 fun PackageCurationData.mapToApi() = ApiPackageCurationData(
@@ -859,7 +861,9 @@ fun Project.mapToApi() = ApiProject(
     vcsProcessed = vcsProcessed.mapToApi(),
     description = description,
     homepageUrl = homepageUrl,
-    scopeNames = scopeNames
+    scopeNames = scopeNames,
+    detectedLicenses = detectedLicenses,
+    effectiveLicense = effectiveLicense
 )
 
 fun UserDisplayName.mapToApi() = ApiUserDisplayName(username = username, fullName = fullName)

api/v1/model/src/commonMain/kotlin/Package.kt

@@ -40,7 +40,9 @@ data class Package(
     val shortestDependencyPaths: List<ShortestDependencyPath>,
     val curations: List<PackageCuration>,
     val sourceCodeOrigins: List<SourceCodeOrigin>? = null,
-    val labels: Map<String, String> = emptyMap()
+    val labels: Map<String, String> = emptyMap(),
+    val detectedLicenses: Set<String> = emptySet(),
+    val effectiveLicense: String? = null
 )
 
 /**

api/v1/model/src/commonMain/kotlin/Project.kt

@@ -33,5 +33,7 @@ data class Project(
     val vcsProcessed: VcsInfo,
     val description: String,
     val homepageUrl: String,
-    val scopeNames: Set<String>
+    val scopeNames: Set<String>,
+    val detectedLicenses: Set<String> = emptySet(),
+    val effectiveLicense: String? = null
 )

dao/src/main/kotlin/queries/analyzer/GetPackagesForAnalyzerRunQuery.kt

@@ -149,7 +149,13 @@ class GetPackagesForAnalyzerRunQuery(
                 vcs = vcs,
                 vcsProcessed = vcsProcessed,
                 isMetadataOnly = resultRow[PackagesTable.isMetadataOnly],
-                isModified = resultRow[PackagesTable.isModified]
+                isModified = resultRow[PackagesTable.isModified],
+                detectedLicenses = resultRow[PackagesTable.detectedLicenses]
+                    ?.split(",")
+                    ?.filterNot { it.isEmpty() }
+                    ?.toSet()
+                    .orEmpty(),
+                effectiveLicense = resultRow[PackagesTable.effectiveLicense]
             )
         }
     }

dao/src/main/kotlin/queries/analyzer/GetProjectsForAnalyzerRunQuery.kt

@@ -120,7 +120,13 @@ class GetProjectsForAnalyzerRunQuery(
                 vcsProcessed = vcsProcessed,
                 description = resultRow[ProjectsTable.description],
                 homepageUrl = resultRow[ProjectsTable.homepageUrl],
-                scopeNames = scopeNamesByProjectId[projectId].orEmpty()
+                scopeNames = scopeNamesByProjectId[projectId].orEmpty(),
+                detectedLicenses = resultRow[ProjectsTable.detectedLicenses]
+                    ?.split(",")
+                    ?.filterNot { it.isEmpty() }
+                    ?.toSet()
+                    .orEmpty(),
+                effectiveLicense = resultRow[ProjectsTable.effectiveLicense]
             )
         }
     }

dao/src/main/kotlin/repositories/analyzerrun/DaoAnalyzerRunRepository.kt

@@ -211,6 +211,9 @@ private fun insertProject(
 
     createProcessedDeclaredLicense(project.processedDeclaredLicense, projectDao = projectDao)
 
+    projectDao.detectedLicenses = project.detectedLicenses.joinToString(",").takeIf { it.isNotEmpty() }
+    projectDao.effectiveLicense = project.effectiveLicense
+
     return projectDao
 }
 
@@ -284,6 +287,9 @@ private fun insertPackage(
 
     createProcessedDeclaredLicense(pkg.processedDeclaredLicense, pkgDao = pkgDao)
 
+    pkgDao.detectedLicenses = pkg.detectedLicenses.joinToString(",").takeIf { it.isNotEmpty() }
+    pkgDao.effectiveLicense = pkg.effectiveLicense
+
     return pkgDao
 }
 

dao/src/main/kotlin/repositories/analyzerrun/PackagesTable.kt

@@ -62,6 +62,8 @@ object PackagesTable : SortableTable("packages") {
     val isMetadataOnly = bool("is_metadata_only").default(false)
     val isModified = bool("is_modified").default(false)
     val sourceCodeOrigins = text("source_code_origins").nullable()
+    val detectedLicenses = text("detected_licenses").nullable()
+    val effectiveLicense = text("effective_license").nullable()
 }
 
 class PackageDao(id: EntityID<Long>) : LongEntity(id) {
@@ -185,6 +187,8 @@ class PackageDao(id: EntityID<Long>) : LongEntity(id) {
             ProcessedDeclaredLicensesTable.packageId
 
     var sourceCodeOrigins by PackagesTable.sourceCodeOrigins
+    var detectedLicenses by PackagesTable.detectedLicenses
+    var effectiveLicense by PackagesTable.effectiveLicense
     val labels by PackageLabelDao referrersOn PackageLabelsTable.packageId
 
     fun mapToModel() = Package(
@@ -206,6 +210,12 @@ class PackageDao(id: EntityID<Long>) : LongEntity(id) {
             ?.split(",")
             ?.filterNot { it.isEmpty() }
             ?.map { SourceCodeOrigin.valueOf(it) },
-        labels = labels.associate { it.key to it.value }
+        labels = labels.associate { it.key to it.value },
+        detectedLicenses = detectedLicenses
+            ?.split(",")
+            ?.filterNot { it.isEmpty() }
+            ?.toSet()
+            .orEmpty(),
+        effectiveLicense = effectiveLicense
     )
 }

dao/src/main/kotlin/repositories/analyzerrun/ProjectsTable.kt

@@ -53,6 +53,8 @@ object ProjectsTable : SortableTable("projects") {
     val definitionFilePath = text("definition_file_path")
     val description = text("description")
     val homepageUrl = text("homepage_url")
+    val detectedLicenses = text("detected_licenses").nullable()
+    val effectiveLicense = text("effective_license").nullable()
 }
 
 class ProjectDao(id: EntityID<Long>) : LongEntity(id) {
@@ -134,6 +136,9 @@ class ProjectDao(id: EntityID<Long>) : LongEntity(id) {
     val processedDeclaredLicense by ProcessedDeclaredLicenseDao backReferencedOn
             ProcessedDeclaredLicensesTable.projectId
 
+    var detectedLicenses by ProjectsTable.detectedLicenses
+    var effectiveLicense by ProjectsTable.effectiveLicense
+
     fun mapToModel() = Project(
         identifier = identifier.mapToModel(),
         cpe = cpe,
@@ -145,6 +150,12 @@ class ProjectDao(id: EntityID<Long>) : LongEntity(id) {
         vcsProcessed = vcsProcessed.mapToModel(),
         description = description,
         homepageUrl = homepageUrl,
-        scopeNames = scopeNames.mapTo(mutableSetOf(), ProjectScopeDao::name)
+        scopeNames = scopeNames.mapTo(mutableSetOf(), ProjectScopeDao::name),
+        detectedLicenses = detectedLicenses
+            ?.split(",")
+            ?.filterNot { it.isEmpty() }
+            ?.toSet()
+            .orEmpty(),
+        effectiveLicense = effectiveLicense
     )
 }

dao/src/main/resources/db/migration/V142__storeLicensesInDatabase.sql

@@ -0,0 +1,7 @@
+ALTER TABLE packages
+    ADD COLUMN detected_licenses TEXT,
+    ADD COLUMN effective_license TEXT;
+
+ALTER TABLE projects
+    ADD COLUMN detected_licenses TEXT,
+    ADD COLUMN effective_license TEXT;

dao/src/test/kotlin/repositories/analyzerrun/DaoAnalyzerRunRepositoryTest.kt

@@ -143,6 +143,38 @@ class DaoAnalyzerRunRepositoryTest : StringSpec({
         dbExtension.db.dbQuery { ProjectsTable.selectAll().count() } shouldBe 1
     }
 
+    "create should deduplicate packages when license fields differ" {
+        val pkg1 = createPackage(1).copy(
+            detectedLicenses = setOf("MIT"),
+            effectiveLicense = "MIT"
+        )
+        val pkg2 = createPackage(1).copy(
+            detectedLicenses = setOf("Apache-2.0"),
+            effectiveLicense = "Apache-2.0"
+        )
+
+        analyzerRunRepository.create(analyzerJobId, analyzerRun.copy(packages = setOf(pkg1)))
+        analyzerRunRepository.create(analyzerJobId, analyzerRun.copy(packages = setOf(pkg2)))
+
+        dbExtension.db.dbQuery { PackagesTable.selectAll().count() } shouldBe 1
+    }
+
+    "create should deduplicate projects when license fields differ" {
+        val project1 = project.copy(
+            detectedLicenses = setOf("MIT"),
+            effectiveLicense = "MIT"
+        )
+        val project2 = project.copy(
+            detectedLicenses = setOf("Apache-2.0"),
+            effectiveLicense = "Apache-2.0"
+        )
+
+        analyzerRunRepository.create(analyzerJobId, analyzerRun.copy(projects = setOf(project1)))
+        analyzerRunRepository.create(analyzerJobId, analyzerRun.copy(projects = setOf(project2)))
+
+        dbExtension.db.dbQuery { ProjectsTable.selectAll().count() } shouldBe 1
+    }
+
     "create should handle unique constraint violations" {
         val txCount = 64
         withContext(Dispatchers.IO) {