fix(scanner): Apply curations before storing detected licenses

Joelp03 · Joelp03 · commit ed6934cbb5c9 · 2026-04-20T15:13:17.000-04:00
Detected licenses must have PackageCuration and
PackageConfiguration applied before storing, otherwise
wrong data could be shown.

- Change computeDetectedLicenses to use LicenseInfoResolver
  which applies LicenseFindingCuration and PathExclude from
  PackageConfiguration
- Remove scannerRun parameter from computeAndStoreLicenses
  since it's no longer needed after using LicenseInfoResolver

Signed-off-by: Joelp03 &lt;joelpimentel1995@gmail.com&gt;
diff --git a/dao/src/main/resources/db/migration/V146__storeLicensesInDatabase.sql b/dao/src/main/resources/db/migration/V146__storeLicensesInDatabase.sql
diff --git a/workers/scanner/src/main/kotlin/LicenseComputation.kt b/workers/scanner/src/main/kotlin/LicenseComputation.kt
@@ -30,24 +30,27 @@ import org.eclipse.apoapsis.ortserver.services.ortrun.mapToModel
 import org.jetbrains.exposed.v1.core.eq
 
 import org.ossreviewtoolkit.model.Identifier as OrtIdentifier
+import org.ossreviewtoolkit.model.LicenseSource
 import org.ossreviewtoolkit.model.OrtResult
-import org.ossreviewtoolkit.model.ScannerRun
 import org.ossreviewtoolkit.model.licenses.LicenseInfoResolver
 import org.ossreviewtoolkit.model.licenses.LicenseView
 
 /**
- * Compute detected licenses for a package or project by aggregating license findings across all scan results
- * for the given [id]. Returns the union of all license strings found in all provenances.
+ * Compute detected licenses for a package or project using the [licenseInfoResolver].
+ *
+ * Returns the set of licenses with [LicenseSource.DETECTED], which respects LicenseFindingCuration and PathExclude
+ * from PackageConfiguration.
  */
 fun computeDetectedLicenses(
-    scannerRun: ScannerRun,
+    licenseInfoResolver: LicenseInfoResolver,
     id: OrtIdentifier
-): Set<String> =
-    scannerRun.getAllScanResults()[id]
-        .orEmpty()
-        .flatMap { scanResult -> scanResult.summary.licenseFindings }
-        .map { licenseFinding -> licenseFinding.license.toString() }
+): Set<String> {
+    val resolvedLicenseInfo = licenseInfoResolver.resolveLicenseInfo(id)
+    return resolvedLicenseInfo.licenses
+        .filter { it.sources.any { source -> source == LicenseSource.DETECTED } }
+        .map { it.license.toString() }
         .toSet()
+}
 
 /**
  * Compute the effective license for a package or project using the [licenseInfoResolver].
@@ -66,19 +69,17 @@ fun computeEffectiveLicense(
 
 /**
  * Compute detected and effective licenses for all packages and projects in the [ortResult] and store them in the
- * database. Uses the [scannerRun] to aggregate detected licenses across all provenances and the
- * [licenseInfoResolver] to compute effective licenses.
+ * database. Uses the [licenseInfoResolver] to compute both detected and effective licenses with curations applied.
  */
 fun computeAndStoreLicenses(
     ortResult: OrtResult,
-    scannerRun: ScannerRun,
     licenseInfoResolver: LicenseInfoResolver
 ) {
     for (curatedPackage in ortResult.getPackages()) {
         val id = curatedPackage.metadata.id
         val modelId = id.mapToModel()
 
-        val detectedLicenses = computeDetectedLicenses(scannerRun, id)
+        val detectedLicenses = computeDetectedLicenses(licenseInfoResolver, id)
         val effectiveLicense = computeEffectiveLicense(licenseInfoResolver, id)
 
         if (detectedLicenses.isNotEmpty() || effectiveLicense != null) {
@@ -90,7 +91,7 @@ fun computeAndStoreLicenses(
         val id = project.id
         val modelId = id.mapToModel()
 
-        val detectedLicenses = computeDetectedLicenses(scannerRun, id)
+        val detectedLicenses = computeDetectedLicenses(licenseInfoResolver, id)
         val effectiveLicense = computeEffectiveLicense(licenseInfoResolver, id)
 
         if (detectedLicenses.isNotEmpty() || effectiveLicense != null) {
diff --git a/workers/scanner/src/main/kotlin/ScannerWorker.kt b/workers/scanner/src/main/kotlin/ScannerWorker.kt
@@ -111,7 +111,6 @@ class ScannerWorker(
             db.dbQuery {
                 computeAndStoreLicenses(
                     ortResult = ortResult,
-                    scannerRun = scannerRunResult.scannerRun,
                     licenseInfoResolver = licenseInfoResolver
                 )
             }
diff --git a/workers/scanner/src/test/kotlin/LicenseComputationTest.kt b/workers/scanner/src/test/kotlin/LicenseComputationTest.kt
@@ -21,134 +21,115 @@ package org.eclipse.apoapsis.ortserver.workers.scanner
 
 import io.kotest.core.spec.style.StringSpec
 import io.kotest.matchers.collections.shouldBeEmpty
-import io.kotest.matchers.collections.shouldContainExactlyInAnyOrder
+import io.kotest.matchers.collections.shouldContain
 import io.kotest.matchers.nulls.shouldBeNull
 import io.kotest.matchers.shouldBe
 
-import io.mockk.every
 import io.mockk.mockk
 
-import java.time.Instant
+import org.eclipse.apoapsis.ortserver.shared.orttestdata.OrtTestData
 
-import org.ossreviewtoolkit.model.ArtifactProvenance
-import org.ossreviewtoolkit.model.Hash
 import org.ossreviewtoolkit.model.Identifier
-import org.ossreviewtoolkit.model.LicenseFinding
 import org.ossreviewtoolkit.model.OrtResult
-import org.ossreviewtoolkit.model.RemoteArtifact
-import org.ossreviewtoolkit.model.ScanResult
-import org.ossreviewtoolkit.model.ScanSummary
-import org.ossreviewtoolkit.model.ScannerDetails
-import org.ossreviewtoolkit.model.ScannerRun
-import org.ossreviewtoolkit.model.TextLocation
+import org.ossreviewtoolkit.model.config.CopyrightGarbage
+import org.ossreviewtoolkit.model.config.LicenseFilePatterns
 import org.ossreviewtoolkit.model.licenses.DefaultLicenseInfoProvider
 import org.ossreviewtoolkit.model.licenses.LicenseInfoResolver
 
 class LicenseComputationTest : StringSpec({
-    "computeDetectedLicenses should aggregate licenses across multiple provenances" {
-        val id = Identifier("Maven", "com.example", "test-pkg", "1.0")
+    "computeDetectedLicenses returns curated licenses using OrtTestData" {
+        val id = OrtTestData.pkgIdentifier
 
-        val provenance1 = ArtifactProvenance(
-            sourceArtifact = RemoteArtifact(
-                url = "https://example.com/pkg1.jar",
-                hash = Hash.NONE
-            )
-        )
-        val provenance2 = ArtifactProvenance(
-            sourceArtifact = RemoteArtifact(
-                url = "https://example.com/pkg2.jar",
-                hash = Hash.NONE
-            )
-        )
+        val ortResult = OrtTestData.result
 
-        val scanResult1 = ScanResult(
-            provenance = provenance1,
-            scanner = ScannerDetails("scanner1", "1.0", ""),
-            summary = ScanSummary(
-                startTime = Instant.now(),
-                endTime = Instant.now(),
-                licenseFindings = setOf(
-                    LicenseFinding("MIT", TextLocation("file1.txt", 1)),
-                    LicenseFinding("Apache-2.0", TextLocation("file2.txt", 1))
-                )
-            )
+        val resolver = LicenseInfoResolver(
+            provider = DefaultLicenseInfoProvider(ortResult),
+            copyrightGarbage = CopyrightGarbage(),
+            addAuthorsToCopyrights = false,
+            archiver = mockk(relaxed = true),
+            licenseFilePatterns = LicenseFilePatterns.DEFAULT
         )
 
-        val scanResult2 = ScanResult(
-            provenance = provenance2,
-            scanner = ScannerDetails("scanner2", "1.0", ""),
-            summary = ScanSummary(
-                startTime = Instant.now(),
-                endTime = Instant.now(),
-                licenseFindings = setOf(
-                    LicenseFinding("Apache-2.0", TextLocation("file3.txt", 1)),
-                    LicenseFinding("GPL-3.0", TextLocation("file4.txt", 1))
+        val result = computeDetectedLicenses(resolver, id)
+
+        result shouldContain "LicenseRef-detected1-concluded"
+        result shouldContain "LicenseRef-detected2"
+        result shouldContain "LicenseRef-detected3"
+    }
+
+    "computeDetectedLicenses returns all detected licenses when no curations exist" {
+        val id = OrtTestData.pkgIdentifier
+
+        val ortResult = OrtTestData.result.copy(
+            repository = OrtTestData.repository.copy(
+                config = OrtTestData.repository.config.copy(
+                    packageConfigurations = emptyList()
                 )
+            ),
+            resolvedConfiguration = OrtTestData.resolvedConfiguration.copy(
+                packageConfigurations = emptyList()
             )
         )
 
-        val scannerRun = mockk<ScannerRun>(relaxed = true) {
-            every { getAllScanResults() } returns mapOf(id to listOf(scanResult1, scanResult2))
-        }
+        val resolver = LicenseInfoResolver(
+            provider = DefaultLicenseInfoProvider(ortResult),
+            copyrightGarbage = CopyrightGarbage(),
+            addAuthorsToCopyrights = false,
+            archiver = mockk(relaxed = true),
+            licenseFilePatterns = LicenseFilePatterns.DEFAULT
+        )
 
-        val result = computeDetectedLicenses(scannerRun, id)
+        val result = computeDetectedLicenses(resolver, id)
 
-        result shouldContainExactlyInAnyOrder setOf("MIT", "Apache-2.0", "GPL-3.0")
+        result shouldContain "LicenseRef-detected1"
+        result shouldContain "LicenseRef-detected2"
+        result shouldContain "LicenseRef-detected3"
+        result shouldContain "LicenseRef-detected-excluded"
     }
 
-    "computeDetectedLicenses should return empty set when no scan results exist" {
+    "computeDetectedLicenses returns empty set when no scan results for id" {
         val id = Identifier("Maven", "com.example", "no-scan-pkg", "1.0")
 
-        val scannerRun = mockk<ScannerRun>(relaxed = true) {
-            every { getAllScanResults() } returns emptyMap()
-        }
+        val ortResult = OrtResult.EMPTY
 
-        val result = computeDetectedLicenses(scannerRun, id)
+        val resolver = LicenseInfoResolver(
+            provider = DefaultLicenseInfoProvider(ortResult),
+            copyrightGarbage = CopyrightGarbage(),
+            addAuthorsToCopyrights = false,
+            archiver = mockk(relaxed = true),
+            licenseFilePatterns = LicenseFilePatterns.DEFAULT
+        )
+
+        val result = computeDetectedLicenses(resolver, id)
 
         result.shouldBeEmpty()
     }
 
-    "computeDetectedLicenses should deduplicate licenses across provenances" {
-        val id = Identifier("NPM", "@example", "lib", "2.0")
-
-        val provenance = ArtifactProvenance(
-            sourceArtifact = RemoteArtifact(
-                url = "https://example.com/lib.tgz",
-                hash = Hash.NONE
-            )
-        )
-
-        val scanResult1 = ScanResult(
-            provenance = provenance,
-            scanner = ScannerDetails("scanner1", "1.0", ""),
-            summary = ScanSummary(
-                startTime = Instant.now(),
-                endTime = Instant.now(),
-                licenseFindings = setOf(
-                    LicenseFinding("MIT", TextLocation("a.txt", 1))
+    "computeDetectedLicenses deduplicates licenses across provenances" {
+        val ortResult = OrtTestData.result.copy(
+            repository = OrtTestData.repository.copy(
+                config = OrtTestData.repository.config.copy(
+                    packageConfigurations = emptyList()
                 )
+            ),
+            resolvedConfiguration = OrtTestData.resolvedConfiguration.copy(
+                packageConfigurations = emptyList()
             )
         )
+        val id = OrtTestData.pkgIdentifier
 
-        val scanResult2 = ScanResult(
-            provenance = provenance,
-            scanner = ScannerDetails("scanner2", "1.0", ""),
-            summary = ScanSummary(
-                startTime = Instant.now(),
-                endTime = Instant.now(),
-                licenseFindings = setOf(
-                    LicenseFinding("MIT", TextLocation("b.txt", 1))
-                )
-            )
+        val resolver = LicenseInfoResolver(
+            provider = DefaultLicenseInfoProvider(ortResult),
+            copyrightGarbage = CopyrightGarbage(),
+            addAuthorsToCopyrights = false,
+            archiver = mockk(relaxed = true),
+            licenseFilePatterns = LicenseFilePatterns.DEFAULT
         )
 
-        val scannerRun = mockk<ScannerRun>(relaxed = true) {
-            every { getAllScanResults() } returns mapOf(id to listOf(scanResult1, scanResult2))
-        }
-
-        val result = computeDetectedLicenses(scannerRun, id)
+        val result = computeDetectedLicenses(resolver, id)
 
-        result shouldBe setOf("MIT")
+        val licenseCounts = result.groupingBy { it }.eachCount()
+        licenseCounts.values.all { it == 1 } shouldBe true
     }
 
     "computeEffectiveLicense should return null when no license info is available" {
@@ -157,10 +138,10 @@ class LicenseComputationTest : StringSpec({
         val ortResult = OrtResult.EMPTY
         val resolver = LicenseInfoResolver(
             provider = DefaultLicenseInfoProvider(ortResult),
-            copyrightGarbage = org.ossreviewtoolkit.model.config.CopyrightGarbage(),
+            copyrightGarbage = CopyrightGarbage(),
             addAuthorsToCopyrights = false,
             archiver = mockk(relaxed = true),
-            licenseFilePatterns = org.ossreviewtoolkit.model.config.LicenseFilePatterns.DEFAULT
+            licenseFilePatterns = LicenseFilePatterns.DEFAULT
         )
 
         val result = computeEffectiveLicense(resolver, id)
diff --git a/workers/scanner/src/test/kotlin/ScannerWorkerTest.kt b/workers/scanner/src/test/kotlin/ScannerWorkerTest.kt
@@ -123,7 +123,7 @@ class ScannerWorkerTest : StringSpec({
         every { buildLicenseInfoResolver(any(), any(), any()) } returns mockk(relaxed = true)
 
         mockkStatic("org.eclipse.apoapsis.ortserver.workers.scanner.LicenseComputationKt")
-        every { computeAndStoreLicenses(any(), any(), any()) } just runs
+        every { computeAndStoreLicenses(any(), any()) } just runs
 
         val ortRunService = mockk<OrtRunService> {
             every { createScannerRun(any()) } returns mockk {
@@ -234,7 +234,7 @@ class ScannerWorkerTest : StringSpec({
         every { buildLicenseInfoResolver(any(), any(), any()) } returns mockk(relaxed = true)
 
         mockkStatic("org.eclipse.apoapsis.ortserver.workers.scanner.LicenseComputationKt")
-        every { computeAndStoreLicenses(any(), any(), any()) } just runs
+        every { computeAndStoreLicenses(any(), any()) } just runs
 
         val ortRunService = mockk<OrtRunService> {
             every { createScannerRun(any()) } returns mockk {
@@ -435,7 +435,7 @@ class ScannerWorkerTest : StringSpec({
         every { buildLicenseInfoResolver(any(), any(), any()) } returns mockk(relaxed = true)
 
         mockkStatic("org.eclipse.apoapsis.ortserver.workers.scanner.LicenseComputationKt")
-        every { computeAndStoreLicenses(any(), any(), any()) } just runs
+        every { computeAndStoreLicenses(any(), any()) } just runs
 
         val ortRunService = mockk<OrtRunService> {
             every { createScannerRun(any()) } returns mockk {

Original file line number	Diff line number	Diff line change
`@@ -111,7 +111,6 @@ class ScannerWorker(`
`111`	`111`	`db.dbQuery {`
`112`	`112`	`computeAndStoreLicenses(`
`113`	`113`	`ortResult = ortResult,`
`114`		`- scannerRun = scannerRunResult.scannerRun,`
`115`	`114`	`licenseInfoResolver = licenseInfoResolver`
`116`	`115`	`)`
`117`	`116`	`}`