chore(hfh):SP-4188 include license info into hfh results

Author: agustingroh

CHANGELOG.md

@@ -10,6 +10,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Added `--format raw` option to `folder-scan` command to export HFH results in snippet-scanner JSON format
   - Expands directory-level HFH results into per-file entries keyed by relative file path
   - Assigns each file to the most specific matching `path_id` (deepest directory match wins)
+- Added license decoration to folder hash scan results via dependency service
+  - Each component version in HFH results is now decorated with license information
+  - CycloneDX output uses pre-decorated licenses instead of making a separate dependency API call
 
 ## [1.50.0] - 2026-03-17
 ### Fixed

src/scanoss/scanners/scanner_hfh.py

@@ -117,17 +117,77 @@ def __init__(  # noqa: PLR0913
 
     def _execute_grpc_scan(self, hfh_request: Dict) -> None:
         """
-        Execute folder hash scan.
+        Execute folder hash scan and decorate results with license information.
 
         Args:
             hfh_request: Request dictionary for the gRPC call
         """
         try:
             self.scan_results = self.client.folder_hash_scan(hfh_request, self.use_grpc)
+            self._decorate_with_licenses()
         except Exception as e:
             self.base.print_stderr(f'Error during folder hash scan: {e}')
             self.scan_results = None
 
+    def _decorate_with_licenses(self) -> None:
+        """
+        Decorate each component version in scan results with license information
+        by calling the dependency service.
+        """
+        if not self.scan_results or not self.client:
+            return
+        results = self.scan_results.get('results', [])
+        if not results:
+            return
+
+        dep_files = []
+        for result in results:
+            path_id = result.get('path_id', '')
+            for component in result.get('components', []):
+                purl = component.get('purl', '')
+                if not purl:
+                    continue
+                for version_entry in component.get('versions', []):
+                    version = version_entry.get('version', '')
+                    if not version:
+                        continue
+                    dep_files.append({
+                        'file': path_id,
+                        'purls': [{'purl': purl, 'requirement': version}],
+                    })
+
+        if not dep_files:
+            return
+
+        try:
+            decorated = self.client.get_dependencies({'files': dep_files})
+        except Exception as e:
+            self.base.print_stderr(f'Warning: Failed to fetch license data: {e}')
+            return
+
+        if not decorated or 'files' not in decorated:
+            return
+
+        # Build lookup: purl@requirement -> licenses
+        license_map = {}
+        for dep_file in decorated.get('files', []):
+            for dep in dep_file.get('dependencies', []):
+                dep_purl = dep.get('purl', '')
+                dep_requirement = dep.get('requirement', '')
+                key = dep_purl + '@' + dep_requirement
+                licenses = dep.get('licenses', [])
+                if dep_purl and licenses:
+                    license_map[key] = licenses
+
+        # Inject licenses into each component version
+        for result in results:
+            for component in result.get('components', []):
+                purl = component.get('purl', '')
+                for version_entry in component.get('versions', []):
+                    version = version_entry.get('version', '')
+                    versioned_purl = f'{purl}@{version}'
+                    version_entry['licenses'] = license_map.get(versioned_purl, [])
+
     def scan(self) -> Optional[Dict]:
         """
         Scan the provided directory using the folder hashing algorithm.
@@ -218,30 +278,34 @@ def _format_cyclonedx_output(self) -> str:  # noqa: PLR0911
             if not best_match_component.get('versions'):
                 self.base.print_stderr('ERROR: No versions found for best match component')
                 return ''
-
             best_match_version = best_match_component['versions'][0]
             purl = best_match_component['purl']
+            version = best_match_version['version']
+            licenses = best_match_version.get('licenses', [])
 
-            get_dependencies_json_request = {
-                'files': [
+            # Build scan_results from already-decorated HFH data
+            scan_results = {
+                f'{best_match_component["name"]}:{version}': [
                     {
-                        'file': f'{best_match_component["name"]}:{best_match_version["version"]}',
-                        'purls': [{'purl': purl, 'requirement': best_match_version['version']}],
+                        'id': 'dependency',
+                        'dependencies': [
+                            {
+                                'purl': purl,
+                                'component': best_match_component.get('name', ''),
+                                'version': version,
+                                'licenses': licenses,
+                            }
+                        ],
                     }
                 ]
             }
 
             get_vulnerabilities_json_request = {
-                'components': [{'purl': purl, 'requirement': best_match_version['version']}],
+                'components': [{'purl': purl, 'requirement': version}],
             }
-
-            decorated_scan_results = self.scanner.client.get_dependencies(get_dependencies_json_request)
             vulnerabilities = self.scanner.client.get_vulnerabilities_json(get_vulnerabilities_json_request)
 
             cdx = CycloneDx(self.base.debug)
-            scan_results = {}
-            for f in decorated_scan_results['files']:
-                scan_results[f['file']] = [f]
             success, cdx_output = cdx.produce_from_json(scan_results)
             if not success:
                 error_msg = 'ERROR: Failed to produce CycloneDX output'
@@ -253,7 +317,7 @@ def _format_cyclonedx_output(self) -> str:  # noqa: PLR0911
 
             return json.dumps(cdx_output, indent=2)
         except Exception as e:
-            self.base.print_stderr(f'ERROR: Failed to get license information: {e}')
+            self.base.print_stderr(f'ERROR: Failed to produce CycloneDX output: {e}')
             return None
 
     def _format_spdxlite_output(self) -> str:
@@ -414,6 +478,7 @@ def _build_snippet_entry(
         """
         purl = component.get('purl', '')
         version = best_version.get('version', '')
+        licenses = best_version.get('licenses', [])
 
         url = purl2url.get_repo_url(purl) if purl else ''
         return {
@@ -431,7 +496,7 @@ def _build_snippet_entry(
             'source_hash': file_hash,
             'url_hash': '',
             'release_date': '',
-            'licenses': [],
+            'licenses': licenses,
             'lines': 'all',
             'oss_lines': 'all',
             'status': 'pending',