feat(reporter): Improve handling of unmapped licenses in SPDX reporter

mnonnenmacher · mnonnenmacher · commit 30e362c023bb · 2023-03-20T11:39:43.000+01:00
If a package has unmapped declared licenses, always append `NOASSERTION`
to the declared license SPDX expression. Previously, `NOASSERTION` was
only added if the SPDX expression was null or blank. This did hide the
fact that there are unmapped licenses if the expression was not empty.

Signed-off-by: Martin Nonnenmacher &lt;martin.nonnenmacher@bosch.io&gt;
diff --git a/reporter/src/funTest/assets/spdx-document-reporter-expected-output.spdx.json b/reporter/src/funTest/assets/spdx-document-reporter-expected-output.spdx.json
@@ -96,7 +96,7 @@
     "filesAnalyzed" : false,
     "homepage" : "NONE",
     "licenseConcluded" : "NOASSERTION",
-    "licenseDeclared" : "MIT",
+    "licenseDeclared" : "MIT AND NOASSERTION",
     "name" : "fourth-package",
     "summary" : "A package with partially mapped declared license.",
     "versionInfo" : "0.0.1"
diff --git a/reporter/src/funTest/assets/spdx-document-reporter-expected-output.spdx.yml b/reporter/src/funTest/assets/spdx-document-reporter-expected-output.spdx.yml
@@ -108,7 +108,7 @@ packages:
   filesAnalyzed: false
   homepage: "NONE"
   licenseConcluded: "NOASSERTION"
-  licenseDeclared: "MIT"
+  licenseDeclared: "MIT AND NOASSERTION"
   name: "fourth-package"
   summary: "A package with partially mapped declared license."
   versionInfo: "0.0.1"
diff --git a/reporter/src/main/kotlin/reporters/spdx/SpdxDocumentModelMapper.kt b/reporter/src/main/kotlin/reporters/spdx/SpdxDocumentModelMapper.kt
@@ -49,6 +49,7 @@ import org.ossreviewtoolkit.utils.spdx.model.SpdxExtractedLicenseInfo
 import org.ossreviewtoolkit.utils.spdx.model.SpdxPackage
 import org.ossreviewtoolkit.utils.spdx.model.SpdxPackageVerificationCode
 import org.ossreviewtoolkit.utils.spdx.model.SpdxRelationship
+import org.ossreviewtoolkit.utils.spdx.toSpdx
 import org.ossreviewtoolkit.utils.spdx.toSpdxId
 
 /**
@@ -242,11 +243,18 @@ private fun Package.toSpdxPackage(licenseInfoResolver: LicenseInfoResolver, isPr
 
 private fun ProcessedDeclaredLicense.toSpdxDeclaredLicense(): String =
     when {
-        unmapped.isEmpty() -> spdxExpression.nullOrBlankToSpdxNoassertionOrNone()
-        spdxExpression == null -> SpdxConstants.NOASSERTION
-        spdxExpression.toString().isBlank() -> SpdxConstants.NOASSERTION
-        spdxExpression.toString() == SpdxConstants.NONE -> SpdxConstants.NOASSERTION
-        else -> spdxExpression.toString()
+        // If there are unmapped licenses, represent this by adding NOASSERTION.
+        unmapped.isNotEmpty() -> {
+            spdxExpression?.let {
+                if (SpdxConstants.NOASSERTION !in it.licenses()) {
+                    (it and SpdxConstants.NOASSERTION.toSpdx()).toString()
+                } else {
+                    it.toString()
+                }
+            } ?: SpdxConstants.NOASSERTION
+        }
+
+        else -> spdxExpression.nullOrBlankToSpdxNoassertionOrNone()
     }
 
 private fun String?.nullOrBlankToSpdxNone(): String = if (isNullOrBlank()) SpdxConstants.NONE else this
