Enhancement/attribution template (#241)
* Add modified SQL files for FOSS_SBOM.xlsx and new Attributions.html

* Modify Attributions format

* Add release note

* Fix condition

* Fix where condition

* Resolve merge conflict

* Squashed commit of the following:

commit a38bf81
Author: Oliver Hecker <[email protected]>
Date:   Fri Mar 15 12:15:30 2024 +0100

    Avoid path traversal threats (#239)

    * Introduce and make use of IOHelper.securePath() to further harden against path traversal threats.

    * Limit DirectUrlWebContentProvider to only handle http and https URLs.

    * Update release notes

    * Rename method from securePath to secureFilePath to better clarify scope/purpose

    * fixed typo in comment

    Co-authored-by: chrimih <[email protected]>

    ---------

    Co-authored-by: chrimih <[email protected]>

commit 35cf767
Author: Oliver Hecker <[email protected]>
Date:   Mon Mar 11 12:11:02 2024 +0100

    Set version to SNAPSHOT of next minor release (1.21.0-SNAPSHOT)

commit c7200dc
Author: Oliver Hecker <[email protected]>
Date:   Mon Mar 11 11:49:27 2024 +0100

    Version 1.20.0

commit fed2f9d
Author: Oliver Hecker <[email protected]>
Date:   Mon Mar 11 11:15:45 2024 +0100

    Implementation of YarnModernReader to support Yarn 2 and above (#238)

# Conflicts:
#	documentation/master-solicitor.asciidoc

* Add release note (after merge conflict resolved)

* remove ossHomepage from result as it is not needed and might result in duplicates (if e.g. data is read in by different reader types where only one fills the attribute, like gradle2/maven)

---------

Co-authored-by: ohecker <[email protected]>
duph97 and ohecker authored Mar 22, 2024
1 parent a38bf81 commit 372ee37
Showing 7 changed files with 43 additions and 23 deletions.
Expand Up @@ -5,9 +5,13 @@ select
GROUP_CONCAT(DISTINCT ac."version" ORDER BY "version" DESC SEPARATOR ', ') as "version" ,
ac."groupId",
ac."artifactId",
ac."ossHomepage",
ac."packageUrl",
ac."sourceRepoUrl",
ac."copyrights"
ac."sourceDownloadUrl",
ac."packageDownloadUrl",
ac."copyrights",
GROUP_CONCAT(DISTINCT CASE WHEN l."effectiveNormalizedLicenseType" = 'IGNORE' THEN CONCAT(l."normalizedLicense", ' (NA)') WHEN l."effectiveNormalizedLicense" != l."normalizedLicense" THEN CONCAT(l."normalizedLicense", ' (redistributed under ', l."effectiveNormalizedLicense", ')') ELSE l."normalizedLicense" END ORDER BY "normalizedLicense" DESC SEPARATOR ', ') as "licenses"

from
APPLICATION a,
APPLICATIONCOMPONENT ac,
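Review bot: the new "licenses" expression's branch `WHEN l."effectiveNormalizedLicense" != l."normalizedLicense"` silently falls through to the ELSE branch whenever either column is NULL, because the inequality then evaluates to NULL rather than true; a component whose effective license is unset would be listed under its normalized license with no "(redistributed under ...)" marker. If that case can occur in the data, make the comparison NULL-safe (an explicit IS NULL branch or COALESCE on both sides). The new non-aggregated columns `ac."sourceDownloadUrl"` and `ac."packageDownloadUrl"` also have to appear in the matching GROUP BY, which the next hunk does.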
Expand All @@ -19,10 +23,10 @@ where
group by
"groupId",
"artifactId",
"ossHomepage",
"packageUrl",
"sourceRepoUrl",
"sourceDownloadUrl",
"packageDownloadUrl",
"copyrights"
order by
"groupId",
"artifactId",
"version"
"packageUrl"
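Review bot: grouping on "packageUrl", "sourceDownloadUrl" and "packageDownloadUrl" changes the row granularity of this query. A package URL normally carries the version, so each version now becomes its own row and the `GROUP_CONCAT(DISTINCT ac."version" ...)` in the select list will mostly hold a single value; and two records for the same purl that differ only in a download URL will be emitted as two rows. If one row per purl is the intent, aggregate the download URLs instead of grouping on them. Note also that "version" appears to be replaced by "packageUrl" in the ORDER BY; since the version alias is a concatenated string, ordering on it was unreliable, so this is an improvement worth a line in the release note.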
Expand Up @@ -5,8 +5,8 @@ select
GROUP_CONCAT(DISTINCT ac."version" ORDER BY "version" DESC SEPARATOR ', ') as "version" ,
ac."groupId",
ac."artifactId",
ac."ossHomepage",
ac."sourceRepoUrl",
ac."packageUrl",
ac."sourceRepoUrl",
ac."copyrights",
l."normalizedLicense",
l."effectiveNormalizedLicense"
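Review bot: the removed and re-added `ac."sourceRepoUrl",` lines are identical as rendered, so this is most likely a whitespace-only difference (indentation or trailing blanks); trimming it keeps the hunk to the one real change, `ossHomepage` replaced by `packageUrl`, which matches the commit message's rationale that ossHomepage is filled inconsistently across reader types and produced duplicate groups.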
Expand All @@ -21,7 +21,7 @@ where
group by
"groupId",
"artifactId",
"ossHomepage",
"packageUrl",
"sourceRepoUrl",
"copyrights",
"normalizedLicense",
Expand Up @@ -3,6 +3,7 @@
-- returns all distinct notice file texts
select distinct
GROUP_CONCAT(DISTINCT CONCAT( ac."artifactId", ' (', ac."version", ')' ) ORDER BY "artifactId" ASC, "version" ASC SEPARATOR ', ') as "artifact",
GROUP_CONCAT(DISTINCT ac."packageUrl" ORDER BY "packageUrl" ASC SEPARATOR ', ') as "packageUrl",
ARRAY_AGG(DISTINCT ac."noticeFileContent" ORDER BY "noticeFileContent" DESC)[1] as "noticeFileContent",
UCASE(REGEXP_REPLACE(ac."noticeFileContent",'\s','')) as "unifiedNoticeFileContent"
from
Expand Up @@ -7,7 +7,8 @@ select
ac."artifactId",
ac."packageUrl",
ac."copyrights",
l."effectiveNormalizedLicense",
l."effectiveNormalizedLicense",
l."effectiveNormalizedLicenseType",
l."effectiveNormalizedLicenseUrl",
l."effectiveNormalizedLicenseContent",
UCASE(REGEXP_REPLACE(l."effectiveNormalizedLicenseContent",'\s','')) as "unifiedEffectiveNormalizedLicenseContent"
Expand All @@ -18,13 +19,14 @@ from
where
a.ID_APPLICATION = ac.PARENT_APPLICATIONCOMPONENT AND
ac.ID_APPLICATIONCOMPONENT = l.PARENT_NORMALIZEDLICENSE AND
l."effectiveNormalizedLicenseType" like 'OSS-%'
(l."effectiveNormalizedLicenseType" LIKE 'OSS-%' OR l."effectiveNormalizedLicenseType" = 'SCANCODE')
group by
"groupId",
"artifactId",
"packageUrl",
"copyrights",
"effectiveNormalizedLicense",
"effectiveNormalizedLicenseType",
"effectiveNormalizedLicenseUrl",
"effectiveNormalizedLicenseContent",
"unifiedEffectiveNormalizedLicenseContent"
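Review bot: the parenthesised `(l."effectiveNormalizedLicenseType" LIKE 'OSS-%' OR l."effectiveNormalizedLicenseType" = 'SCANCODE')` is correctly bracketed; since AND binds tighter than OR, an unbracketed OR would have let every SCANCODE row through regardless of the two join conditions above it. Adding "effectiveNormalizedLicenseType" to the select list and GROUP BY does not change granularity here because the group is already keyed per "packageUrl", but none of the template hunks in this commit reads the new column; if it is only needed for the WHERE filter, it can be left out of the select list and GROUP BY.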
Expand Up @@ -4,6 +4,7 @@
select distinct
GROUP_CONCAT(DISTINCT l."normalizedLicense" ORDER BY "normalizedLicense" ASC SEPARATOR ', ') as "normalizedLicense",
GROUP_CONCAT(DISTINCT CONCAT( ac."artifactId", ' (', ac."version", ')' ) ORDER BY "artifactId" ASC, "version" ASC SEPARATOR ', ') as "artifact",
GROUP_CONCAT(DISTINCT ac."packageUrl" ORDER BY "packageUrl" ASC SEPARATOR ', ') as "packageUrl",
ARRAY_AGG(DISTINCT l."normalizedLicenseContent" ORDER BY "normalizedLicenseContent" DESC)[1] as "normalizedLicenseContent",
UCASE(REGEXP_REPLACE(l."normalizedLicenseContent",'\s','')) as "unifiedNormalizedLicenseContent"
from
Expand Up @@ -47,9 +47,9 @@ This document has 3 sections:

<h2 id="components">Component / License overview</h2>

The following table lists all third party Open Source Components that may be contained in this product. Besides name and version the table lists:
The following table lists all third party Open Source Components that may be contained in this product. Besides the <a href="https://github.com/package-url/purl-spec">package URL</a> (identifier of the componente) the table lists:
<ul>
<li>the URL of the Source-Code-Repository for downloading the source code</li>
<li>the URL of the Source-Code-Repository or Source-Code archive for downloading the source code</li>
<li>the names of the OSS licenses attached to the component; in case that the component is dual-/multilicensed <i>(NA)</i> indicates that the component is herein distributed under an alternative license and the license does not apply in the context of this distribution</li>
<li>copyright information given in the third party component; in case that no direct copyright notices are given then author/contributor information might be given if available</li>
</ul>
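Review bot: typo in the new introductory sentence: "identifier of the componente" should read "identifier of the component". The rest of the wording change (purl replaces name and version as the identifying column, and the source link may now be an archive rather than a repository) matches the table changes below.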
Expand All @@ -58,8 +58,7 @@ The following table lists all third party Open Source Components that may be con
<table>
## head row
<tr>
<th>Name</th>
<th>Version</th>
<th>Package URL</th>
<th>Source Code Repository</th>
<th>Licenses</th>
<th>Copyrights (or Authors/Contributors)</th>
Expand All @@ -72,13 +71,21 @@ The following table lists all third party Open Source Components that may be con
#set( $aid = $license.artifactId )
#set( $gid = $license.groupId )
#set( $ver = $license.version )
#set( $purl = $license.packageUrl )
#set( $apps = $license.APPS )
<td>$license.artifactId</td> ## application component name
<td>$license.version</td> ## application component version
<td>$license.sourceRepoUrl</td>
## <td>$license.artifactId</td> ## application component name
## <td>$license.version</td> ## application component version
<td>$license.packageUrl</td> ## application component package Url
<td>
#if( "$!license.sourceRepoUrl" != "" )
$license.sourceRepoUrl
#else
$!license.sourceDownloadUrl
#end
</td>
<td class="licenses">
#foreach($ac in $NONCOMMERCIALCOMPONENTS_LICENSES )
#if( $aid == $ac.artifactId && $gid == $ac.groupId && $ver == $ac.version )
#if( $purl == $ac.packageUrl )
## #set( $key = "${gid}${aid}${ac.normalizedLicense}" ) ## this is not necessarily sufficient as uinque id because version is missing
## <a href="#$esc.hash($key)">$ac.normalizedLicense</a> ## linking does not work currently
$ac.normalizedLicense
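Review bot: `<td>$license.packageUrl</td>` writes the purl into the cell without `$esc.html`, while the copyrights cell runs every value through `$esc.html`; package URLs originate from scanned build files and legitimately contain `&` between qualifiers (`?type=jar&classifier=...`), so apply the same escaping here and to `$license.sourceRepoUrl` / `$!license.sourceDownloadUrl` so the generated HTML stays well-formed and no scanner-supplied string is emitted raw. The two commented-out `## <td>...` lines for artifactId and version are dead code now that the purl column replaced them and can be deleted. Switching the license lookup to `#if( $purl == $ac.packageUrl )` is consistent with the SQL hunks that now group on packageUrl.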
Expand All @@ -89,7 +96,11 @@ The following table lists all third party Open Source Components that may be con
#end
#end
</td>
<td class="copyrights">$esc.newLinesAsBreaks($esc.html($license.copyrights))</td> ## copyrights
#if( "$!license.copyrights" != "")
<td class="copyrights">$esc.newLinesAsBreaks($esc.html($license.copyrights))</td> ## copyrights
#else
<td class="copyrights"></td> ## no copyrights given
#end
</tr>
#end

Expand Down Expand Up @@ -130,7 +141,7 @@ options.
<p>
<b>Defined/referenced license(s):</b> $ul.normalizedLicense
<br/>
<b>Applicable component(s):</b> $ul.artifact
<b>Applicable component(s):</b> $ul.packageUrl
</p>
#end
<hr/>
Expand All @@ -142,7 +153,7 @@ The following additional attribution notices are given within NOTICE files and a
#foreach($nf in $NOTICEFILES)
<hr/>
<p>
<b>Component(s)</b>: $nf.artifact
<b>Component(s)</b>: $nf.packageUrl
</p>
<p>
#if ($nf.noticeFileContent)
3 changes: 2 additions & 1 deletion documentation/master-solicitor.asciidoc
Expand Up @@ -1700,6 +1700,7 @@ Spring beans implementing this interface will be called at certain points in the
== Release Notes
Changes in 1.21.0::
* https://github.com/devonfw/solicitor/pull/239: Improving some internal components to reduce risk of path traversal attacks in case that these components are (re)used in some webservice implementation.
* https://github.com/devonfw/solicitor/issues/240: Improve Attributions.html to use packageUrl. Fixed bug where license texts for components with license type 'SCANCODE' were not printed.

Changes in 1.20.0::
* https://github.com/devonfw/solicitor/issues/232: Set a standard for ordering LicenseNameMapping rules. Rules with an 'or-later' suffix are put before '-only' rules.
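Review bot: the new entry links issue 240 while the commit itself is PR #241; the 1.21.0 entry directly above links its PR (pull/239), so adding the PR link keeps the notes consistent. The note should also say that the `ossHomepage` column was dropped from the attribution result set and `sourceDownloadUrl`/`packageDownloadUrl` were added, because users with customised Attributions templates will need to adjust them.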
Expand Down Expand Up @@ -1873,4 +1874,4 @@ Changes in 1.0.7::
* https://github.com/devonfw/solicitor/issues/56: Enable continuing analysis in
multiapplication projects even is some license files are unavailable.
* Described simplified usage of license-maven-plugin without need to change pom.xml. (Documentation only)
* Ensure consistent sorting even in case that multiple "Ignored" licenses exist for a component
* Ensure consistent sorting even in case that multiple "Ignored" licenses exist for a component
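Review bot: the removed and added lines here are identical, so this is a trailing-newline or whitespace-only change at the end of the file; it accounts for the "1 deletion" in this file's summary and carries no content change.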

0 comments on commit 372ee37