feat(scanner): Adhere to Package.sourceCodeOrigins

Handle the new `sourceCodeOrigins` property, to make overriding the source code origins via a package curation take effect. Signed-off-by: Frank Viernau <frank_viernau@epam.com>
oss-review-toolkit · Mar 15, 2024 · 87f5d32 · 87f5d32
1 parent 829dad7
commit 87f5d32
Show file tree

Hide file tree

Showing 3 changed files with 47 additions and 11 deletions.
diff --git a/scanner/src/funTest/kotlin/provenance/DefaultPackageProvenanceResolverFunTest.kt b/scanner/src/funTest/kotlin/provenance/DefaultPackageProvenanceResolverFunTest.kt
@@ -22,7 +22,9 @@ package org.ossreviewtoolkit.scanner.provenance
 import io.kotest.assertions.throwables.shouldThrow
 import io.kotest.core.spec.Spec
 import io.kotest.core.spec.style.WordSpec
+import io.kotest.matchers.should
 import io.kotest.matchers.shouldBe
+import io.kotest.matchers.types.beInstanceOf
 
 import java.io.IOException
 
@@ -191,6 +193,32 @@ class DefaultPackageProvenanceResolverFunTest : WordSpec() {
                     ArtifactProvenance(pkg.sourceArtifact)
             }
         }
+
+        "source code origins from package" should {
+            "override the default" {
+                val pkg = Package.EMPTY.copy(
+                    sourceArtifact = RemoteArtifact(
+                        url = sourceArtifactUrl,
+                        hash = Hash.NONE
+                    ),
+                    vcsProcessed = VcsInfo(
+                        type = VcsType.GIT,
+                        url = repositoryUrl,
+                        revision = "ad0367b7b9920144a47b8d30cc0c84cea102b821"
+                    )
+                )
+
+                resolver.resolveProvenance(
+                    pkg.copy(sourceCodeOrigins = listOf(SourceCodeOrigin.VCS)),
+                    listOf(SourceCodeOrigin.ARTIFACT, SourceCodeOrigin.VCS)
+                ) should beInstanceOf<RepositoryProvenance>()
+
+                resolver.resolveProvenance(
+                    pkg.copy(sourceCodeOrigins = listOf(SourceCodeOrigin.ARTIFACT)),
+                    listOf(SourceCodeOrigin.VCS, SourceCodeOrigin.ARTIFACT)
+                ) should beInstanceOf<ArtifactProvenance>()
+            }
+        }
     }
 }
 

diff --git a/scanner/src/main/kotlin/provenance/PackageProvenanceResolver.kt b/scanner/src/main/kotlin/provenance/PackageProvenanceResolver.kt
@@ -47,11 +47,11 @@ import org.ossreviewtoolkit.utils.ort.showStackTrace
  */
 interface PackageProvenanceResolver {
     /**
-     * Resolve the [KnownProvenance] of [pkg] based on the provided [sourceCodeOriginPriority].
+     * Resolve the [KnownProvenance] of [pkg] based on the provided [defaultSourceCodeOriginsPriority].
      *
      * Throws an [IOException] if the provenance cannot be resolved.
      */
-    fun resolveProvenance(pkg: Package, sourceCodeOriginPriority: List<SourceCodeOrigin>): KnownProvenance
+    fun resolveProvenance(pkg: Package, defaultSourceCodeOriginsPriority: List<SourceCodeOrigin>): KnownProvenance
 }
 
 /**
@@ -62,15 +62,20 @@ class DefaultPackageProvenanceResolver(
     private val workingTreeCache: WorkingTreeCache
 ) : PackageProvenanceResolver {
     /**
-     * Resolve the [Provenance] of [pkg] based on the provided [sourceCodeOriginPriority]. For source artifacts it is
-     * verified that the [RemoteArtifact] does exist. For a VCS it is verified that the revision exists. If the revision
-     * provided by the [package][pkg] metadata does not exist or is missing, the function tries to guess the tag based
-     * on the name and version of the [package][pkg].
+     * Resolve the [Provenance] of [pkg] based on the provided [defaultSourceCodeOriginsPriority] which is used in case
+     * the [Package][pkg] does not specify the source code origins to be used. For source artifacts it is verified that
+     * the [RemoteArtifact] does exist. For a VCS it is verified that the revision exists. If the revision provided by
+     * the [package][pkg] metadata does not exist or is missing, the function tries to guess the tag based on the name
+     * and version of the [package][pkg].
      */
-    override fun resolveProvenance(pkg: Package, sourceCodeOriginPriority: List<SourceCodeOrigin>): KnownProvenance {
+    override fun resolveProvenance(
+        pkg: Package,
+        defaultSourceCodeOriginsPriority: List<SourceCodeOrigin>
+    ): KnownProvenance {
         val errors = mutableMapOf<SourceCodeOrigin, Throwable>()
+        val sourceCodeOrigins = pkg.sourceCodeOrigins ?: defaultSourceCodeOriginsPriority
 
-        sourceCodeOriginPriority.forEach { sourceCodeOrigin ->
+        sourceCodeOrigins.forEach { sourceCodeOrigin ->
             runCatching {
                 when (sourceCodeOrigin) {
                     SourceCodeOrigin.ARTIFACT -> {
@@ -98,7 +103,7 @@ class DefaultPackageProvenanceResolver(
         val message = buildString {
             append(
                 "Could not resolve provenance for package '${pkg.id.toCoordinates()}' for source code origins " +
-                    "$sourceCodeOriginPriority."
+                    "$defaultSourceCodeOriginsPriority."
             )
 
             errors.forEach { (origin, throwable) ->

diff --git a/scanner/src/test/kotlin/ScannerTest.kt b/scanner/src/test/kotlin/ScannerTest.kt
@@ -952,8 +952,11 @@ private class FakeProvenanceDownloader(val filename: String = "fake.txt") : Prov
  * validation.
  */
 private class FakePackageProvenanceResolver : PackageProvenanceResolver {
-    override fun resolveProvenance(pkg: Package, sourceCodeOriginPriority: List<SourceCodeOrigin>): KnownProvenance {
-        sourceCodeOriginPriority.forEach { sourceCodeOrigin ->
+    override fun resolveProvenance(
+        pkg: Package,
+        defaultSourceCodeOriginsPriority: List<SourceCodeOrigin>
+    ): KnownProvenance {
+        defaultSourceCodeOriginsPriority.forEach { sourceCodeOrigin ->
             when (sourceCodeOrigin) {
                 SourceCodeOrigin.ARTIFACT -> {
                     if (pkg.sourceArtifact != RemoteArtifact.EMPTY) {