License text provider plugins

[mnonnenmacher]

A draft for license text providers, created for early feedback. The plan is to convert the existing logic into separate providers that are queried in the order defined by the user, so two more will be added:

• ScanCode license text provider, to provider license texts from a local ScanCode installation.
• A provider for a directory containing custom license texts.
  I would also like to add on that downloads license texts on demand from https://scancode-licensedb.aboutcode.org.

@sschuberth I just discovered #9620, so should this API be renamed to LicenseDataProvider already and the metadata model and functions could be added later?

TODO:

• Take new API into use
• Remove old API
• Generate plugin docs
• Write docs for license fact providers
• Fix failing tests.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 57.40%. Comparing base (d47c9ac) to head (2326dbf).
⚠️ Report is 12 commits behind head on main.

Additional details and impacted files

@@             Coverage Diff              @@
##               main   #10479      +/-   ##
============================================
+ Coverage     57.38%   57.40%   +0.01%     
- Complexity     1673     1674       +1     
============================================
  Files           346      346              
  Lines         12759    12763       +4     
  Branches       1209     1209              
============================================
+ Hits           7322     7326       +4     
  Misses         4972     4972              
  Partials        465      465              

Flag	Coverage Δ
funTest-docker	71.11% <ø> (ø)
funTest-non-docker	33.01% <0.00%> (-0.01%)	⬇️
test-ubuntu-24.04	41.92% <100.00%> (+0.02%)	⬆️
test-windows-2025	41.90% <100.00%> (+0.02%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[sschuberth]

@sschuberth I just discovered #9620, so should this API be renamed to LicenseDataProvider already and the metadata model and functions could be added later?

If we agree that it should be the same interface / plugin type that returns more license (meta)data later (and not a different interface / plugin type), then I believe it would be good to signal that intention by already now generalizing the interface and class names to LicenseDataProvider or e.g. LicenseMetadataProvider.

As a side note, my old license-classification-interface branch contains a separate LicenseClassifications interface that could later be merged into the interface defined here (again, if we decide that texts and classifications should be provided by the same plugin type).

[sschuberth]

Also interesting in this context: A new API for OSI Approved Licenses.

[mnonnenmacher]

The providers should now be on par with the currently used logic for reading license texts, but the integration is still missing. For ScanCode I have not copied the various fallbacks because I wasn't sure if they are still required.

[sschuberth]

For ScanCode I have not copied the various fallbacks because I wasn't sure if they are still required.

I believe we anyway should simplify the logic, and instead of looking in the various locations depending on how ScanCode was installed, we should use the scancode-license-data tool. A provider for it could call the tool once at runtime / initialization, and then serve the license texts from the location scancode-license-data was instructed to copy them to.

[mnonnenmacher]

@sschuberth Some tests are still failing but you could already make another review if you want.

[mnonnenmacher]

@sschuberth In 8b19f27 I have changed the old license text provider to ignore the "+" in SPDX licenses. I have not done this in the new implementation which makes the OpossumReporterFunTest fail because:

• For some reason it includes ALL SPDX license texts in the output file.
• While the content of the license text resources with and without "+" seems to be identical, it is formatted differently (for example, compare LGPL-3.0 and LGPL-3.0+).

The reason for the commit was to fix #5004, however, in the meantime we have added license text resources for the licenses with "+" (I didn't check when). What's your opinion, should I update the expected results for the Opossum reporter or revert the SPDX provider to the previous behavior and ignore the "+"? Another option is to keep the current implementation and ignore the "+" licenses only in the Opossum Reporter when creating the frequentLicenses list, this would be less tedious than updating the expected output, but maybe that would break something in Opossum.

It's also weird that the formatting of the license texts for the "+" licenses is different to that of the according licenses without "+".

[sschuberth]

which makes the OpossumReporterFunTest fail because:

* For some reason it includes ALL SPDX license texts in the output file.

This has bothered me in the past in the context of other changes as well.

• it is formatted differently (for example, compare LGPL-3.0 and LGPL-3.0+).

This formatting difference seems to come from the ScanCode license DB (compare lgpl-3.0.html to lgpl-3.0-plus.html), not from the SPDX list (compare LGPL-3.0-only.txt to LGPL-3.0-or-later.txt), as historically the former had better formatting than the latter. Maybe it's time by now to really only use SPDX license texts in our resources. Or not use any resources / bundled license texts at all anymore, and least not in the core, but exclusively move this data to license fact provider plugins.

What's your opinion, should I update the expected results for the Opossum reporter or revert the SPDX provider to the previous behavior and ignore the "+"?

I'd not ignore the "+" anymore; after all, the license texts for these variants could be different. But I believe we should always fall back to the non-"+" text if there is no dedicated "+" text. The question is whether e should leave this for each provider to implement, or guarantee this fallback somehow via the API.

So regarding OpossumReporterFunTest, I'd either update the expected results, or even reduce the test case to at least not test any "+" variants, or maybe even trim it down more to only check a few selected license texts.

[mnonnenmacher]

which makes the OpossumReporterFunTest fail because:

* For some reason it includes ALL SPDX license texts in the output file.

This has bothered me in the past in the context of other changes as well.

• it is formatted differently (for example, compare LGPL-3.0 and LGPL-3.0+).

This formatting difference seems to come from the ScanCode license DB (compare lgpl-3.0.html to lgpl-3.0-plus.html), not from the SPDX list (compare LGPL-3.0-only.txt to LGPL-3.0-or-later.txt), as historically the former had better formatting than the latter. Maybe it's time by now to really only use SPDX license texts in our resources. Or not use any resources / bundled license texts at all anymore, and least not in the core, but exclusively move this data to license fact provider plugins.

What's your opinion, should I update the expected results for the Opossum reporter or revert the SPDX provider to the previous behavior and ignore the "+"?

I'd not ignore the "+" anymore; after all, the license texts for these variants could be different. But I believe we should always fall back to the non-"+" text if there is no dedicated "+" text. The question is whether e should leave this for each provider to implement, or guarantee this fallback somehow via the API.

So regarding OpossumReporterFunTest, I'd either update the expected results, or even reduce the test case to at least not test any "+" variants, or maybe even trim it down more to only check a few selected license texts.

I have updated the expected results because that was the easiest solution.

[sschuberth]

Just a remark, nothing to be solved for this PR already: As the "SPDX" license fact provider uses resources that preferably are taken from ScanCode's LicenseDB, see

ort/utils/spdx/build.gradle.kts

Lines 110 to 111 in ebf94a6

	// Prefer the texts from ScanCode as these have better formatting than those from SPDX.
	val providers = sequenceOf(ScanCodeLicenseTextProvider(), SpdxLicenseListDataProvider())

this now creates a bit of a weird situation of the "SPDX" provider mostly returning "ScanCode" licenses. I'd like to clean that up after the merge of this PR so that the "SPDX" provider really only provides SPDX license texts, and then eventually switch the order of precedence here. That would also simplify the build system code, which currently has its own SpdxLicenseTextProvider interface:

ort/utils/spdx/build.gradle.kts

Lines 72 to 74 in ebf94a6

	fun interface SpdxLicenseTextProvider {
	fun getLicenseUrl(info: LicenseInfo): URI?
	}

[mnonnenmacher]

So is the argument that the formatting of the ScanCode license texts is better not valid anymore?

[sschuberth]

It's hard to tell precisely without investing more time. Sometimes it's still better, sometimes just different (maybe with SPDX even being a bit nicer, depending on taste), but probably never clearly worse.

Anyway, that's not the right question to ask anymore, IMO. We can still prefer ScanCode over SPDX license text, but that should not be done at the level of creating these (SPDX!) resources, but on the new LicenseFactProvider level.