feat(policies): add support for license source filtering in copyleft inspection

Author: isasmendiagus

CHANGELOG.md

@@ -6,6 +6,17 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
+
+### Added
+- Added `--license-sources` (`-ls`) option to copyleft inspection
+  - Filter which license sources to check (component_declared, license_file, file_header, file_spdx_tag, scancode)
+  - Supports both `-ls source1 source2` and `-ls source1 -ls source2` syntax
+
+### Changed
+- Copyleft inspection now defaults to component-level licenses only (component_declared, license_file)
+  - Reduces noise from file-level license detections (file_header, scancode)
+  - Use `-ls` to override and check specific sources
+
 ### Fixed
 - Fixed terminal cursor disappearing after aborting scan with Ctrl+C
 

src/scanoss/cli.py

@@ -55,6 +55,7 @@
 from .components import Components
 from .constants import (
     DEFAULT_API_TIMEOUT,
+    DEFAULT_COPYLEFT_LICENSE_SOURCES,
     DEFAULT_HFH_DEPTH,
     DEFAULT_HFH_MIN_ACCEPTED_SCORE,
     DEFAULT_HFH_RANK_THRESHOLD,
@@ -64,6 +65,7 @@
     DEFAULT_TIMEOUT,
     MIN_TIMEOUT,
     PYTHON_MAJOR_VERSION,
+    VALID_LICENSE_SOURCES,
 )
 from .csvoutput import CsvOutput
 from .cyclonedx import CycloneDx
@@ -699,6 +701,19 @@ def setup_args() -> None:  # noqa: PLR0912, PLR0915
         p.add_argument('--exclude', help='Licenses to exclude from analysis (comma-separated list)')
         p.add_argument('--explicit', help='Use only these specific licenses for analysis (comma-separated list)')
 
+    # License source filtering
+    # NOTE: Python <3.13 shows choices for each option form (noisy), Python 3.13+ shows once (clean)
+    # See: https://github.com/python/cpython/commit/c4a2e8a2c5188c3288d57b80852e92c83f46f6f3
+    for p in [p_inspect_raw_copyleft, p_inspect_legacy_copyleft]:
+        p.add_argument(
+            '-ls', '--license-sources',
+            action='extend',
+            nargs='+',
+            choices=VALID_LICENSE_SOURCES,
+            help=f'Specify which license sources to check for copyleft violations. Each license object in scan results '
+                 f'has a source field indicating its origin. Default: {", ".join(DEFAULT_COPYLEFT_LICENSE_SOURCES)}',
+        )
+
     # Common options for (legacy) copyleft and undeclared component inspection
     for p in [p_inspect_raw_copyleft, p_inspect_raw_undeclared, p_inspect_legacy_copyleft, p_inspect_legacy_undeclared]:
         p.add_argument('-i', '--input', nargs='?', help='Path to scan results file to analyse')
@@ -1752,6 +1767,7 @@ def inspect_copyleft(parser, args):
             include=args.include,  # Additional licenses to check
             exclude=args.exclude,  # Licenses to ignore
             explicit=args.explicit,  # Explicit license list
+            license_sources=args.license_sources,  # License sources to check (list)
         )
         # Execute inspection and exit with appropriate status code
         status, _ = i_copyleft.run()

src/scanoss/constants.py

@@ -17,3 +17,6 @@
 DEFAULT_HFH_DEPTH = 1
 DEFAULT_HFH_RECURSIVE_THRESHOLD = 0.8
 DEFAULT_HFH_MIN_ACCEPTED_SCORE = 0.15
+
+VALID_LICENSE_SOURCES = ['component_declared', 'license_file', 'file_header', 'file_spdx_tag', 'scancode']
+DEFAULT_COPYLEFT_LICENSE_SOURCES = ['component_declared', 'license_file']

src/scanoss/inspection/policy_check/scanoss/copyleft.py

@@ -26,6 +26,8 @@
 from dataclasses import dataclass
 from typing import Dict, List
 
+from scanoss.constants import DEFAULT_COPYLEFT_LICENSE_SOURCES
+
 from ...policy_check.policy_check import PolicyCheck, PolicyOutput, PolicyStatus
 from ...utils.markdown_utils import generate_jira_table, generate_table
 from ...utils.scan_result_processor import ScanResultProcessor
@@ -63,6 +65,7 @@ def __init__( # noqa: PLR0913
         include: str = None,
         exclude: str = None,
         explicit: str = None,
+        license_sources: list = None,
     ):
         """
         Initialise the Copyleft class.
@@ -77,6 +80,7 @@ def __init__( # noqa: PLR0913
         :param include: Licenses to include in the analysis
         :param exclude: Licenses to exclude from the analysis
         :param explicit: Explicitly defined licenses
+        :param license_sources: List of license sources to check
         """
         super().__init__(
             debug, trace, quiet, format_type, status, name='Copyleft Policy', output=output
@@ -85,14 +89,16 @@ def __init__( # noqa: PLR0913
         self.filepath = filepath
         self.output = output
         self.status = status
+        self.license_sources = license_sources or DEFAULT_COPYLEFT_LICENSE_SOURCES
         self.results_processor = ScanResultProcessor(
             self.debug,
             self.trace,
             self.quiet,
             self.filepath,
             include,
             exclude,
-            explicit)
+            explicit,
+            self.license_sources)
 
     def _json(self, components: list[Component]) -> PolicyOutput:
         """

src/scanoss/inspection/utils/scan_result_processor.py

@@ -71,11 +71,13 @@ def __init__( # noqa: PLR0913
         include: str = None,
         exclude: str = None,
         explicit: str = None,
+        license_sources: list = None,
     ):
         super().__init__(debug, trace, quiet)
         self.result_file_path = result_file_path
         self.license_util = LicenseUtil()
         self.license_util.init(include, exclude, explicit)
+        self.license_sources = license_sources
         self.results = self._load_input_file()
 
     def get_results(self) -> Dict[str, Any]:
@@ -162,9 +164,11 @@ def _append_license_to_component(self,
             self.print_debug(f'WARNING: Results missing licenses. Skipping: {new_component}')
             return
 
-        licenses_order_by_source_priority = self._get_licenses_order_by_source_priority(new_component['licenses'])
+        # Select licenses based on configuration (filtering or priority mode)
+        selected_licenses = self._select_licenses(new_component['licenses'])
+
         # Process licenses for this component
-        for license_item in licenses_order_by_source_priority:
+        for license_item in selected_licenses:
             if license_item.get('name'):
                 spdxid = license_item['name']
                 source = license_item.get('source')
@@ -309,19 +313,26 @@ def convert_components_to_list(self, components: dict):
                 component['licenses'] = []
         return results_list
 
-    def _get_licenses_order_by_source_priority(self,licenses_data):
+    def _select_licenses(self, licenses_data):
         """
-        Select licenses based on source priority:
-        1. component_declared (highest priority)
-        2. license_file
-        3. file_header
-        4. scancode (lowest priority)
+        Select licenses based on configuration.
+
+        Two modes:
+        - Filtering mode: If license_sources specified, filter to those sources
+        - Priority mode: Otherwise, use original priority-based selection
 
-        If any high-priority source is found, return only licenses from that source.
-        If none found, return all licenses.
+        Args:
+            licenses_data: List of license dictionaries
 
-        Returns: list with ordered licenses by source.
+        Returns:
+            Filtered list of licenses based on configuration
         """
+        # Filtering mode, when license_sources is explicitly provided
+        if self.license_sources:
+            sources_to_include = set(self.license_sources) | {'unknown'}
+            return [lic for lic in licenses_data
+                    if lic.get('source') in sources_to_include or lic.get('source') is None]
+
         # Define priority order (highest to lowest)
         priority_sources = ['component_declared', 'license_file', 'file_header', 'scancode']