Finder for licenses of package versions
Why are we doing this work
To perform License Scanning as described in &9400 (closed), we need to list the licenses for package versions.
Implementation plan
- Create a finder that gets licenses of package versions.
- It queries the DB tables implemented in Update DB schema to store data imported from th... (#373163 - closed).
- It takes tuples of PURL type, package name, and package version.
- It returns the corresponding licenses.
Further details
The licenses finder can be directly fed with the output of the SBOM component fetchers implemented in #384536 (closed): it takes an array of structs, where each struct has a `name`, `version`, and `purl_type`. It fetches the SPDX identifiers of the licenses for these package versions.
To leverage the table list partitioning on PURL type implemented in !104155 (merged), the finder should perform one SELECT query per PURL type, so that every join carries the `purl_type` partition key and each query touches a single partition. Queries would then look like this:

```sql
SELECT ps.name, pvs.version, ls.spdx_identifier
FROM pm_packages ps
JOIN pm_package_versions pvs ON
  pvs.purl_type = ps.purl_type AND pvs.pm_package_id = ps.id
JOIN pm_package_version_licenses pvls ON
  pvls.purl_type = pvs.purl_type AND pvls.pm_package_version_id = pvs.id
JOIN pm_licenses ls ON
  pvls.pm_license_id = ls.id
WHERE ps.purl_type = 1 AND
  (ps.name, pvs.version) IN (('depA', 'v1'), ('depA', 'v2'))
```
See !104155 (merged)
Considering that a single project might depend on a large number of package versions, the finder might limit the number of rows returned by each SELECT query (for instance by batching the `(name, version)` tuples it passes in the IN list) and iterate over the batches.
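The shape of such a finder, as an added example that is not GitLab's own code: it groups the input structs by `purl_type`, issues one parameterized query per PURL type with a bounded IN list, and collects the SPDX identifiers per `(purl_type, name, version)`. The class name `PackageLicensesFinder`, the `PURL_TYPES` string-to-integer mapping, the `?` bind-parameter style and the in-memory `FakeExecutor` standing in for the database are all assumptions made for the example; the rows in `FAKE_ROWS` are constructed.

```ruby
# Added example, not GitLab's code. Mirrors the plan: one query per PURL type,
# input tuples batched, licenses returned per (purl_type, name, version).

Component = Struct.new(:name, :version, :purl_type, keyword_init: true)

# Assumed mapping from PURL type string to the integer partition key value;
# the real enum values live in the schema from #373163.
PURL_TYPES = { 'npm' => 1, 'gem' => 2, 'pypi' => 3 }.freeze

class PackageLicensesFinder
  def initialize(components, executor:, batch_size: 500)
    @components = components
    @executor = executor      # anything responding to call(sql, binds) -> rows
    @batch_size = batch_size  # caps the IN list, and so the rows per query
  end

  # Returns { [purl_type, name, version] => [spdx_identifier, ...] }.
  # Components with no match are simply absent from the result.
  def execute
    result = Hash.new { |h, k| h[k] = [] }
    @components.group_by(&:purl_type).each do |purl_type, comps|
      type_id = PURL_TYPES.fetch(purl_type)
      tuples = comps.map { |c| [c.name, c.version] }.uniq
      tuples.each_slice(@batch_size) do |batch|
        sql, binds = build_query(type_id, batch)
        @executor.call(sql, binds).each do |name, version, spdx|
          result[[purl_type, name, version]] << spdx
        end
      end
    end
    result
  end

  # Parameterized query: fixed purl_type on the base table plus a
  # (name, version) IN list; every join repeats the partition key.
  def build_query(type_id, tuples)
    placeholders = tuples.map { '(?, ?)' }.join(', ')
    sql = <<~SQL
      SELECT ps.name, pvs.version, ls.spdx_identifier
      FROM pm_packages ps
      JOIN pm_package_versions pvs
        ON pvs.purl_type = ps.purl_type AND pvs.pm_package_id = ps.id
      JOIN pm_package_version_licenses pvls
        ON pvls.purl_type = pvs.purl_type AND pvls.pm_package_version_id = pvs.id
      JOIN pm_licenses ls
        ON pvls.pm_license_id = ls.id
      WHERE ps.purl_type = ? AND (ps.name, pvs.version) IN (#{placeholders})
    SQL
    [sql, [type_id, *tuples.flatten]]
  end
end

# Constructed stand-in for the joined tables: (purl_type id, name, version, spdx).
FAKE_ROWS = [
  [1, 'depA', 'v1', 'MIT'],
  [1, 'depA', 'v2', 'MIT'],
  [1, 'depA', 'v2', 'Apache-2.0'],    # dual-licensed version
  [1, 'depB', 'v1', 'BSD-3-Clause'],
  [2, 'depA', 'v1', 'GPL-3.0-only'],  # same name/version under another PURL type
].freeze

# Fake executor: filters FAKE_ROWS by the binds and counts queries issued.
class FakeExecutor
  attr_reader :calls

  def initialize(rows)
    @rows = rows
    @calls = 0
  end

  def call(_sql, binds)
    @calls += 1
    type_id, *pairs = binds
    wanted = pairs.each_slice(2).to_a
    @rows.select { |t, n, v, _| t == type_id && wanted.include?([n, v]) }
         .map { |_, n, v, s| [n, v, s] }
  end
end

# Runs the finder on constructed SBOM components with a small batch size so
# the batching is visible: 4 npm tuples -> 2 queries, 1 gem tuple -> 1 query.
def demo_licenses
  components = [
    Component.new(name: 'depA', version: 'v1', purl_type: 'npm'),
    Component.new(name: 'depA', version: 'v2', purl_type: 'npm'),
    Component.new(name: 'depB', version: 'v1', purl_type: 'npm'),
    Component.new(name: 'depA', version: 'v1', purl_type: 'gem'),
    Component.new(name: 'missing', version: '0.0.1', purl_type: 'npm'),
  ]
  executor = FakeExecutor.new(FAKE_ROWS)
  result = PackageLicensesFinder.new(components, executor: executor, batch_size: 2).execute
  [result, executor.calls]
end
```

The same `(name, version)` pair can legitimately return several rows (a dual-licensed version) or rows for different PURL types, which is why the result is keyed by the full triple rather than by name and version alone.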