adding tests for deep license scanning

pkg/fanal/analyzer/language/dotnet/nuget/nuget.go

@@ -135,8 +135,6 @@ func (a *nugetLibraryAnalyzer) PostAnalyze(_ context.Context, input analyzer.Pos
 				return xerrors.Errorf("license find error: %w", err)
 			}
 
-			a.logger.Info("Number of root path licenses found: ", log.Any("Count", len(rootPathLicenses)))
-
 			for _, license := range rootPathLicenses {
 				looseLicense := types.LicenseFile{
 					Type:     license.Type,

pkg/fanal/analyzer/language/nodejs/npm/npm_test.go

@@ -2,7 +2,9 @@ package npm
 
 import (
 	"context"
+	"encoding/json"
 	"os"
+	"slices"
 	"sort"
 	"testing"
 
@@ -288,3 +290,285 @@ func Test_nodePkgLibraryAnalyzer_Required(t *testing.T) {
 		})
 	}
 }
+
+func TestDeepLicenseScanning(t *testing.T) {
+	tests := []struct {
+		name string
+		dir  string
+		want *analyzer.AnalysisResult
+	}{
+		{
+			name: "deep-license-scan",
+			dir:  "testdata/deep-license-scan",
+			want: &analyzer.AnalysisResult{
+				Applications: []types.Application{
+					{
+						Type:     types.Npm,
+						FilePath: "package-lock.json",
+						Packages: types.Packages{
+							{
+								ID:      "[email protected]",
+								Name:    "babel-runtime",
+								Version: "6.26.0",
+								Licenses: []string{
+									"MIT",
+								},
+								ConcludedLicenses: []types.License{
+									{
+										Name:                "Apache-2.0",
+										Type:                "header",
+										IsDeclared:          false,
+										FilePath:            "node_modules/babel-runtime/node_modules/core-js/test2.go",
+										LicenseTextChecksum: "bdc80008ee57ce3815ac3d8be33e4bad3508d5729dd8cbbbe6c799245ee77edd",
+										CopyrightText:       "",
+									},
+									{
+										Name:                "BSD-3-Clause",
+										Type:                "license-file",
+										IsDeclared:          false,
+										FilePath:            "node_modules/babel-runtime/LICENSE",
+										LicenseTextChecksum: "385bce4f8bf50fb890c351674d4eac08fae03de787f2b37332f6184245706df6",
+										CopyrightText:       "",
+									},
+								},
+
+								Indirect:     true,
+								Relationship: types.RelationshipIndirect,
+								DependsOn: []string{
+									"[email protected]",
+									"[email protected]",
+								},
+								Locations: []types.Location{
+									{
+										StartLine: 11,
+										EndLine:   19,
+									},
+								},
+								ExternalReferences: []types.ExternalRef{
+									{
+										Type: types.RefOther,
+										URL:  "https://registry.npmjs.org/babel-runtime/-/babel-runtime-6.26.0.tgz",
+									},
+								},
+							},
+							{
+								ID:           "[email protected]",
+								Name:         "core-js",
+								Version:      "2.6.12",
+								Indirect:     true,
+								Relationship: types.RelationshipIndirect,
+								Locations: []types.Location{
+									{
+										StartLine: 20,
+										EndLine:   26,
+									},
+									{
+										StartLine: 59,
+										EndLine:   63,
+									},
+								},
+								ExternalReferences: []types.ExternalRef{
+									{
+										Type: types.RefOther,
+										URL:  "https://registry.npmjs.org/core-js/-/core-js-2.6.12.tgz",
+									},
+									{
+										Type: types.RefOther,
+										URL:  "https://registry.npmjs.org/regenerator-runtime/-/regenerator-runtime-0.11.1.tgz",
+									},
+								},
+							},
+							{
+								ID:      "[email protected]",
+								Name:    "jiti",
+								Version: "1.21.0",
+								Licenses: []string{
+									"MIT",
+								},
+								Indirect:     true,
+								Relationship: types.RelationshipIndirect,
+								DependsOn: []string{
+									"[email protected]",
+								},
+								Locations: []types.Location{
+									{
+										StartLine: 32,
+										EndLine:   39,
+									},
+								},
+								ExternalReferences: []types.ExternalRef{
+									{
+										Type: types.RefOther,
+										URL:  "https://registry.npmjs.org/babel-runtime/-/babel-runtime-6.26.0.tgz",
+									},
+								},
+							},
+							{
+								ID:           "[email protected]",
+								Name:         "jujutsu",
+								Version:      "1.20.20",
+								Indirect:     true,
+								Relationship: types.RelationshipIndirect,
+								DependsOn: []string{
+									"[email protected]",
+								},
+								Locations: []types.Location{
+									{
+										StartLine: 45,
+										EndLine:   53,
+									},
+								},
+								ExternalReferences: []types.ExternalRef{
+									{
+										Type: types.RefOther,
+										URL:  "https://registry.npmjs.org/babel-runtime/-/babel-runtime-6.26.0.tgz",
+									},
+								},
+							},
+							{
+								ID:      "[email protected]",
+								Name:    "ninja",
+								Version: "6.26.0",
+								Licenses: []string{
+									"MIT",
+								},
+								ConcludedLicenses: []types.License{
+									{
+										Name:                "GPL-2.0",
+										Type:                "header",
+										IsDeclared:          false,
+										FilePath:            "node_modules/jiti/node_modules/ninja/LICENSE",
+										LicenseTextChecksum: "1d1291699fa1a23d6414a3a3994dcf8db6bacf6c5ab6624a7231b1543e6dfe27",
+										CopyrightText:       "",
+									},
+								},
+								Indirect:     true,
+								Relationship: types.RelationshipIndirect,
+								Locations: []types.Location{
+									{
+										StartLine: 40,
+										EndLine:   44,
+									},
+								},
+								ExternalReferences: []types.ExternalRef{
+									{
+										Type: types.RefOther,
+										URL:  "https://registry.npmjs.org/babel-runtime/-/babel-runtime-6.26.0.tgz",
+									},
+								},
+							},
+							{
+								ID:      "[email protected]",
+								Name:    "regenerator-runtime",
+								Version: "0.11.1",
+								Licenses: []string{
+									"MIT",
+									"MIT",
+								},
+								ConcludedLicenses: []types.License{
+									{
+										Name:                "BSD-3-Clause",
+										Type:                "license-file",
+										IsDeclared:          false,
+										FilePath:            "node_modules/babel-runtime/node_modules/regenerator-runtime/LICENSE",
+										LicenseTextChecksum: "385bce4f8bf50fb890c351674d4eac08fae03de787f2b37332f6184245706df6",
+										CopyrightText:       "",
+									},
+									{
+										Name:                "Apache-2.0",
+										Type:                "header",
+										IsDeclared:          false,
+										FilePath:            "node_modules/babel-runtime/node_modules/regenerator-runtime/test1.go",
+										LicenseTextChecksum: "3ecd2b1a881c13670817e5db77bcfeaa3b76e318ca96037301d6488ff5cd71d6",
+										CopyrightText:       "",
+									},
+									{
+										Name:                "BSD-3-Clause",
+										Type:                "license-file",
+										IsDeclared:          false,
+										FilePath:            "node_modules/babel-runtime/node_modules/regenerator-runtime/.git/LICENSE",
+										LicenseTextChecksum: "0497daad1a4b665867ffbc3c7e23a4d3bc9f40b8f0f18647c991353176606784",
+										CopyrightText:       "",
+									},
+								},
+								Indirect:     true,
+								Relationship: types.RelationshipIndirect,
+								Locations: []types.Location{
+									{
+										StartLine: 27,
+										EndLine:   31,
+									},
+									{
+										StartLine: 54,
+										EndLine:   58,
+									},
+								},
+								ExternalReferences: []types.ExternalRef{
+									{
+										Type: types.RefOther,
+										URL:  "https://registry.npmjs.org/regenerator-runtime/-/regenerator-runtime-0.11.1.tgz",
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			a, err := newNpmLibraryAnalyzer(analyzer.AnalyzerOptions{
+				LicenseScannerOption: analyzer.LicenseScannerOption{
+					Enabled:                   true,
+					Full:                      true,
+					LicenseScanWorkers:        5,
+					ClassifierConfidenceLevel: 0.75,
+				},
+			})
+			require.NoError(t, err)
+
+			got, err := a.PostAnalyze(context.Background(), analyzer.PostAnalysisInput{
+				FS: os.DirFS(tt.dir),
+			})
+			require.NoError(t, err)
+
+			if len(got.Applications) > 0 {
+				sort.Sort(got.Applications[0].Packages)
+			}
+
+			// sort the licenses
+			for _, app := range got.Applications {
+				packages := app.Packages
+				for _, pkg := range packages {
+					slices.Sort(pkg.Licenses)
+					sort.SliceStable(pkg.ConcludedLicenses, func(i, j int) bool {
+						return pkg.ConcludedLicenses[i].Name <= pkg.ConcludedLicenses[j].Name &&
+							pkg.ConcludedLicenses[i].FilePath < pkg.ConcludedLicenses[j].FilePath
+					})
+				}
+			}
+
+			for _, app := range tt.want.Applications {
+				packages := app.Packages
+				for _, pkg := range packages {
+					slices.Sort(pkg.Licenses)
+					sort.SliceStable(pkg.ConcludedLicenses, func(i, j int) bool {
+						return pkg.ConcludedLicenses[i].Name <= pkg.ConcludedLicenses[j].Name &&
+							pkg.ConcludedLicenses[i].FilePath < pkg.ConcludedLicenses[j].FilePath
+					})
+				}
+			}
+
+			// compared the serialized jsons
+			serializedGot, err := json.Marshal(got.Applications)
+			require.NoError(t, err)
+
+			serializedWant, err := json.Marshal(tt.want.Applications)
+			require.NoError(t, err)
+
+			assert.Equal(t, string(serializedWant), string(serializedGot))
+		})
+	}
+}

pkg/fanal/analyzer/language/nodejs/npm/testdata/deep-license-scan/LICENSE

@@ -0,0 +1,27 @@
+Copyright (c) 2009 The Go Authors. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+- Redistributions of source code must retain the above copyright
+  notice, this list of conditions and the following disclaimer.
+- Redistributions in binary form must reproduce the above
+  copyright notice, this list of conditions and the following disclaimer
+  in the documentation and/or other materials provided with the
+  distribution.
+- Neither the name of Google Inc. nor the names of its
+  contributors may be used to endorse or promote products derived from
+  this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.