feat: add switch to add license text to BOM result

[CompartMSL]

fixes #256

[jkowalleck]

❌ Please add proper tests.

PS: this is already ongoing

[jkowalleck]

Based on the proposed implementation, the new switch --add-license-text contradicts the existing switch --package-lock-only.

The --package-lock-only (options.packageLockOnly) should have priority - meaning if options.packageLockOnly is true, then options.addLicenseText should be set to false regardless of the user's input. (see how options.packageLockOnly is handled in src/cli.ts)

@CompartMSL, how do you see this?

[CompartMSL]

Based on the proposed implementation, the new switch --add-license-text contradicts the existing switch --package-lock-only.

The --package-lock-only (options.packageLockOnly) should have priority - meaning if options.packageLockOnly is true, then options.addLicenseText should be set to false regardless of the user's input. (see how options.packageLockOnly is handled in src/cli.ts)

@CompartMSL, how do you see this?

You are right.
After the implementation of this change I recognized, after the run of the tests, that the chosen test approach for --add-license-texts is disturbed by this change. The files in tests_data\sbom_demo-results\add-license-text\ shows not the wanted effect anymore.
Currently, I see the need to search another test approach and have no idea where to start.

[jkowalleck]

@CompartMSL re #427 (comment)

Ignore the tests for a while, and just take care of the needed implementation details.
Maybe just revert the tests you added, for a while. I will assist setting up a test, as soon as the desired feature is shaped properly.

[jkowalleck]

Please change the list/implementation to be case-insensitive.
I'd suggest having only lowercased entries in the list.
I'd suggest using a scandir-like behavior where all files are lowercased before they are compared against the list of known files.

[CompartMSL]

I chose the other way first to get a list of all files and match case-insensitive. Maybe there is later an idea to handle multiple files

[jkowalleck]

converted PR to "draft", since the implementation is not final, yet.

[jkowalleck]

❓ where does this come from?

[jkowalleck]

Why do this after everything is set?
I'd suggest putting the code in the existing BomBuilder.makeComponent()

[jkowalleck]

@CompartMSL I find the proposed current implementation disturbing, as it does not stick to chosen design principles and architecture of this project.

my suggestion: write the needed function and usage in the builders.ts file.

• Add the option whether to add the license texts to existing BomBuilderOptions and act based on it in the exiting BomBuilder. This option could be called shouldAddLicenseTexts.
• Create a new class there, that has a method that returns or updates needed structures based on a given directory path.
• inject your own builder into BomBuilder - like BomBuilder.componentBuilder.
  It could be called LicensBuilder and be available internally as this.licensBuilder.
• hook into the existing BomBuilder.makeComponent() and call needed methods like

  const component = this.componentBuilder.makeComponent(data, type)
  // ...
  if (!this.packageLockOnly && this.shouldAddLicenseTexts && data.path) {
    this.licensBuilder.addTexts(component.licenses, data.path)
  }
  // ...
  return component

[jkowalleck]

license text detection is not completely solved.

Therefore, the result shall be an evidence, rather than n license attachment.

[cuhland]

I want to support this feature and created a branch which took these commits here, rebased them on top of current main and did soome refactoring regarding the code structure.
@jkowalleck Is there a chance that this feature can be part of the next release?

[jkowalleck]

I want to support this feature and created a branch which took these commits here, rebased them on top of current main and did soome refactoring regarding the code structure. @jkowalleck Is there a chance that this feature can be part of the next release?

I do not see a good to merge the current state of this very PR.

If you have a maintained version of it, feel free to open a competing pull-request.

Since this feature is nothing new, there is no need to reinvent the wheel. It is expected to simply copy existing art.
Please be aware of existing art:

• Implementation for webpack:
  • ([BUG] not detecting license files LICENSE.BSD cyclonedx-webpack-plugin#1337 via fix: Properly detect license evidences like LICEN[CS]E.{Apache,BSD,GPL,MIT} cyclonedx-webpack-plugin#1339)
  • (also find *.license files as evidence cyclonedx-webpack-plugin#1321 via feat: license evidence *.licen[cs]e cyclonedx-webpack-plugin#1322)
  • (FEAT: Option to add license text to BOM output cyclonedx-webpack-plugin#676 via feat: collect evidences for license cyclonedx-webpack-plugin#1309, fix: pollish evidence gathering cyclonedx-webpack-plugin#1312)
• Implementation for yarn:
  • Extraction of license text from files. cyclonedx-node-yarn#193

just in case: Please keep the scope of your PR, don't mix unrelated changes into a feature-PR

[jkowalleck]

Superseded by #1243