
Fix SPDX import error handling, enforce LICENSEDB_ONLY mode, and introduce LicenseDB-based resolution#3933

Open
sharad-31 wants to merge 7 commits into eclipse-sw360:main from sharad-31:my-licensedb-work

Conversation

@sharad-31

Summary

This pull request introduces a LicenseDB-driven license resolution mechanism and enforces strict LICENSEDB_ONLY mode restrictions across license and obligation operations.

In addition, it improves the robustness of the SPDX license import workflow and includes configuration and development environment enhancements to support local development and testing.


Changes

1. LicenseDB-Based License Resolution & Policy Enforcement

  • Introduced centralized license resolution via LicenseResolutionService

  • Added LicenseSourcePolicy and LicenseSourceMode to control behavior using:
    sw360.license.source.mode

  • Supported modes:

    • LEGACY – allows fallback and manual operations
    • LICENSEDB_ONLY – enforces strict LicenseDB usage
  • Refactored license creation:

    • Disabled direct/manual license creation
    • Delegated to controlled authoritative source methods
  • Updated integration points to ensure:

    • All missing licenses are resolved via LicenseDB
    • Consistent behavior across services

2. Enforcement of LICENSEDB_ONLY Restrictions

  • Added validation guards to prevent:

    • Manual license creation
    • SPDX / OSADL license imports
    • Obligation creation
  • Introduced helper methods:

    • throwIfManualLicenseOperationsDisabled(...)
    • throwIfManualObligationCreationDisabled()
  • Applied in:

    • LicenseService.java
    • Sw360LicenseService.java
    • Sw360ObligationService.java
  • Behavior:

    • LICENSEDB_ONLY → throws AccessDeniedException
    • LEGACY → allows operations

3. LicenseDB Integration Abstraction

  • Added LicenseDbClient interface:
    Optional fetchLicenseById(String licenseId);

  • Added NoopLicenseDbClient:

    • Default fallback implementation
    • Returns empty result if LicenseDB is not configured

4. SPDX License Import Improvements

Updated:
licenses-core/src/main/java/org/eclipse/sw360/licenses/db/LicenseDatabaseHandler.java

Improvements:

  • Introduced RequestStatus tracking
  • Captured result of:
    addOrOverwriteLicenses(...)
  • Added null checks to prevent silent failures
  • Conditional mismatch reporting (only on SUCCESS)
  • Updated response:
    .setRequestStatus(requestStatus)

Result:

  • Prevents false success responses
  • Improves error visibility

5. Security Enhancements

  • Added:
    @PreAuthorize("hasAuthority('WRITE')")

  • Applied to:
    POST /licenses/upload

  • Ensures only authorized users can upload licenses


6. Configuration & Development Improvements

  • Docker:
    Added docker-compose.override.yml with:
    COUCHDB_USER=sw360
    COUCHDB_PASSWORD=sw360fossie

  • Keycloak:
    Added orgmapping.properties for organization mapping tests

  • Maven:
    Updated keycloak/pom.xml to avoid unnecessary plugin execution in IDE

  • VSCode:
    Added .vscode/settings.json for Java configuration


7. Code Cleanup

  • Removed unused imports from:
    backend/attachments/src/test/java/org/eclipse/sw360/attachments/TestAttachmentClient.java

  • Minor formatting improvements


Behavior Changes

LICENSEDB_ONLY Mode:

  • Manual license creation → blocked
  • SPDX / OSADL import → blocked
  • Obligation creation → blocked
  • License resolution → LicenseDB only

LEGACY Mode:

  • Manual operations → allowed
  • Missing licenses → fallback creation allowed

SPDX Import:

  • Accurate SUCCESS / FAILURE status
  • Mismatch reporting only on success

Issue

Related to: #3781

This PR contributes to making LicenseDB the single source of truth for license and obligation data in SW360.


Suggest Reviewer

@GMishx
@deo002


How To Test

  1. Set:
    sw360.license.source.mode=LICENSEDB_ONLY

    Verify:

    • SPDX import fails
    • Obligation creation fails
    • Missing license throws exception
  2. Set:
    sw360.license.source.mode=LEGACY

    Verify:

    • Manual operations work
    • Missing licenses are created
  3. Trigger SPDX import:

    • SUCCESS on valid import
    • FAILURE on error
    • Mismatch only on success
  4. Run locally:
    docker-compose up

    Verify CouchDB works

  5. Run Keycloak tests:
    Validate org mapping behavior


Checklist

Must:

  • All related issues are referenced in commit messages and in PR
  • Code builds successfully
  • Changes are tested locally
  • No regression introduced
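The following is an added illustration of the mode enforcement and LicenseDB resolution flow the description outlines; it is not code from this PR or from SW360. The class and method names (LicenseSourceMode, LicenseSourcePolicy, LicenseDbClient, NoopLicenseDbClient, LicenseResolutionService, throwIfManualLicenseOperationsDisabled) are taken from the description, but their bodies, the License record, the stand-in AccessDeniedException and the LEGACY default for sw360.license.source.mode are assumptions.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

// Added example (not SW360 code): shows how a LICENSEDB_ONLY guard and a
// LicenseDB-backed resolver fit together. All bodies below are assumptions.
public class LicenseSourceDemo {

    // Minimal stand-in for SW360's License type (assumption).
    record License(String id, String fullName) {}

    // Stand-in for the AccessDeniedException the PR says is thrown in LICENSEDB_ONLY
    // mode (assumption: the project may use a framework exception of the same name).
    static class AccessDeniedException extends RuntimeException {
        AccessDeniedException(String msg) { super(msg); }
    }

    enum LicenseSourceMode { LEGACY, LICENSEDB_ONLY }

    // Policy derived from sw360.license.source.mode; defaults to LEGACY when unset (assumption).
    static class LicenseSourcePolicy {
        private final LicenseSourceMode mode;
        LicenseSourcePolicy(LicenseSourceMode mode) { this.mode = mode; }

        static LicenseSourcePolicy fromSystemProperty() {
            String raw = System.getProperty("sw360.license.source.mode", "LEGACY");
            return new LicenseSourcePolicy(LicenseSourceMode.valueOf(raw.trim().toUpperCase()));
        }

        boolean isLicenseDbOnly() { return mode == LicenseSourceMode.LICENSEDB_ONLY; }

        // Guard placed in front of manual license creation and SPDX/OSADL imports.
        void throwIfManualLicenseOperationsDisabled(String operation) {
            if (isLicenseDbOnly()) {
                throw new AccessDeniedException(operation + " is disabled in LICENSEDB_ONLY mode");
            }
        }
    }

    interface LicenseDbClient {
        Optional<License> fetchLicenseById(String licenseId);
    }

    // Default used when no LicenseDB is configured: never resolves anything.
    static class NoopLicenseDbClient implements LicenseDbClient {
        public Optional<License> fetchLicenseById(String licenseId) { return Optional.empty(); }
    }

    static class LicenseResolutionService {
        private final LicenseSourcePolicy policy;
        private final LicenseDbClient client;
        private final Map<String, License> localStore = new HashMap<>(); // stands in for CouchDB

        LicenseResolutionService(LicenseSourcePolicy policy, LicenseDbClient client) {
            this.policy = policy;
            this.client = client;
        }

        // Resolve a license id referenced e.g. by an import: local store first, then
        // LicenseDB; fallback creation is permitted only in LEGACY mode.
        License resolve(String licenseId) {
            License local = localStore.get(licenseId);
            if (local != null) return local;

            Optional<License> fromDb = client.fetchLicenseById(licenseId);
            if (fromDb.isPresent()) {
                localStore.put(licenseId, fromDb.get());
                return fromDb.get();
            }
            if (policy.isLicenseDbOnly()) {
                throw new AccessDeniedException("License " + licenseId
                        + " not found in LicenseDB and fallback creation is disabled");
            }
            License created = new License(licenseId, licenseId + " (auto-created, LEGACY fallback)");
            localStore.put(licenseId, created);
            return created;
        }
    }

    public static void main(String[] args) {
        // Constructed LicenseDB stub holding a single license.
        LicenseDbClient stubDb = id -> "MIT".equals(id)
                ? Optional.of(new License("MIT", "MIT License")) : Optional.empty();

        LicenseResolutionService legacy = new LicenseResolutionService(
                new LicenseSourcePolicy(LicenseSourceMode.LEGACY), stubDb);
        System.out.println("LEGACY  MIT         -> " + legacy.resolve("MIT").fullName());
        System.out.println("LEGACY  Unknown-1.0 -> " + legacy.resolve("Unknown-1.0").fullName());

        LicenseSourcePolicy strictPolicy = new LicenseSourcePolicy(LicenseSourceMode.LICENSEDB_ONLY);
        LicenseResolutionService strict = new LicenseResolutionService(strictPolicy, new NoopLicenseDbClient());
        try {
            strict.resolve("MIT");
        } catch (AccessDeniedException e) {
            System.out.println("LICENSEDB_ONLY resolve -> " + e.getMessage());
        }
        try {
            strictPolicy.throwIfManualLicenseOperationsDisabled("SPDX import");
        } catch (AccessDeniedException e) {
            System.out.println("LICENSEDB_ONLY import  -> " + e.getMessage());
        }
    }
}
```

Run with `java LicenseSourceDemo.java` (Java 16 or later for the record). The point the example makes is that with NoopLicenseDbClient in LICENSEDB_ONLY mode every unresolved id surfaces as an exception rather than a silently created placeholder, which is the failure mode the "Missing license throws exception" test step above is meant to catch.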

@GMishx added the labels "needs code review" and "needs general test" (label description: This is general testing, meaning that there is no org specific issue to check for) on Mar 23, 2026