Finder for licenses of package versions

Why are we doing this work

To perform License Scanning as described in &9400 (closed), we need to list the licenses for package versions.

Implementation plan

  1. Create a finder that gets licenses of package versions.

Further details

The licenses finder can be directly fed with the output of the SBOM component fetchers implemented in #384536 (closed): it takes an array of struct, where each struct has a name, version, and purl_type. It fetches the SPDX identifiers of the licenses for these package versions.

To leverage the table list partitioning on PURL type implemented in !104155 (merged), the finder should perform one SELECT query per PURL type. Queries would then look like this:

  SELECT ps.name, pvs.version, ls.spdx_identifier
  FROM pm_packages ps
  JOIN pm_package_versions pvs ON
    pvs.purl_type = ps.purl_type AND pvs.pm_package_id = ps.id
  JOIN pm_package_version_licenses pvls ON
    pvls.purl_type = pvs.purl_type AND pvls.pm_package_version_id = pvs.id
  JOIN pm_licenses ls ON
    pvls.pm_license_id = ls.id
  WHERE ps.purl_type = 1 AND
    (ps.name, pvs.version) IN (('depA', 'v1'), ('depA', 'v2'))

See !104155 (merged)

Considering that a single project might depend on a large number of package versions, the finder might limit the number of rows returned by a SELECT query, and iterate.
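As an added illustration of the finder described above (example code, not GitLab's own implementation), this groups the SBOM components by purl_type, runs one query per PURL type, and chunks the (name, version) tuples so that no single IN list grows unbounded; `Component`, `PackageLicensesFinder`, the batch size and the injected executor are assumptions, while the table and column names follow the query in this issue.

```ruby
# Added example, not GitLab's own code. Component, PackageLicensesFinder and the
# executor interface are assumptions; table names match the query in the issue.
Component = Struct.new(:name, :version, :purl_type, keyword_init: true)

class PackageLicensesFinder
  # Same query as in the issue; '?' are ActiveRecord-style bind placeholders.
  BASE_SQL = <<~SQL
    SELECT ps.name, pvs.version, ls.spdx_identifier
    FROM pm_packages ps
    JOIN pm_package_versions pvs ON
      pvs.purl_type = ps.purl_type AND pvs.pm_package_id = ps.id
    JOIN pm_package_version_licenses pvls ON
      pvls.purl_type = pvs.purl_type AND pvls.pm_package_version_id = pvs.id
    JOIN pm_licenses ls ON pvls.pm_license_id = ls.id
    WHERE ps.purl_type = ? AND (ps.name, pvs.version) IN (%s)
  SQL

  # executor: callable (sql, binds) -> rows [name, version, spdx_identifier];
  # injected so this example runs offline against the fake below.
  def initialize(components:, executor:, batch_size: 500)
    @components, @executor, @batch_size = components, executor, batch_size
  end

  # One query per PURL type (a single list partition), with the (name, version)
  # tuples chunked so no IN list grows unbounded for large dependency sets.
  def execute
    @components.group_by(&:purl_type).flat_map do |purl_type, comps|
      pairs = comps.map { |c| [c.name, c.version] }.uniq
      pairs.each_slice(@batch_size).flat_map do |batch|
        @executor.call(*build_query(purl_type, batch))
      end
    end
  end

  # Names and versions come from untrusted SBOMs: pass them as bind values,
  # never interpolate them into the SQL text.
  def build_query(purl_type, pairs)
    placeholders = Array.new(pairs.size, "(?, ?)").join(", ")
    [format(BASE_SQL, placeholders), [purl_type, *pairs.flatten]]
  end
end

# Constructed stand-in for the database: [purl_type, name, version] => SPDX ids.
FAKE_LICENSES = { [1, "depA", "v1"] => ["MIT"], [1, "depA", "v2"] => ["MIT", "Apache-2.0"],
                  [2, "depB", "1.0"] => ["BSD-3-Clause"] }.freeze
FAKE_EXECUTOR = lambda do |_sql, binds|
  purl_type, *pairs = binds
  pairs.each_slice(2).flat_map { |n, v| FAKE_LICENSES.fetch([purl_type, n, v], []).map { |id| [n, v, id] } }
end
```

In the real finder the executor would be the ActiveRecord connection, which receives the same SQL text and bind array.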

Edited by Fabien Catteau