anchore · spiffcs · Dec 8, 2023 · Dec 8, 2023
diff --git a/grant/evalutation/license_evalutation.go b/grant/evalutation/license_evalutation.go
@@ -5,7 +5,74 @@ import (
 )
 
 func NewLicenseEvaluations(ec EvaluationConfig, c grant.Case) LicenseEvaluations {
-	panic("not implemented")
+	evaluations := make([]LicenseEvaluation, 0)
+	// TODO: probably want to use some concurrency here
+	for _, sb := range c.SBOMS {
+		for pkg := range sb.Artifacts.Packages.Enumerate() {
+			grantPkg := convertSyftPackage(pkg)
+			// since we use syft as a library to generate the sbom we need to convert its packages/licenses to grant types
+			if len(grantPkg.Licenses) == 0 {
+				evaluations = append(evaluations, LicenseEvaluation{
+					License: grant.License{},
+					Package: grantPkg,
+					Policy:  ec.Policy,
+					Reason:  []Reason{ReasonNoLicenseFound},
+					Pass:    true,
+				})
+				continue
+			}
+
+			for _, l := range grantPkg.Licenses {
+				if !l.IsSPDX() {
+					// TODO: check if the config wants us to check for non-SPDX licenses
+				}
+				if ec.Policy.IsDenied(l) {
+					evaluations = append(evaluations, LicenseEvaluation{
+						License: l,
+						Package: grantPkg,
+						Policy:  ec.Policy,
+						Reason:  []Reason{ReasonLicenseDenied},
+						Pass:    false,
+					})
+					continue
+				}
+				// otherwise, the license is allowed
+				evaluations = append(evaluations, LicenseEvaluation{
+					License: l,
+					Package: grantPkg,
+					Policy:  ec.Policy,
+					Reason:  []Reason{ReasonLicenseAllowed},
+					Pass:    true,
+				})
+			}
+		}
+	}
+
+	for _, l := range c.Licenses {
+		if !l.IsSPDX() {
+			// TODO: check if the config wants us to check for non-SPDX licenses
+		}
+		if ec.Policy.IsDenied(l) {
+			evaluations = append(evaluations, LicenseEvaluation{
+				License: l,
+				Package: nil,
+				Policy:  ec.Policy,
+				Reason:  []Reason{ReasonLicenseDenied},
+				Pass:    false,
+			})
+			continue
+		}
+		// otherwise, the license is allowed
+		evaluations = append(evaluations, LicenseEvaluation{
+			License: l,
+			Package: nil,
+			Policy:  ec.Policy,
+			Reason:  []Reason{ReasonLicenseAllowed},
+			Pass:    true,
+		})
+	}
+
+	return evaluations
 }
 
 type LicenseEvaluations []LicenseEvaluation
@@ -18,10 +85,10 @@ type LicenseEvaluation struct {
 	Package *grant.Package // any artifact license is evaluated with
 
 	// what's used to evaluate...
-	Policy *grant.Policy // what the determination was made against
+	Policy grant.Policy // what the determination was made against
 
 	// the output of an evaluation...
-	Reason []string // reasons that the evaluation value the way it is
+	Reason []Reason // reasons that the evaluation value the way it is
 	Pass   bool     // The final evaluation
 }
 

diff --git a/grant/evalutation/license_evalutation_config.go b/grant/evalutation/license_evalutation_config.go
@@ -5,7 +5,7 @@ import "github.com/anchore/grant/grant"
 type EvaluationConfig struct {
 	// Policy is the policy to evaluate against
 	// if non is supplied, the default policy is used (grant.DefaultPolicy())
-	Policy *grant.Policy
+	Policy grant.Policy
 	// CheckNonSPDX is true if non-SPDX licenses should be checked
 	CheckNonSPDX bool
 }
diff --git a/grant/evalutation/reason.go b/grant/evalutation/reason.go
@@ -0,0 +1,9 @@
+package evalutation
+
+type Reason string
+
+var (
+	ReasonNoLicenseFound Reason = "no license found"
+	ReasonLicenseDenied  Reason = "license denied by policy"
+	ReasonLicenseAllowed Reason = "license allowed by policy"
+)
diff --git a/grant/evalutation/sbom.go b/grant/evalutation/sbom.go
diff --git a/grant/evalutation/syft.go b/grant/evalutation/syft.go
@@ -9,14 +9,14 @@ import (
 	syftPkg "github.com/anchore/syft/syft/pkg"
 )
 
-func convertSyftPackage(p syftPkg.Package) grant.Package {
+func convertSyftPackage(p syftPkg.Package) *grant.Package {
 	locations := p.Locations.ToSlice()
 	packageLocations := make([]string, 0)
 	for _, location := range locations {
 		packageLocations = append(packageLocations, location.RealPath)
 	}
 
-	return grant.Package{
+	return &grant.Package{
 		Name:      p.Name,
 		Version:   p.Version,
 		Licenses:  convertSyftLicenses(p.Licenses),

diff --git a/grant/policy.go b/grant/policy.go
@@ -27,7 +27,7 @@ func DefaultPolicy() *Policy {
 	}
 }
 
-// NewPolicy builds a policy from lists of allow and deny glob patterns
+// NewPolicy builds a policy from lists of allow, deny, and ignore glob patterns
 // It lower cases all patterns to make matching against the spdx license set case-insensitive
 func NewPolicy(allowLicenses, denyLicenses, ignoreLicenses []string) (p *Policy, err error) {
 	if len(allowLicenses) == 0 && len(denyLicenses) == 0 {
@@ -138,7 +138,7 @@ func (p Policy) IsDenied(license License) bool {
 	return false
 }
 
-// IsAllowed is a convenience function for library consumers
+// IsAllowed is a convenience function for library usage of IsDenied negation
 func (p Policy) IsAllowed(license License) bool {
 	return !p.IsDenied(license)
 }