Conversation

@Copilot Copilot AI commented Sep 19, 2025

The ORT evaluator was incorrectly reporting license violations when a package had multiple license findings with both license choices and path excludes configured. This was due to the wrong order of operations in the evaluator logic.

Problem

The evaluator's licenseRule function was processing licenses in this order:

  1. Filter by license view
  2. Apply license choices
  3. Check for exclusions (via isExcluded() matcher)

This is the reverse of how reporters handle the same scenario correctly.

Root Cause

Consider a package with:

  • Finding 1: MIT OR GPL-2.0-only in LICENSE (non-excluded)
  • Finding 2: GPL-2.0-only in excluded/some-file.txt (path excluded)
  • License choice: MIT OR GPL-2.0-only -> MIT

Before this fix: The evaluator would apply the choice first, then check exclusions, leading to GPL-2.0-only being considered for rule evaluation even though it should be filtered out by path excludes.

After this fix: The evaluator filters excluded licenses first, then applies choices, resulting in only MIT being evaluated - matching the reporter behavior.

Solution

Modified the licenseRule function in PackageRule.kt to call .filterExcluded() before .applyChoices():

resolvedLicenseInfo.filter(licenseView, filterSources = true)
    .filterExcluded() // Filter excluded licenses before applying choices
    .applyChoices(ruleSet.ortResult.getPackageLicenseChoices(pkg.metadata.id), licenseView)
    .applyChoices(ruleSet.ortResult.getRepositoryLicenseChoices(), licenseView)

This matches the working pattern in EvaluatedModelMapper.kt where reporters correctly do:

input.licenseInfoResolver.resolveLicenseInfo(pkg.id).filterExcluded().effectiveLicense(...)

Impact

  • Evaluator and reporters now have consistent behavior
  • Prevents false license violations when using both path excludes and license choices
  • No impact on existing functionality when only one mechanism is used
  • Maintains backward compatibility

Fixes #10867.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • repo.eclipse.org
    • Triggering command: /usr/lib/jvm/temurin-21-jdk-amd64/bin/java --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.lang.invoke=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.prefs/java.util.prefs=ALL-UNNAMED --add-exports=jdk.compiler/com.sun.tools.javac.api=ALL-UNNAMED --add-exports=jdk.compiler/com.sun.tools.javac.util=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.prefs/java.util.prefs=ALL-UNNAMED --add-opens=java.base/java.nio.charset=ALL-UNNAMED --add-opens=java.base/java.net=ALL-UNNAMED --add-opens=java.base/java.util.concurrent=ALL-UNNAMED --add-opens=java.base/java.util.concurrent.atomic=ALL-UNNAMED --add-opens=java.xml/javax.xml.namespace=ALL-UNNAMED --add-opens=java.base/java.time=ALL-UNNAMED -XX:MaxMetaspaceSize=1g -Xmx2g -Dfile.encoding=UTF-8 -Duser.country -Duser.language=en -Duser.variant -cp /home/REDACTED/.gradle/wrapper/dists/gradle-9.1.0-bin/9agqghryom9wkf8r80qlhnts3/gradle-9.1.0/lib/gradle-daemon-main-9.1.0.jar -javaagent:/home/REDACTED/.gradle/wrapper/dists/gradle-9.1.0-bin/9agqghryom9wkf8r80qlhnts3/gradle-9.1.0/lib/agents/gradle-instrumentation-agent-9.1.0.jar org.gradle.launcher.daemon.bootstrap.GradleDaemon 9.1.0 (dns block)

If you need me to access, download, or install something from one of these locations, you can either:
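
The ordering problem described in the PR is easier to see on a small model. The following is an added Python illustration, not ORT's Kotlin code: ORT's ResolvedLicenseInfo, filterExcluded() and applyChoices() are approximated here by plain functions over a dict of {license id -> set of (path, original SPDX expression)}, the effective license is assumed to be the AND of all original expressions still present with chosen sub-expressions substituted, and the path-exclude glob "excluded/**" and the copyleft rule set are constructed for the example. It runs the PR's scenario through both orders and also checks the "only one mechanism configured" cases, where both orders agree.

```python
"""Toy model of the evaluator ordering bug described in this PR.

Added stand-alone illustration; NOT ORT's Kotlin code. ResolvedLicenseInfo,
filterExcluded() and applyChoices() are approximated by plain functions over a
dict {license id -> set of (path, original SPDX expression)}. The exclude glob
"excluded/**", the copyleft rule and the sample findings are constructed.
"""
from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass(frozen=True)
class Finding:
    expression: str  # SPDX expression as found by the scanner
    path: str        # file the expression was found in


# Constructed sample input mirroring the scenario in the PR description.
FINDINGS = [
    Finding("MIT OR GPL-2.0-only", "LICENSE"),          # not excluded
    Finding("GPL-2.0-only", "excluded/some-file.txt"),  # path excluded
]
PATH_EXCLUDES = ["excluded/**"]               # assumed glob syntax
CHOICES = [("MIT OR GPL-2.0-only", "MIT")]   # (given expression, chosen)
COPYLEFT = {"GPL-2.0-only", "GPL-3.0-only"}  # constructed rule input


def simple_licenses(expression: str) -> set[str]:
    """Decompose a flat SPDX expression (AND/OR, parentheses) into license ids."""
    tokens = expression.replace("(", " ").replace(")", " ").split()
    return {t for t in tokens if t not in ("AND", "OR")}


def resolve(findings):
    """Build {license id -> {(path, original expression)}}. Every id keeps every
    location it appears in, including inside an OR expression, so GPL-2.0-only
    is recorded at LICENSE as well as at the excluded file."""
    resolved: dict[str, set[tuple[str, str]]] = {}
    for f in findings:
        for lic in simple_licenses(f.expression):
            resolved.setdefault(lic, set()).add((f.path, f.expression))
    return resolved


def filter_excluded(resolved, path_excludes):
    """Drop locations matched by a path exclude; drop ids with no location left."""
    out = {}
    for lic, entries in resolved.items():
        kept = {e for e in entries
                if not any(fnmatch(e[0], pat) for pat in path_excludes)}
        if kept:
            out[lic] = kept
    return out


def apply_choices(resolved, choices):
    """Join all original expressions still present with AND, substitute the chosen
    sub-expressions, and keep only ids that occur in the effective license.
    If the excluded finding is still present, its bare "GPL-2.0-only" survives
    the substitution and keeps GPL-2.0-only in the result."""
    originals = sorted({expr for entries in resolved.values() for _, expr in entries})
    effective = " AND ".join(f"({e})" for e in originals)
    for given, chosen in choices:
        effective = effective.replace(f"({given})", f"({chosen})")
    keep = simple_licenses(effective)
    return {lic: entries for lic, entries in resolved.items() if lic in keep}


def evaluate_before_fix(findings, path_excludes, choices):
    """Old evaluator order: apply choices, then filter excluded licenses."""
    info = apply_choices(resolve(findings), choices)
    return sorted(filter_excluded(info, path_excludes))


def evaluate_after_fix(findings, path_excludes, choices):
    """Fixed order (and what reporters already did): filter excluded, then choose."""
    info = filter_excluded(resolve(findings), path_excludes)
    return sorted(apply_choices(info, choices))


def copyleft_violations(licenses):
    """Stand-in for a licenseRule that flags copyleft licenses."""
    return sorted(lic for lic in licenses if lic in COPYLEFT)


if __name__ == "__main__":
    for name, fn in (("before fix", evaluate_before_fix), ("after fix", evaluate_after_fix)):
        lics = fn(FINDINGS, PATH_EXCLUDES, CHOICES)
        print(f"{name}: evaluated={lics} violations={copyleft_violations(lics)}")
```

In the old order GPL-2.0-only survives because its LICENSE location (from the OR expression) is not excluded and the excluded finding's bare "GPL-2.0-only" is still part of the effective license when the choice is applied; in the fixed order that finding is gone before the choice reduces "MIT OR GPL-2.0-only" to MIT. With only excludes or only choices configured, both orders return the same set.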

@Copilot Copilot AI changed the title from "[WIP] Evaluator: Incorrect license violations when both license choices and path excludes are configured" to "Fix evaluator license violations with both license choices and path excludes" on Sep 19, 2025
@Copilot Copilot AI requested a review from sschuberth September 19, 2025 12:22

Review annotations on PackageRule.kt (KDoc of the licenseRule DSL function, excerpt):

/**
 * A DSL function to configure a [LicenseRule] and add it to this rule.
 *
 [...]
 * 2. Filter excluded licenses (due to path excludes) - this must happen before applying choices
 * 3. Apply package-specific license choices
 * 4. Apply repository-wide license choices
 *
 * This order matches the behavior of reporters and ensures that excluded licenses are not
 [...]

Code scanning / detekt (Warning, "Detects trailing spaces"): Trailing space(s). Flagged three times, on the blank ` *` lines of this KDoc block.

codecov bot commented Sep 19, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 57.53%. Comparing base (0e9bc55) to head (54a21ba).

Additional details and impacted files
@@            Coverage Diff            @@
##               main   #10873   +/-   ##
=========================================
  Coverage     57.53%   57.53%           
- Complexity     1698     1700    +2     
=========================================
  Files           346      346           
  Lines         12823    12823           
  Branches       1212     1212           
=========================================
  Hits           7378     7378           
  Misses         4978     4978           
  Partials        467      467           
Flag Coverage Δ
funTest-docker 71.03% <ø> (ø)
funTest-non-docker 33.01% <ø> (+0.14%) ⬆️
Successfully merging this pull request may close these issues.

Evaluator: Incorrect license violations when both license choices and path excludes are configured
2 participants