oss-review-toolkit · MarcelBochtler · Aug 26, 2021 · Aug 24, 2021 · Aug 24, 2021 · Aug 24, 2021
diff --git a/cli/src/main/kotlin/commands/EvaluatorCommand.kt b/cli/src/main/kotlin/commands/EvaluatorCommand.kt
@@ -66,6 +66,7 @@ import org.ossreviewtoolkit.model.licenses.LicenseInfoResolver
 import org.ossreviewtoolkit.model.licenses.orEmpty
 import org.ossreviewtoolkit.model.readValue
 import org.ossreviewtoolkit.model.readValueOrDefault
+import org.ossreviewtoolkit.model.utils.SimplePackageConfigurationProvider
 import org.ossreviewtoolkit.model.utils.mergeLabels
 import org.ossreviewtoolkit.utils.ORT_COPYRIGHT_GARBAGE_FILENAME
 import org.ossreviewtoolkit.utils.ORT_LICENSE_CLASSIFICATIONS_FILENAME
@@ -262,7 +263,12 @@ class EvaluatorCommand : CliktCommand(name = "evaluate", help = "Evaluate ORT re
             ortResultInput = ortResultInput.replacePackageCurations(curations)
         }
 
-        val packageConfigurationProvider = packageConfigurationOption.createProvider()
+        val repositoryPackageConfigurations = ortResultInput.repository.config.packageConfigurations
+        val optionPackageConfigurations = packageConfigurationOption.createProvider().getPackageConfigurations()
+
+        val packageConfigurationProvider = SimplePackageConfigurationProvider(
+            optionPackageConfigurations + repositoryPackageConfigurations
+        )
         val copyrightGarbage = copyrightGarbageFile.takeIf { it.isFile }?.readValue<CopyrightGarbage>().orEmpty()
 
         val config = globalOptionsForSubcommands.config

diff --git a/docs/config-file-ort-yml.md b/docs/config-file-ort-yml.md
@@ -128,8 +128,8 @@ scopes defined in the examples below match the scopes in your project.
 ### When to Use Curations
 
 License finding curations should be used when you want to correct the licenses detected in the source code of the
-project. To define path excludes on a global level for third-party packages, please use the
-[package configurations](config-file-package-configuration-yml.md).
+project. To define curations on global level for third-party packages, please use 
+[curations](config-file-curations-yml.md) or [package configurations](config-file-package-configuration-yml.md).
 
 ### Curating Project License Findings
 
@@ -153,6 +153,22 @@ curations:
     concluded_license: "Apache-2.0"
  ```
 
+For findings in third-party dependencies package-configurations can be used to replace findings:
+```yaml
+configurations:
+  package_configurations:
+  - id: 'Maven:com.example:package:1.2.3'
+    source_artifact_url: "https://repo.maven.apache.org/maven2/com/example/package/1.2.3/package-1.2.3-sources.jar"
+    license_finding_curations:
+    - path: "path/to/problematic/file.java"
+      start_lines: 22
+      line_count: 1
+      detected_license: "GPL-2.0-only"
+      reason: "CODE"
+      comment: "The scanner matches a variable named `gpl`."
+      concluded_license: "Apache-2.0"
+```
+
 For details of the specification, see 
 [LicenseFindingCuration.kt](../model/src/main/kotlin/config/LicenseFindingCuration.kt).
 The list of available options for `reason` are defined in

diff --git a/model/src/main/kotlin/config/RepositoryConfiguration.kt b/model/src/main/kotlin/config/RepositoryConfiguration.kt
@@ -47,6 +47,12 @@ data class RepositoryConfiguration(
     @JsonInclude(value = JsonInclude.Include.CUSTOM, valueFilter = CurationsFilter::class)
     val curations: Curations = Curations(),
 
+    /**
+     * Defines configurations for this repository.
+     */
+    @JsonInclude(value = JsonInclude.Include.NON_EMPTY)
+    val packageConfigurations: List<PackageConfiguration> = emptyList(),
+
     /**
      * Defines license choices within this repository.
      */

diff --git a/model/src/main/kotlin/utils/PackageConfigurationProvider.kt b/model/src/main/kotlin/utils/PackageConfigurationProvider.kt
@@ -27,6 +27,11 @@ import org.ossreviewtoolkit.model.config.PackageConfiguration
  * A provider for [PackageConfiguration]s.
  */
 interface PackageConfigurationProvider {
+    /**
+     * Return all [PackageConfiguration]s of this provider.
+     */
+    fun getPackageConfigurations(): List<PackageConfiguration>
+
     /**
      * Return the first matching [PackageConfiguration] for the given [packageId] and [provenance] if any.
      */

diff --git a/model/src/main/kotlin/utils/SimplePackageConfigurationProvider.kt b/model/src/main/kotlin/utils/SimplePackageConfigurationProvider.kt
@@ -79,6 +79,8 @@ class SimplePackageConfigurationProvider(
         configurationsById = configurations.groupByTo(HashMap()) { it.id }
     }
 
+    override fun getPackageConfigurations() = configurationsById.values.flatten()
+
     override fun getPackageConfiguration(packageId: Identifier, provenance: Provenance): PackageConfiguration? =
         configurationsById[packageId]?.filter { it.matches(packageId, provenance) }?.let {
             require(it.size <= 1) { "There must be at most one package configuration per Id and provenance." }

diff --git a/model/src/test/kotlin/config/RepositoryConfigurationTest.kt b/model/src/test/kotlin/config/RepositoryConfigurationTest.kt
@@ -90,6 +90,24 @@ class RepositoryConfigurationTest : WordSpec({
                   - id: "vulnerability id"
                     reason: "INEFFECTIVE_VULNERABILITY"
                     comment: "vulnerability comment"
+                package_configurations:
+                - id: "Maven:com.example:package:1.2.3"
+                  source_artifact_url: "https://repo.maven.apache.org/com/example/package/package-1.2.3-sources.jar"
+                  license_finding_curations:
+                  - path: "com/example/common/example/ExampleClass.java"
+                    start_lines: 41
+                    line_count: 1
+                    detected_license: "GPL-2.0-only"
+                    reason: "INCORRECT"
+                    comment: "False-positive license finding."
+                    concluded_license: "NONE"
+                  - path: "com/example/common/second/Example.java"
+                    start_lines: 35
+                    line_count: 1
+                    detected_license: "GPL-2.0-only"
+                    reason: "INCORRECT"
+                    comment: "False-positive by ScanCode."
+                    concluded_license: "NONE"
                 license_choices:
                   repository_license_choices:
                   - given: Apache-2.0 or GPL-2.0-only
@@ -144,6 +162,13 @@ class RepositoryConfigurationTest : WordSpec({
                 comment shouldBe "vulnerability comment"
             }
 
+            val packageConfigurations = repositoryConfiguration.packageConfigurations
+            packageConfigurations should haveSize(1)
+            with(packageConfigurations.first()) {
+                licenseFindingCurations should haveSize(2)
+                id shouldBe Identifier("Maven:com.example:package:1.2.3")
+            }
+
             val repositoryLicenseChoices = repositoryConfiguration.licenseChoices.repositoryLicenseChoices
             repositoryLicenseChoices should haveSize(1)
             with(repositoryLicenseChoices.first()) {