fix(helper-cli): Fix two issues with listing licenses

The list licenses command may crash in case `sourceCodeDir` is not
provided in the following scenarios:

1. When the source artifact has been scanned for the given `packageId`
   andi `vcsProcessed` is empty, then `fetchScannedSources()` crashes
   withing `Downloader.download()`, because the downloader throws when
   it attempts to download from VCS.
2. When the ORT file does not contain any scan result for the given
   package, then the downloader also throws.

Ensure that the downloader always attempts to download from the right
source code origin, to fix scenario #1. Furthermore, return early in
case there is no scan result for the given package to fix scenario #2.
Recently a similar crash has been fixed by [1] also by returning
earlier. So, move the early return from [1] to an even earlier position.

[1] 5a21932

Signed-off-by: Frank Viernau <[email protected]>

helper-cli/src/main/kotlin/commands/ListLicensesCommand.kt

@@ -33,8 +33,10 @@ import com.github.ajalt.clikt.parameters.types.file
 import java.io.File
 import java.lang.IllegalArgumentException
 
-import org.ossreviewtoolkit.helper.utils.fetchScannedSources
+import org.ossreviewtoolkit.helper.utils.downloadSources
 import org.ossreviewtoolkit.helper.utils.getLicenseFindingsById
+import org.ossreviewtoolkit.helper.utils.getScannedProvenance
+import org.ossreviewtoolkit.helper.utils.getSourceCodeOrigin
 import org.ossreviewtoolkit.helper.utils.getViolatedRulesByLicense
 import org.ossreviewtoolkit.helper.utils.readOrtResult
 import org.ossreviewtoolkit.helper.utils.replaceConfig
@@ -146,9 +148,14 @@ internal class ListLicensesCommand : CliktCommand(
             throw UsageError("Could not find the package for the given id '${packageId.toCoordinates()}'.")
         }
 
+        val sourceCodeOrigin = ortResult.getScannedProvenance(packageId).getSourceCodeOrigin() ?: run {
+            println("No scan results available.")
+            return
+        }
+
         val sourcesDir = sourceCodeDir ?: run {
             println("Downloading sources for package '${packageId.toCoordinates()}'...")
-            ortResult.fetchScannedSources(packageId)
+            ortResult.downloadSources(packageId, sourceCodeOrigin)
         }
 
         val packageConfigurationProvider = DirPackageConfigurationProvider(packageConfigurationsDir)
@@ -190,11 +197,6 @@ internal class ListLicensesCommand : CliktCommand(
                 }
             }
 
-        if (findingsByProvenance.isEmpty()) {
-            println("No scan results available.")
-            return
-        }
-
         buildString {
             appendLine("  scan results:")
             findingsByProvenance.keys.forEachIndexed { i, provenance ->

helper-cli/src/main/kotlin/utils/Extensions.kt

@@ -34,7 +34,6 @@ import org.jetbrains.exposed.sql.transactions.TransactionManager
 
 import org.ossreviewtoolkit.analyzer.PackageManagerFactory
 import org.ossreviewtoolkit.downloader.Downloader
-import org.ossreviewtoolkit.model.ArtifactProvenance
 import org.ossreviewtoolkit.model.Identifier
 import org.ossreviewtoolkit.model.Issue
 import org.ossreviewtoolkit.model.KnownProvenance
@@ -43,13 +42,13 @@ import org.ossreviewtoolkit.model.Package
 import org.ossreviewtoolkit.model.PackageCuration
 import org.ossreviewtoolkit.model.Project
 import org.ossreviewtoolkit.model.Provenance
-import org.ossreviewtoolkit.model.RemoteArtifact
 import org.ossreviewtoolkit.model.Repository
+import org.ossreviewtoolkit.model.RepositoryProvenance
 import org.ossreviewtoolkit.model.RuleViolation
 import org.ossreviewtoolkit.model.ScanResult
 import org.ossreviewtoolkit.model.Severity
+import org.ossreviewtoolkit.model.SourceCodeOrigin
 import org.ossreviewtoolkit.model.TextLocation
-import org.ossreviewtoolkit.model.VcsInfo
 import org.ossreviewtoolkit.model.config.CopyrightGarbage
 import org.ossreviewtoolkit.model.config.Curations
 import org.ossreviewtoolkit.model.config.DownloaderConfiguration
@@ -88,21 +87,14 @@ internal fun List<ScopeExclude>.minimize(projectScopes: List<String>): List<Scop
 }
 
 /**
- * Fetches the sources from either the VCS or source artifact for the package denoted by
- * the given [id] depending on whether a scan result is present with matching [Provenance].
+ * Download the sources corresponding to the given [Identifier][id] and [source code origin][sourceCodeOrigin].
  */
-internal fun OrtResult.fetchScannedSources(id: Identifier): File {
+internal fun OrtResult.downloadSources(id: Identifier, sourceCodeOrigin: SourceCodeOrigin): File {
     val tempDir = createTempDirectory(Paths.get("."), ORTH_NAME).toFile()
+    val pkg = getPackageOrProject(id)!!.metadata
+    val config = DownloaderConfiguration(sourceCodeOrigins = listOf(sourceCodeOrigin))
 
-    val pkg = getPackageOrProject(id)!!.metadata.let {
-        if (getScannedProvenance(id) is ArtifactProvenance) {
-            it.copy(vcs = VcsInfo.EMPTY, vcsProcessed = VcsInfo.EMPTY)
-        } else {
-            it.copy(sourceArtifact = RemoteArtifact.EMPTY)
-        }
-    }
-
-    Downloader(DownloaderConfiguration()).download(pkg, tempDir)
+    Downloader(config).download(pkg, tempDir)
 
     return tempDir
 }
@@ -232,6 +224,16 @@ internal fun OrtResult.getViolatedRulesByLicense(
 internal fun OrtResult.getScannedProvenance(id: Identifier): KnownProvenance? =
     getScanResultsForId(id).firstNotNullOfOrNull { it.provenance as? KnownProvenance }
 
+/**
+ * Return the [SourceCodeOrigin] for this provenance.
+ */
+internal fun KnownProvenance?.getSourceCodeOrigin(): SourceCodeOrigin? =
+    when {
+        this == null -> null
+        this is RepositoryProvenance -> SourceCodeOrigin.VCS
+        else -> SourceCodeOrigin.ARTIFACT
+    }
+
 /**
  * Return all issues from scan results. Issues for excludes [Project]s or [Package]s are not returned if and only if
  * the given [omitExcluded] is true.