Support parsing license information in Maven projects via parent poms

[coheigea]

I noticed that Syft does not report a license for a Maven project if the license is contained in the parent pom instead. This is a pretty common thing in a lot of open-source projects, to have a single parent pom.xml which defines commons things (including license information), and then each module in the project inherits this pom.

For example, here are two examples of projects Syft does not detect the license, even though it's defined in both cases in the parent pom:

• https://repo1.maven.org/maven2/org/apache/httpcomponents/httpclient/4.5.13/httpclient-4.5.13.pom
• https://repo1.maven.org/maven2/org/slf4j/slf4j-api/1.7.32/slf4j-api-1.7.32.pom

Please consider this feature request, because as it stands Syft does not report any license for quite a few Maven projects due to this issue. Maybe it could be configurable via a feature flag (detect transitive licenses). To prevent infinite loops or denial of service type of attacks, it should only walk up to 2/3 parent poms.

Note that using mvn help:effective-pom -f httpclient-4.5.13.pom does show the correct license

[coheigea]

Closing this as both PRs applied