add support for licenses not found on list

[deitch]

Fixes #1529

As discussed with @kzantow , if a license identifier is not found on the official list, rather than returning "" and false, it creates LicenseRef-<id> per the other licenses section of the spdx spec.

Also adds handling an empty identifier, and adds tests.

The approach may need some tweaking, but it seems a simple enough solution.

[kzantow]

Hey @deitch -- thanks for submitting this PR! I think this is half of what needs to happen -- the LicenseRef-<id> getting put in the appropriate license field. The other half is that we need to add these licenses with a matching LicenseRef-<id> to the Other Licenses section so there is something to refer to -- this would need to be added to this struct in the OtherLicenses field

[deitch]

I was kind of wondering about that. Thanks for the pointer to the right struct.

I saw that ID() is used by both spdx and cyclonedx, even though it is part of spdx. Do I need to find a parallel struct for CycloneDX?

[kzantow]

@deitch CycloneDX is easier -- we just need to include the name instead of ID. See the spec here, optionally including text if we have it

[deitch]

Ok, I think I got it, both for spdx and cyclonedx, but have a look. I updated tests so they handle the cases and pass, and I also ran some tests locally.

[kzantow]

Thanks @deitch -- I think this is pretty close, just a few items I've noted

[kzantow]

I think this may fix #933 as well.

@deitch it also looks like the TestEncodeDecodeEncodeCycleComparison is failing for CycloneDX, which means we need to add decoding for the licenses with name probably around here.

[kzantow]

@deitch it looks like the last hold-up is the CycloneDX decoding noted above ☝️ -- I could help with this, if you like

[deitch]

I assume it has something to do with this assuming that it should be l.License.ID, when it could be .ID or .Name.

Yeah, fixing that gets the tests passing locally. I will push it out and see if CI is happy.

[deitch]

That did it.

[kzantow]

Thanks much @deitch! This is a great addition!

[deitch]

Excellent. Thanks for helping get it in. I am going to try and tackle a different issue soon with gopkg licenses.

[deitch]

I will flag you on that issue, so I can try and submit for that as well.

[deitch]

This did help @kzantow but then exposed the inability to handle "OR", which appears in a number of places, as well as compound expressions with (a OR b) AND c. Submitting a PR soon to handle it.

[kzantow]

Right -- properly parsing complex license expressions is not something Syft is doing today, I think it's okay to just include these as LicenseRefs for now (it's better than excluding them)

[deitch]

But you wouldn't object to it doing so properly, would you? I am close to having a PR ready for it.