
Package file name may be incorrect in SPDX output for d2d projects with ABOUT files #1076

Closed
pombredanne opened this issue Feb 11, 2024 · 1 comment


@pombredanne
Member

I see for instance this snippet in an SPDX output:

 "packages": [
    {
      "name": "apache-tomcat",
      "SPDXID": "SPDXRef-scancodeio-discoveredpackage-689de760-7611-4d26-8fa7-2dcfee8440ac",
      "downloadLocation": "https://archive.apache.org/dist/tomcat/tomcat-9/v9.0.82/bin/apache-tomcat-9.0.82.tar.gz",
      "licenseConcluded": "Apache-2.0 AND bzip2-1.0.6 AND CDDL-1.0 AND CPL-1.0 AND EPL-1.0 AND LZMA-exception AND Zlib",
      "copyrightText": "Copyright 1999-2023 The Apache Software Foundation",
      "filesAnalyzed": false,
      "versionInfo": "9.0.82",
      "licenseDeclared": "Apache-2.0 AND bzip2-1.0.6 AND CDDL-1.0 AND CPL-1.0 AND EPL-1.0 AND LZMA-exception AND Zlib",
      "packageFileName": "*tomcat-9.0.82/*",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:generic/apache-tomcat@9.0.82"
        }
      ],

This came from a d2d pipeline with an ABOUT file with this:

about_resource:  "*tomcat-9.0.82/*"

https://spdx.github.io/spdx-spec/v2.3/package-information/#74-package-file-name-field

The field is optional and does not make much sense at scale: a package can have one or more paths, files or archives with includes and excludes, and the name of its compressed archive usually has little value or bearing on what we see on disk.

I think it would be better to exclude packageFileName entirely from the SPDX output, as it is not well specified and not practically usable for actual real-life cases.
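An added example, not code from the issue or from the scancode.io project: a consumer-side SBOM check that flags packageFileName values which are glob patterns (as leaked from an about_resource) rather than file names, plus the remediation the issue proposes of dropping the field. The SPDX document and its SPDXIDs below are constructed for the example.

```python
import json
import re

# Constructed sample modelled on the snippet in the issue: the first package
# carries the ABOUT file glob as its packageFileName, the second a real file name.
SPDX_DOC = json.loads("""
{
  "spdxVersion": "SPDX-2.3",
  "packages": [
    {
      "name": "apache-tomcat",
      "SPDXID": "SPDXRef-constructed-tomcat",
      "versionInfo": "9.0.82",
      "packageFileName": "*tomcat-9.0.82/*"
    },
    {
      "name": "example-lib",
      "SPDXID": "SPDXRef-constructed-lib",
      "versionInfo": "1.0",
      "packageFileName": "example-lib-1.0.tar.gz"
    }
  ]
}
""")

# Glob metacharacters that never belong in a single archive file name.
GLOB_CHARS = re.compile(r"[*?\[\]]")


def is_plausible_package_file_name(value: str) -> bool:
    """True only if the value looks like one archive/file name as SPDX 2.3 section 7.4
    intends: non-empty, no glob metacharacters and no directory separators."""
    if not value or GLOB_CHARS.search(value):
        return False
    return "/" not in value and "\\" not in value


def find_bad_package_file_names(doc: dict) -> list:
    """Return SPDXIDs of packages whose packageFileName is present but not a file name."""
    return [
        pkg["SPDXID"]
        for pkg in doc.get("packages", [])
        if "packageFileName" in pkg
        and not is_plausible_package_file_name(pkg["packageFileName"])
    ]


def strip_package_file_name(doc: dict) -> dict:
    """Remediation proposed in the issue: drop the optional field from every package.
    Works on a deep copy so the original document is left untouched."""
    cleaned = json.loads(json.dumps(doc))
    for pkg in cleaned.get("packages", []):
        pkg.pop("packageFileName", None)
    return cleaned
```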

tdruez added a commit that referenced this issue Feb 14, 2024
Signed-off-by: tdruez <tdruez@nexb.com>
@tdruez
Member

tdruez commented Feb 14, 2024

27480f5

@tdruez tdruez closed this as completed Feb 14, 2024