Allow to curate declared licenses

[nnobelis]

Currently, the declared license of a package cannot be curated. I assume this is a decision made in the past because it's pretty dangerous and there was no requirement to support it.

We have however a use case for such curation.

A project of our organization is using Bazel and Conan. The same packages are present in both package managers because the former uses the latter.
The owner of this repository requested that we consider Bazel as the single source of truth and that we don't process Conan packages.
The issue is that the Conan packages have more metadata than their equivalent in Bazel. This is because Bazel doesn't have any property for:

• declared license
• authors (it has maintainers which is something else).

Additionally, some Advisors such as VulnerableCode don't report vulnerabilities for Bazel packages, but Conan packages are usually supported. Therefore, curating the pURL of a package could be interesting to fetch those vulnerabilities.

The current curation system in ORT allows to curate the authors and the purl of a package. However the declared license cannot be curated.

Would it be possible to modify PackageCurationData to add the declared license ? If this deemed dangerous, maybe with an unsafe configuration flag ?

If this requested change is not possible, which alternative could fulfill our requirement ? Package configurations don't seem like a good match, because with still want the unaltered results of the scanner.

[sschuberth]

@nnobelis, did you notice #11725 from just a few days ago?

[nnobelis]

What a coincidence :)

On the discussion you linked:

This means you need to manually include any detected license into your concluded license, if it is different from the declared license.

One can achieve this ?
AFAII, if you define a concluded license, the scanner is skipped and there is no detected license ?!

[sschuberth]

AFAII, if you define a concluded license, the scanner is skipped and there is no detected license ?!

That's only the case if skipConcluded is set to true:

ort/model/src/main/resources/reference.yml

Line 178 in 3b9c843

skipConcluded: true

[sschuberth]

A project of our organization is using Bazel and Conan. The same packages are present in both package managers because the former uses the latter.

So Bazel uses Conan. Couldn't we just add an option to BazelConfig that tell the analyzer to amend Bazel metadata with Conan metadata for equivalent packages? That option should work independently of setting bazelDependenciesOnly.