feat(spdx-reporter): Report detected root licenses for packages

The SPDX `licenseDeclared` field for a package [1] is not a declared
license in the ORT sense (which means that it must originate from package
metadata only), but should list any "licenses that have been declared by
the authors of the package" in any way, including as part of a `LICENSE`
file, which in the ORT sense would be a detected license.

To account for that, also use licenses detected in root license files as
licenses "declared" for the package. This solves the concrete case for Go
packages that so far did not have any `licenseDeclared` set, as they are
just pointers to Git repositories which have no metadata associated.

[1]: https://spdx.github.io/spdx-spec/v2.2.2/package-information/#715-declared-license-field

Signed-off-by: Sebastian Schuberth <[email protected]>

Author: sschuberth

plugins/reporters/spdx/src/funTest/assets/disclosure-cli-expected-output.spdx.yml

@@ -32,7 +32,7 @@ packages:
   filesAnalyzed: false
   homepage: "NONE"
   licenseConcluded: "NOASSERTION"
-  licenseDeclared: "NOASSERTION"
+  licenseDeclared: "MIT"
   name: "github.com/mercedes-benz/disclosure-cli"
   summary: "NONE"
   versionInfo: "388ae2bdf6032a3d5b0ed06ac45267dfc0376a3d"
@@ -46,7 +46,7 @@ packages:
   filesAnalyzed: false
   homepage: "NONE"
   licenseConcluded: "NOASSERTION"
-  licenseDeclared: "NOASSERTION"
+  licenseDeclared: "(Apache-2.0 OR MIT) AND MIT"
   name: "github.com/BurntSushi/toml"
   summary: "NONE"
   versionInfo: "1.4.0"
@@ -60,7 +60,7 @@ packages:
   filesAnalyzed: false
   homepage: "NONE"
   licenseConcluded: "NOASSERTION"
-  licenseDeclared: "NOASSERTION"
+  licenseDeclared: "(Apache-2.0 OR MIT) AND MIT"
   name: "github.com/BurntSushi/toml"
   summary: "NONE"
   versionInfo: "1.4.0"
@@ -74,7 +74,7 @@ packages:
   filesAnalyzed: false
   homepage: "NONE"
   licenseConcluded: "NOASSERTION"
-  licenseDeclared: "NOASSERTION"
+  licenseDeclared: "ISC"
   name: "github.com/davecgh/go-spew"
   summary: "NONE"
   versionInfo: "1.1.1"
@@ -88,7 +88,7 @@ packages:
   filesAnalyzed: false
   homepage: "NONE"
   licenseConcluded: "NOASSERTION"
-  licenseDeclared: "NOASSERTION"
+  licenseDeclared: "ISC"
   name: "github.com/davecgh/go-spew"
   summary: "NONE"
   versionInfo: "1.1.1"
@@ -102,7 +102,7 @@ packages:
   filesAnalyzed: false
   homepage: "NONE"
   licenseConcluded: "NOASSERTION"
-  licenseDeclared: "NOASSERTION"
+  licenseDeclared: "Apache-2.0"
   name: "github.com/inconshreveable/mousetrap"
   summary: "NONE"
   versionInfo: "1.1.0"
@@ -116,7 +116,7 @@ packages:
   filesAnalyzed: false
   homepage: "NONE"
   licenseConcluded: "NOASSERTION"
-  licenseDeclared: "NOASSERTION"
+  licenseDeclared: "Apache-2.0"
   name: "github.com/inconshreveable/mousetrap"
   summary: "NONE"
   versionInfo: "1.1.0"
@@ -130,7 +130,7 @@ packages:
   filesAnalyzed: false
   homepage: "NONE"
   licenseConcluded: "NOASSERTION"
-  licenseDeclared: "NOASSERTION"
+  licenseDeclared: "MIT"
   name: "github.com/jinzhu/configor"
   summary: "NONE"
   versionInfo: "1.2.2"
@@ -144,7 +144,7 @@ packages:
   filesAnalyzed: false
   homepage: "NONE"
   licenseConcluded: "NOASSERTION"
-  licenseDeclared: "NOASSERTION"
+  licenseDeclared: "MIT"
   name: "github.com/jinzhu/configor"
   summary: "NONE"
   versionInfo: "1.2.2"
@@ -158,7 +158,7 @@ packages:
   filesAnalyzed: false
   homepage: "NONE"
   licenseConcluded: "NOASSERTION"
-  licenseDeclared: "NOASSERTION"
+  licenseDeclared: "BSD-3-Clause"
   name: "github.com/pmezard/go-difflib"
   summary: "NONE"
   versionInfo: "1.0.0"
@@ -172,7 +172,7 @@ packages:
   filesAnalyzed: false
   homepage: "NONE"
   licenseConcluded: "NOASSERTION"
-  licenseDeclared: "NOASSERTION"
+  licenseDeclared: "BSD-3-Clause"
   name: "github.com/pmezard/go-difflib"
   summary: "NONE"
   versionInfo: "1.0.0"
@@ -186,7 +186,7 @@ packages:
   filesAnalyzed: false
   homepage: "NONE"
   licenseConcluded: "NOASSERTION"
-  licenseDeclared: "NOASSERTION"
+  licenseDeclared: "Apache-2.0"
   name: "github.com/spf13/cobra"
   summary: "NONE"
   versionInfo: "1.8.1"
@@ -200,7 +200,7 @@ packages:
   filesAnalyzed: false
   homepage: "NONE"
   licenseConcluded: "NOASSERTION"
-  licenseDeclared: "NOASSERTION"
+  licenseDeclared: "Apache-2.0"
   name: "github.com/spf13/cobra"
   summary: "NONE"
   versionInfo: "1.8.1"
@@ -215,7 +215,7 @@ packages:
   filesAnalyzed: false
   homepage: "NONE"
   licenseConcluded: "NOASSERTION"
-  licenseDeclared: "NOASSERTION"
+  licenseDeclared: "BSD-3-Clause"
   name: "github.com/spf13/pflag"
   summary: "NONE"
   versionInfo: "1.0.5"
@@ -230,7 +230,7 @@ packages:
   filesAnalyzed: false
   homepage: "NONE"
   licenseConcluded: "NOASSERTION"
-  licenseDeclared: "NOASSERTION"
+  licenseDeclared: "BSD-3-Clause"
   name: "github.com/spf13/pflag"
   summary: "NONE"
   versionInfo: "1.0.5"
@@ -244,7 +244,7 @@ packages:
   filesAnalyzed: false
   homepage: "NONE"
   licenseConcluded: "NOASSERTION"
-  licenseDeclared: "NOASSERTION"
+  licenseDeclared: "MIT"
   name: "github.com/stretchr/testify"
   summary: "NONE"
   versionInfo: "1.8.2"
@@ -258,7 +258,7 @@ packages:
   filesAnalyzed: false
   homepage: "NONE"
   licenseConcluded: "NOASSERTION"
-  licenseDeclared: "NOASSERTION"
+  licenseDeclared: "MIT"
   name: "github.com/stretchr/testify"
   summary: "NONE"
   versionInfo: "1.8.2"
@@ -273,7 +273,7 @@ packages:
   filesAnalyzed: false
   homepage: "NONE"
   licenseConcluded: "NOASSERTION"
-  licenseDeclared: "NOASSERTION"
+  licenseDeclared: "Apache-2.0 AND Apache-2.0 AND Apache-2.0 AND MIT AND MIT AND MIT"
   name: "gopkg.in/yaml.v3"
   summary: "NONE"
   versionInfo: "3.0.1"
@@ -288,7 +288,7 @@ packages:
   filesAnalyzed: false
   homepage: "NONE"
   licenseConcluded: "NOASSERTION"
-  licenseDeclared: "NOASSERTION"
+  licenseDeclared: "Apache-2.0 AND Apache-2.0 AND Apache-2.0 AND MIT AND MIT AND MIT"
   name: "gopkg.in/yaml.v3"
   summary: "NONE"
   versionInfo: "3.0.1"

plugins/reporters/spdx/src/funTest/assets/spdx-document-reporter-expected-output.spdx.json

@@ -46,7 +46,7 @@
     "filesAnalyzed" : false,
     "homepage" : "first package's homepage URL",
     "licenseConcluded" : "BSD-2-Clause AND BSD-3-Clause AND MIT",
-    "licenseDeclared" : "BSD-3-Clause AND (MIT OR GPL-2.0-only)",
+    "licenseDeclared" : "Apache-2.0 AND BSD-2-Clause AND BSD-2-Clause AND BSD-2-Clause AND BSD-2-Clause AND BSD-3-Clause AND BSD-3-Clause AND BSD-3-Clause AND BSD-3-Clause AND BSD-3-Clause AND BSD-3-Clause AND (GPL-2.0-only OR MIT) AND (GPL-2.0-only OR MIT) AND (GPL-2.0-only OR MIT) AND MIT AND MIT AND MIT",
     "name" : "first-package",
     "summary" : "A package with all supported attributes set, with a VCS URL containing a user name, and with two scan results for the VCS containing copyright findings matched to a license finding.",
     "versionInfo" : "0.0.1"
@@ -63,7 +63,7 @@
     "hasFiles" : [ "SPDXRef-File-1" ],
     "homepage" : "first package's homepage URL",
     "licenseConcluded" : "NOASSERTION",
-    "licenseDeclared" : "BSD-3-Clause AND (MIT OR GPL-2.0-only)",
+    "licenseDeclared" : "Apache-2.0 AND BSD-2-Clause AND BSD-2-Clause AND BSD-2-Clause AND BSD-2-Clause AND BSD-3-Clause AND BSD-3-Clause AND BSD-3-Clause AND BSD-3-Clause AND BSD-3-Clause AND BSD-3-Clause AND (GPL-2.0-only OR MIT) AND (GPL-2.0-only OR MIT) AND (GPL-2.0-only OR MIT) AND MIT AND MIT AND MIT",
     "licenseInfoFromFiles" : [ "Apache-2.0", "BSD-2-Clause" ],
     "name" : "first-package",
     "packageVerificationCode" : {
@@ -87,7 +87,7 @@
     "filesAnalyzed" : false,
     "homepage" : "first package's homepage URL",
     "licenseConcluded" : "NOASSERTION",
-    "licenseDeclared" : "BSD-3-Clause AND (MIT OR GPL-2.0-only)",
+    "licenseDeclared" : "Apache-2.0 AND BSD-2-Clause AND BSD-2-Clause AND BSD-2-Clause AND BSD-2-Clause AND BSD-3-Clause AND BSD-3-Clause AND BSD-3-Clause AND BSD-3-Clause AND BSD-3-Clause AND BSD-3-Clause AND (GPL-2.0-only OR MIT) AND (GPL-2.0-only OR MIT) AND (GPL-2.0-only OR MIT) AND MIT AND MIT AND MIT",
     "name" : "first-package",
     "summary" : "A package with all supported attributes set, with a VCS URL containing a user name, and with two scan results for the VCS containing copyright findings matched to a license finding.",
     "versionInfo" : "0.0.1"
@@ -103,7 +103,7 @@
     "filesAnalyzed" : false,
     "homepage" : "NONE",
     "licenseConcluded" : "NOASSERTION",
-    "licenseDeclared" : "MIT AND NOASSERTION",
+    "licenseDeclared" : "MIT",
     "name" : "fourth-package",
     "summary" : "A package with partially mapped declared license.",
     "versionInfo" : "0.0.1"
@@ -119,7 +119,7 @@
     "filesAnalyzed" : false,
     "homepage" : "NONE",
     "licenseConcluded" : "NOASSERTION",
-    "licenseDeclared" : "NOASSERTION",
+    "licenseDeclared" : "NONE",
     "name" : "second-package",
     "summary" : "A package with minimal attributes set.",
     "versionInfo" : "0.0.1"
@@ -135,7 +135,7 @@
     "filesAnalyzed" : false,
     "homepage" : "NONE",
     "licenseConcluded" : "NOASSERTION",
-    "licenseDeclared" : "NOASSERTION",
+    "licenseDeclared" : "GPL-3.0-only",
     "name" : "seventh-package",
     "summary" : "A package with a source artifact scan result.",
     "versionInfo" : "0.0.1"
@@ -156,7 +156,7 @@
     "hasFiles" : [ "SPDXRef-File-2", "SPDXRef-File-3" ],
     "homepage" : "NONE",
     "licenseConcluded" : "NOASSERTION",
-    "licenseDeclared" : "NOASSERTION",
+    "licenseDeclared" : "GPL-3.0-only",
     "licenseInfoFromFiles" : [ "GPL-3.0-only" ],
     "name" : "seventh-package",
     "packageVerificationCode" : {
@@ -192,7 +192,7 @@
     "filesAnalyzed" : false,
     "homepage" : "NONE",
     "licenseConcluded" : "NOASSERTION",
-    "licenseDeclared" : "NOASSERTION",
+    "licenseDeclared" : "NONE",
     "name" : "third-package",
     "summary" : "A package with only unmapped declared license.",
     "versionInfo" : "0.0.1"

plugins/reporters/spdx/src/funTest/assets/spdx-document-reporter-expected-output.spdx.yml

@@ -55,7 +55,10 @@ packages:
   filesAnalyzed: false
   homepage: "first package's homepage URL"
   licenseConcluded: "BSD-2-Clause AND BSD-3-Clause AND MIT"
-  licenseDeclared: "BSD-3-Clause AND (MIT OR GPL-2.0-only)"
+  licenseDeclared: "Apache-2.0 AND BSD-2-Clause AND BSD-2-Clause AND BSD-2-Clause\
+    \ AND BSD-2-Clause AND BSD-3-Clause AND BSD-3-Clause AND BSD-3-Clause AND BSD-3-Clause\
+    \ AND BSD-3-Clause AND BSD-3-Clause AND (GPL-2.0-only OR MIT) AND (GPL-2.0-only\
+    \ OR MIT) AND (GPL-2.0-only OR MIT) AND MIT AND MIT AND MIT"
   name: "first-package"
   summary: "A package with all supported attributes set, with a VCS URL containing\
     \ a user name, and with two scan results for the VCS containing copyright findings\
@@ -75,7 +78,10 @@ packages:
   - "SPDXRef-File-1"
   homepage: "first package's homepage URL"
   licenseConcluded: "NOASSERTION"
-  licenseDeclared: "BSD-3-Clause AND (MIT OR GPL-2.0-only)"
+  licenseDeclared: "Apache-2.0 AND BSD-2-Clause AND BSD-2-Clause AND BSD-2-Clause\
+    \ AND BSD-2-Clause AND BSD-3-Clause AND BSD-3-Clause AND BSD-3-Clause AND BSD-3-Clause\
+    \ AND BSD-3-Clause AND BSD-3-Clause AND (GPL-2.0-only OR MIT) AND (GPL-2.0-only\
+    \ OR MIT) AND (GPL-2.0-only OR MIT) AND MIT AND MIT AND MIT"
   licenseInfoFromFiles:
   - "Apache-2.0"
   - "BSD-2-Clause"
@@ -101,7 +107,10 @@ packages:
   filesAnalyzed: false
   homepage: "first package's homepage URL"
   licenseConcluded: "NOASSERTION"
-  licenseDeclared: "BSD-3-Clause AND (MIT OR GPL-2.0-only)"
+  licenseDeclared: "Apache-2.0 AND BSD-2-Clause AND BSD-2-Clause AND BSD-2-Clause\
+    \ AND BSD-2-Clause AND BSD-3-Clause AND BSD-3-Clause AND BSD-3-Clause AND BSD-3-Clause\
+    \ AND BSD-3-Clause AND BSD-3-Clause AND (GPL-2.0-only OR MIT) AND (GPL-2.0-only\
+    \ OR MIT) AND (GPL-2.0-only OR MIT) AND MIT AND MIT AND MIT"
   name: "first-package"
   summary: "A package with all supported attributes set, with a VCS URL containing\
     \ a user name, and with two scan results for the VCS containing copyright findings\
@@ -117,7 +126,7 @@ packages:
   filesAnalyzed: false
   homepage: "NONE"
   licenseConcluded: "NOASSERTION"
-  licenseDeclared: "MIT AND NOASSERTION"
+  licenseDeclared: "MIT"
   name: "fourth-package"
   summary: "A package with partially mapped declared license."
   versionInfo: "0.0.1"
@@ -131,7 +140,7 @@ packages:
   filesAnalyzed: false
   homepage: "NONE"
   licenseConcluded: "NOASSERTION"
-  licenseDeclared: "NOASSERTION"
+  licenseDeclared: "NONE"
   name: "second-package"
   summary: "A package with minimal attributes set."
   versionInfo: "0.0.1"
@@ -145,7 +154,7 @@ packages:
   filesAnalyzed: false
   homepage: "NONE"
   licenseConcluded: "NOASSERTION"
-  licenseDeclared: "NOASSERTION"
+  licenseDeclared: "GPL-3.0-only"
   name: "seventh-package"
   summary: "A package with a source artifact scan result."
   versionInfo: "0.0.1"
@@ -165,7 +174,7 @@ packages:
   - "SPDXRef-File-3"
   homepage: "NONE"
   licenseConcluded: "NOASSERTION"
-  licenseDeclared: "NOASSERTION"
+  licenseDeclared: "GPL-3.0-only"
   licenseInfoFromFiles:
   - "GPL-3.0-only"
   name: "seventh-package"
@@ -197,7 +206,7 @@ packages:
   filesAnalyzed: false
   homepage: "NONE"
   licenseConcluded: "NOASSERTION"
-  licenseDeclared: "NOASSERTION"
+  licenseDeclared: "NONE"
   name: "third-package"
   summary: "A package with only unmapped declared license."
   versionInfo: "0.0.1"