feat: Support SPDX "user defined license reference" (aka LicenseRef)

[ma-ble]

What would you like to be added:

We are using a SPDX "user defined license references" (aka LicenseRef), which are not defined by a standard SPDX license identifier. When we let grant check these licenses, at the beginning we get the error message - "unable to get license by ID: LicenseRef-XXXX; no matching spdx id found sbom.json".

> grant check sbom.json 
[0000] ERROR unable to get license by ID: LicenseRef-XXXX; no matching spdx id found 
* sbom.json

> grant list sbom.json 
[0000] ERROR unable to get license by ID: LicenseRef-XXXX; no matching spdx id found
* sbom.json

I would like to be able to add SPDX "user defined license reference" (aka LicenseRef) in Grant - for example via the .grants.yaml configuration file.

Why is this needed:

The support of SPDX "user defined license references" (aka LicenseRef) in Grant would be advantageous in conjunction with Syft (creating SBOMs), since Syft sets spdxExpressions in the SBOM. This would enable a seamless and automated check of the licenses.

Additional context:

[willmurphyscode]

It sounds like you have SPDX JSON SBOMs with some user-defined licenses in them, and you'd like grant list and grant check to work with these, so that grant list lists the user-defined license IDs with all the other license IDs, and grant check can be configured to allow or block user defined licenses. Is that correct @ma-ble ?

This would be a great feature, but we have one question about how grant check would work. Because user-defined license IDs are only unique within a particular SBOM, user-defined license License-Ref-0003, for example, might mean something completely different in one SBOM versus another, so just putting allow: License-Ref-0003 in Grant's config might allow two completely different licenses through. One possible solution is that the person putting user defined licenses in the Grant config makes sure that Licenese-Ref-0003 always means the same thing in all their licenses, but this seems like it might be brittle.

@ma-ble please let us know if we've understood correctly, and if you have an opinion on the problem where user defined license refs are only unique within an SBOM.

[ma-ble]

Your assumptions about my intentions are correct.

We have our own custom SPDX licenses (e.g. License-Ref-0003) that are only valid within our space and would like to be able to check for these licenses with "grant check".

An extension of the Grant`s config so that user-defined SPDX licenses can be entered would be very suitable for this use case.

[holbizmetrics]

We hit the same issue from the CycloneDX side. Our TwinCAT PLC SBOM enricher uses LicenseRef-Beckhoff-SLA in license.name for proprietary vendor software. Grant's .grant.yaml allow list matches the identifier correctly (18 allowed), but the ERROR lines on every component add noise to CI pipelines.

We tried switching to a plain descriptive name (Beckhoff Software License Agreement) to avoid the SPDX lookup - the errors disappeared, but so did the allow-list matching (everything classified as denied).

Our workaround: keep LicenseRef-Beckhoff-SLA, accept the cosmetic errors. require-known-license: false in .grant.yaml.

Re: the uniqueness concern, in controlled enterprise environments, LicenseRef identifiers are standardized across all SBOMs. The brittleness risk applies to cross-org scenarios, not internal pipelines.