feat: Request ability to ignore licenseConcluded

[f16falcon4]

What would you like to be added:
I would like to have the ability to tell Grant to ignore licenseConcluded and only process licenseDeclared entries for a given package.

Why is this needed:
Per the description of licenseConcluded (https://spdx.org/rdf/spdx-terms-v2.0/objectproperties/licenseConcluded___-571936219.html), the value specified is based on what the SPDX generator thinks is the appropriate license...essentially a best guess. When generating a Grant license list for the tomcat:9.0.98-jdk17 container on DockerHub, I found that the license listed for the fontconfig package didn't match the contents of the fontconfig COPYING file, nor any other file listed under the SBOM sourceInfo section. In the Syft SBOM, the licenseDeclared section was listed as NOASSERTION but licenseConcluded listed fontconfig as under the HPND-sell-variant license. The text of this license (https://spdx.org/licenses/HPND-sell-variant.html) does not match what's in the COPYING file. Being able to ignore best guesses would help when trying to get team members and legal departments to trust the output of licenses, especially if licenses are used in software approval processes.

Additional context:
None

[kzantow]

Hi @f16falcon4 -- it sounds like you are asking to ignore concluded licenses for the license checks, is that what you are hoping to accomplish?

[f16falcon4]

@kzantow yes, exactly. Grant should not process those licenses in this scenario. The concern is primarily around uncertainty about the validity of concluded licenses, so I would like to be able to remove that uncertainty when running Grant.

[spiffcs]

I didn't get to this one this pass of the major refactor, but am bringing it forward to get done as a fast follow in the coming week(s).

[spiffcs]

👋 @f16falcon4 happy to add this feature but wanted to ask more about the License FP:

concern is primarily around uncertainty about the validity of concluded licenses

When I check the copyright for the fontconfig package in tomcat:9.0.98-jdk17 I see:
/usr/share/doc/fontconfig/copyright

This package was debianized by Colin Walters <walters@debian.org> on
Sun, 13 Oct 2002 15:01:50 -0400

It was downloaded from http://www.fontconfig.org/

Upstream Author: Keith Packard

Copyright:

Copyright © 2001,2003 Keith Packard

Permission to use, copy, modify, distribute, and sell this software and its
documentation for any purpose is hereby granted without fee, provided that
the above copyright notice appear in all copies and that both that
copyright notice and this permission notice appear in supporting
documentation, and that the name of Keith Packard not be used in
advertising or publicity pertaining to distribution of the software without
specific, written prior permission.  Keith Packard makes no
representations about the suitability of this software for any purpose.  It
is provided "as is" without express or implied warranty.

KEITH PACKARD DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
EVENT SHALL KEITH PACKARD BE LIABLE FOR ANY SPECIAL, INDIRECT OR
CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE,
DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER
TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.

We use https://github.com/google/licenseclassifier to try and recognize and attribute SPDX ID to license text.
One of the flags being raised is the attribution clause looks very similar to that of https://spdx.org/licenses/HPND-sell-variant.html

I know upstream is MIT Modern: https://gitlab.freedesktop.org/fontconfig/fontconfig/-/blob/main/COPYING
But I'm a little confused how this should work from the SBOM detection and analysis.

Let me try and see if we can make some headway on syft to be able to grab better upstream license data rather than what ever comes from the COPYING files of repackaged software given they retain their upstream licenses.