DJC: Store additional license details in DejaCode on the Package and other models

[DennisClark]

Problem: provide more clarity for "Declared License" vs "Concluded License" .

Benefit: support the completeness of an SBOM.

Create an additional declared_license field on Package. When a package scan is completed update both the current license_expression field and this new declared_license field with the same values. The intention is to retain the declared_license as an historical record, so that the assigned_license field essentially becomes the "concluded license" (we can change the help text on that field).

Store the additional licenses (aka "detected licenses" or "other licenses") from the scan results on the package model as well. This will support deeper analysis and reporting, enabling users to comment on why specific additional licenses impact or do not impact the licensing terms as the package is expected to be used in an organization.

More design details to follow.

[pombredanne]

@DennisClark it could also make sense to store the "other licenses" beyond the main, primary concluded license? ... actually I think you already mention this!

[DennisClark]

@pombredanne right, I meant "other licenses" when I wrote "additional licenses"! We need these to be stored to support really detail-oriented analysis and evaluations for organizations that require that.

[DennisClark]

ultimately we want to standardize on the following license terminology to be in sync with the open source community:

• declared license: a license expression derived from statements in the key files of a software project, such as the NOTICE, COPYING, README, and LICENSE files.
• detected licenses: license expressions derived from clues in the various files of a software project, which are very often third-party software used by the project, or test, sample and documentation files.
• concluded license: a license expression curated from the declared license, where the curator has performed analysis to clarify or correct the declared license, possibly including one or more detected licenses in the license expression. In DejaCode, this is the license expression assigned to a Package.
• effective license: a license expression curated in the context of the usage of a Package in a specific Product context, which may assert a license choice when that is an option. In DejaCode this is a Product Item license expression.

[DennisClark]

We need one more new field to complete this enhancement request. We already have a notes field on Package, but it is a general purpose field. We should create the following:

curation_notes: Text to explain and support the editing of license-expressions and copyright statements on a Package, as well as the usage policy.

[mjherzog]

@DennisClark It seems that CDX 1.6 will support reporting declared license in addition to concluded license.
This is strangely called "acknowledgement" under compoents/licenses/SPDX License Expression:
https://cyclonedx.org/docs/1.6/json/#components_items_licenses_oneOf_i1_items_i0_acknowledgement

[DennisClark]

Note that this issue focuses on Packages (as our first priority) but the model and process changes should apply in the very same manner to Components. Note however that Component license expressions are not normally applied automatically when creating a Component manually, but only when created from a Package.