[FEATURE] SPDX License factory #304

Closed
jkowalleck opened this issue Sep 12, 2022 · 7 comments · Fixed by #305
Labels: enhancement (New feature or request)

Comments

@jkowalleck (Member)

have a license factory, a thing that i feed a string and that returns the appropriate license model: expression, named license, spdx license.

required for

as a contrast implementation of CycloneDX/cyclonedx-python#410

solution ala

@jkowalleck jkowalleck added the enhancement New feature or request label Sep 12, 2022
@jkowalleck jkowalleck self-assigned this Sep 12, 2022
@jkowalleck (Member, Author)

will prepare a POC for discussion

this would lead to a v2 implementation in module(file) cyclonedx/factory/license.py
and a forward-port to v3

@Jonas-vdb

Will there be an option to force a specific license model? e.g. Dependency Track does not support expressions yet so even if the string is actually an expression, forcing it to a named license would at least make it visible in Dependency Track (knowing that the matching will not work).

@jkowalleck (Member, Author) commented Sep 12, 2022

good point. the factory should be supporting both

  • string -> Expression|Named|SPDX|None
  • string -> Named|SPDX|None

the latter one is the thing that is required, so that an implementation in the https://github.com/CycloneDX/cyclonedx-python/ should be a one-liner, then.

@Jonas-vdb

I'm curious to see how it will determine what the return type should be.

  • Expression if there is a logical operator?
  • SPDX ID if it is part of the list of possible SPDX license identifiers e.g. https://spdx.org/licenses/ ?
  • Named if none of the above apply?

Examples of licenses which are currently present in the BOM we use:

  • BSD-like: Not an Expression, not a valid SPDX Identifier so it would be Named?
  • MIT: Not an Expression but it is a valid SPDX identifier
  • BSD-2-Clause or Apache-2.0: Expression

@jkowalleck (Member, Author) commented Sep 12, 2022

re: #304 (comment)

the source of SPDX is different, but the rest is basically correct.
just see the JS and PHP implementations linked above as a reference point.

a best-effort detection:

  • if value starts with ( and ends with ) => probably an expression -> return license expression
    • i asked the SPDX people if they had a regex for the expression - even they do not have one, so we need to go with best-effort detection.
  • else if: lower-cased value is a known/supported SPDX license => return license with id
  • else: return license with name

implementation will be good-enough for now and can be seen as a ground for improvements later.

see #305

@jkowalleck jkowalleck mentioned this issue Sep 12, 2022
@Jonas-vdb

Note: identifying an expression with brackets will not always work.

Example of license expression without brackets:

('License', 'BSD-2-Clause or Apache-2.0')
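The best-effort detection sketched in the comment above (brackets => expression, known SPDX id => license with id, otherwise named license), plus the `Named|SPDX|None` mode that forces a specific model, as an added example that is not the library's own factory. It goes one step beyond the sketch by also treating a bare `OR`/`AND`/`WITH` operator as an expression marker, which covers the `BSD-2-Clause or Apache-2.0` case raised here; the SPDX id table is a constructed four-entry sample, not the full list from https://spdx.org/licenses/.

```python
import re
from dataclasses import dataclass
from typing import Optional, Union

# Constructed sample of SPDX identifiers; a real factory would load the
# complete SPDX license list. Keyed by lower-cased id so the lookup is
# case-insensitive, value is the canonical id to put into the BOM.
_KNOWN_SPDX_IDS = {i.lower(): i for i in ("MIT", "Apache-2.0", "BSD-2-Clause", "GPL-3.0-only")}

# Heuristic: a whitespace-delimited SPDX operator inside the string is a strong
# hint that it is an expression even without surrounding brackets.
_OPERATOR_RE = re.compile(r"\s(?:and|or|with)\s", re.IGNORECASE)


@dataclass(frozen=True)
class LicenseExpression:
    value: str


@dataclass(frozen=True)
class SpdxLicense:
    id: str


@dataclass(frozen=True)
class NamedLicense:
    name: str


LicenseModel = Union[LicenseExpression, SpdxLicense, NamedLicense]


def _looks_like_expression(value: str) -> bool:
    # Rule from the comment above: starts with "(" and ends with ")".
    if value.startswith("(") and value.endswith(")"):
        return True
    # Extension: a bare operator between two operands, e.g. "MIT OR Apache-2.0".
    return _OPERATOR_RE.search(value) is not None


def make_license(value: str, allow_expression: bool = True) -> Optional[LicenseModel]:
    """string -> Expression|SPDX|Named|None; with allow_expression=False the
    result is forced to SPDX|Named|None (e.g. for tools without expression support)."""
    value = value.strip()
    if not value:
        return None
    if allow_expression and _looks_like_expression(value):
        return LicenseExpression(value)
    spdx_id = _KNOWN_SPDX_IDS.get(value.lower())
    if spdx_id is not None:
        return SpdxLicense(spdx_id)
    return NamedLicense(value)
```

The operator heuristic is still best-effort: a free-form name that happens to contain the word "and" will be classified as an expression, so callers that know the string is a plain name should pass `allow_expression=False`.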


@jkowalleck (Member, Author) commented Sep 13, 2022

i am providing a best-effort implementation - as a ground for improvements.
after i am done with this, you are free to make the SPDX expression detection better.

@madpah madpah changed the title license factory [FEATURE] SPDX License factory Sep 15, 2022
madpah added a commit that referenced this issue Sep 15, 2022
feat: add license factories to more easily support creation of `License` or `LicenseChoice` from SPDX license strings #304