Include license info for deb pkgs in SPDX reports

Tern must scan the copyright files to gather any type of license
information for Debian packages and uses the debian-inspector[1]
library to do this. Once scanned, Debian licenses found are stored
in the `pkg_licenses` field in the package data model (vs `pkg_license`
field for packages found using the package manager). This was causing
them not to be reported in SPDX documents.

This commit enables Tern to report `pkg_licenses` found in Debian
packages as `LicenseRefs` for both tag value and json SPDX formats.

Resolves #1188

[1] https://github.com/nexB/debian-inspector

Signed-off-by: Rose Judge <[email protected]>

Author: rnjudge

tern/formats/spdx/spdxjson/image_helpers.py

@@ -29,6 +29,9 @@ def get_image_extracted_licenses(image_obj):
         for package in layer.packages:
             if package.pkg_license:
                 unique_licenses.add(package.pkg_license)
+            # Add debian licenses from copyright text as one license
+            if package.pkg_licenses:
+                unique_licenses.add(", ".join(package.pkg_licenses))
     extracted_texts = []
     for lic in list(unique_licenses):
         if not spdx_common.is_spdx_license_expression(lic):

tern/formats/spdx/spdxjson/package_helpers.py

@@ -30,6 +30,10 @@ def get_source_package_dict(package, template):
     JSON document.'''
     mapping = package.to_dict(template)
     _, src_ref = spdx_common.get_package_spdxref(package)
+    declared_lic = mapping['PackageLicenseDeclared']
+    # Define debian licenses from copyright text as one license 
+    if package.pkg_format == 'deb':
+        declared_lic = ', '.join(package.pkg_licenses)
     package_dict = {
         'name': mapping['SourcePackageName'],
         'SPDXID': src_ref,
@@ -40,7 +44,7 @@ def get_source_package_dict(package, template):
         'filesAnalyzed': False,  # always false for packages
         'licenseConcluded': 'NOASSERTION',  # always NOASSERTION
         'licenseDeclared': spdx_common.get_package_license_declared(
-            mapping['PackageLicenseDeclared']),
+            declared_lic),
         'copyrightText': mapping['PackageCopyrightText'] if
         mapping['PackageCopyrightText'] else 'NONE',
         'comment': json_formats.source_package_comment

tern/formats/spdx/spdxtagvalue/image_helpers.py

@@ -56,6 +56,9 @@ def get_image_packages_license_block(image_obj):
         for package in layer.packages:
             if package.pkg_license:
                 licenses.add(package.pkg_license)
+            # Add debian licenses from copyright text as one license
+            if package.pkg_licenses:
+                licenses.add(", ".join(package.pkg_licenses))
     for lic in licenses:
         if not spdx_common.is_spdx_license_expression(lic):
             block += spdx_formats.license_id.format(

tern/formats/spdx/spdxtagvalue/package_helpers.py

@@ -97,8 +97,13 @@ def get_package_block(package_obj, template):
     # Package License Concluded (always NOASSERTION)
     block += 'PackageLicenseConcluded: NOASSERTION\n'
     # Package License Declared (use the license ref for this)
+    declared_lic = mapping['PackageLicenseDeclared']
+    if package_obj.pkg_format == 'deb':
+        # Define debian licenses from copyright text as one license
+        declared_lic = ', '.join(package_obj.pkg_licenses)
+    # List debian package licenses collected from copyright texts
     block += 'PackageLicenseDeclared: ' + spdx_common.get_package_license_declared(
-        mapping['PackageLicenseDeclared']) + '\n'
+        declared_lic) + '\n'
     # Package Copyright Text
     if mapping['PackageCopyrightText']:
         block += 'PackageCopyrightText:' + spdx_formats.block_text.format(