Handling of deprecated SPDX License Identifiers by ORT

[gubechto]

What is the existing functionality and how should it be enhanced?

ORT transforms some deprecated SPDX License Identifiers to valid SPDX License IDs what should be enhanced that ORT handles all deprecated SPDX License Identifiers.

What is the use-case for your enhancement?

In the file https://github.com/oss-review-toolkit/ort/blob/main/utils/spdx/src/main/kotlin/SpdxLicense.kt all current deprecated SPDX License Identifiers are identified correctly. If deprecated SPDX License Identifiers are entered directly to ORT for example by the field “licenseDeclared” in a SPDX document some but not all deprecated SPDX License Identifiers are transformed to valid SPDX License Identifiers. Another comparable scenario would by metadata from package managers. Examples of transformed and not transformed deprecated License Identifiers are shown in the following list (taken from the tab table of an ORT Scan Report):

Transformation to valid SPDX IDs  deprecated SPDX License IDs
Declared Licenses                 Unprocessed Declared Licenses
                                  eCos-2.0
GPL-3.0-only                      GPL-3.0
LGPL-2.1-or-later                 LGPL-2.1+
                                  Nunit
                                  wxWindows

Additional context

License information in source code files is interpreted by ScanCode and handed over to ORT by SPDX license expressions. Testing license information which would result in deprecated SPDX License Identifiers show that ScanCode can handle the current deprecated SPDX License Identifiers correctly. With selected files from ecos-3.0.i386linux.tar.bz2, NUnit-2.5.0.9122-src.zip and wxWidgets-3.2.6.zip ScanCode provides the following results with valid SPDX License Identifiers:

Value             Path                      Start End  Text Relevant for License Identification by ScanCode
                                            Line  Line
GPL-2.0-or-later  ecos-3.0/packages/          8    38  // ####ECOSGPLCOPYRIGHTBEGIN####                                            
WITH eCos-        io/fileio/v3_0/                      // -------------------------------------------
exception-2.0     src/socket.cxx                       // This file is part of eCos, the Embedded Configurable...

zlib-             NUnit-2.5.0.9122/src/       2     2  // This is free software licensed under the NUnit license.
acknowledgement   NUnitFramework/framework/
                  AssertionException.cs

LGPL-2.0-or-later src/generic/bmpsvg.cpp      8     8  // Licence:     wxWindows licence
WITH WxWindows-
exception-3.1

[sschuberth]

Examples of transformed and not transformed deprecated License Identifiers are shown in the following list (taken from the tab table of an ORT Scan Report):

Can you please share the ORT analyzer result file the report was generated from?

[sschuberth]

Unfortunately, SPDX does not maintain a machine-readable list to which (non-deprecated) license a deprecated license maps so, i.e. what its successor is. That's why ORT maintains such mappings as part of simple-license-mapping.yml.

At the example of eCos-2.0, it seems that should be an exception called eCos-exception-2.0 now. But for e.g. Nunit it's unclear to me what the non-deprecated successor should be.