A common use case which needs improvement:
A source file is dual licensed and ScanCode detects both licenses separately, e.g. GPL-2.0-only, MIT.
If one wants to curate only that single issue, then using a license finding curation is the only choice.
However, currently license finding curations can only match a single detected license. So, in order to fix up the two findings, one has the following two options:
1. Use two license finding curations, which are narrow (less risky) but exhibit some redundancy, e.g.:

   - path: "flower/static/js/jquery-ui-1-8-15.min.js"
     concluded_license: "GPL-2.0-only OR MIT"
     detected_license: "GPL-2.0-only"
     reason: "INCORRECT"
     comment: "Code comment states 'Dual licensed under the MIT or GPL Version 2 licenses', see \
       https://github.com/mher/flower/blob/v0.9.7/flower/static/js/jquery-ui-1-8-15.min.js#L5."
   - path: "flower/static/js/jquery-ui-1-8-15.min.js"
     concluded_license: "GPL-2.0-only OR MIT"
     detected_license: "MIT"
     reason: "INCORRECT"
     comment: "Code comment states 'Dual licensed under the MIT or GPL Version 2 licenses', see \
       https://github.com/mher/flower/blob/v0.9.7/flower/static/js/jquery-ui-1-8-15.min.js#L5."
2. Use one license finding curation but don't match the detected license, which is broader (more risky) but without that redundancy, e.g.:

   - path: "flower/static/js/jquery-ui-1-8-15.min.js"
     concluded_license: "GPL-2.0-only OR MIT"
     reason: "INCORRECT"
     comment: "Code comment states 'Dual licensed under the MIT or GPL Version 2 licenses', see \
       https://github.com/mher/flower/blob/v0.9.7/flower/static/js/jquery-ui-1-8-15.min.js#L5."
Depending on the risk appetite of the user, option 2 may actually not be an option.
The example was found here; it should be improved after this feature is implemented and until then maybe reverted as too risky.
So, to better address this use case, this proposal is to allow providing a list of detected licenses where only one list item must match, e.g.:
- path: "flower/static/js/jquery-ui-1-8-15.min.js"
  concluded_license: "GPL-2.0-only OR MIT"
  detected_license:
    - "MIT"
    - "GPL-2.0-only"
  reason: "INCORRECT"
  comment: "Code comment states 'Dual licensed under the MIT or GPL Version 2 licenses', see \
    https://github.com/mher/flower/blob/v0.9.7/flower/static/js/jquery-ui-1-8-15.min.js#L5."
A more generalized approach could be:

- concluded_license: "GPL-2.0-only OR MIT"
  reason: "INCORRECT"
  comment: "Code comment states 'Dual licensed under the MIT or GPL Version 2 licenses', see \
    https://github.com/mher/flower/blob/v0.9.7/flower/static/js/jquery-ui-1-8-15.min.js#L5."
  findings:
    - path: "flower/static/js/jquery-ui-1-8-15.min.js"
      detected_license: "MIT"
      start_lines: 1
      line_count: 23
    - path: "flower/static/js/jquery-ui-1-8-15.min.js"
      detected_license: "GPL-2.0-only"
      start_lines: 18
      line_count: 36
Note: Goal of this description is to explain the problem and have a rough idea for potential solutions. The proposed solutions are not meant to be exact, but a starting point for discussions.
I like the simplicity of using an array for detected_license compared to the more verbose 2nd option with a findings list with multiple paths. The latter is more powerful but would be a breaking change.
I also have a tendency towards the first approach, but I also see valid use cases for the second. Whatever approach is implemented it should definitely be backward compatible, to not break existing configurations.
I would suggest to discuss this topic in the dev meeting tomorrow.