SamuraiAku / PkgToSoftwareBOM.jl

Produces a Software Bill of Materials (SBOM) describing your Julia Pkg environment. SBOM is in the SPDX format
MIT License

Fill in Declared License field in SBOM #7

Closed SamuraiAku closed 5 months ago

SamuraiAku commented 1 year ago

Includes declared license and package summary. That costs a user with each query and requires a Github login? Need to research that. Include flags to not use the API and to tell the user how many API actions an SBOM would cost them without actually doing it.

ericphanson commented 1 year ago

One approach is to download the code and then introspect the repo for the license and attempt to detect it. That's what PackageAnalyzer.jl does (with LicenseCheck.jl providing an interface to the go library licensecheck). It could be an option for this package to rely on PackageAnalyzer to do that; you can do pkg = analyze("Pluto"; version=v"0.18.0") for example, which will use all installed registries to find that version of the package, or pass a local path, url, etc.

See e.g. https://juliaecosystem.github.io/PackageAnalyzer.jl/dev/#License-information

This does not get the github summary though, since that isn't actually in the repo itself.

SamuraiAku commented 1 year ago

Does LicenseCheck.jl require the user to install Go themselves? I want to make this package accessible to the entire Julia community and I don't think a requirement like that is going to work.

No need to download code. PkgToSoftwareBOM only works on an active environment, which means all the code was already downloaded by Pkg.

ericphanson commented 1 year ago

LicenseCheck uses a JLL, and PackageAnalyzer will reuse the code downloaded by Pkg if it is available.
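Putting the two comments together, here is an added example (not code from PkgToSoftwareBOM or PackageAnalyzer) of how a local PackageAnalyzer scan of each source tree in the active environment could feed the SPDX `PackageLicenseDeclared` field without any GitHub API calls. It assumes `analyze(path)` returns a struct whose `license_files` entries carry `licenses_found` and `license_file_percent_covered` (on a 0-100 scale), and that `Pkg.dependencies()` exposes each dependency's on-disk `source` path; the 75% coverage threshold is a chosen value, not one either project defines.

```julia
# Added example, not PkgToSoftwareBOM's or PackageAnalyzer's own code.
# Assumptions: PackageAnalyzer.analyze(path) returns a struct with a
# `license_files` vector whose elements have `licenses_found` and
# `license_file_percent_covered` (percent, 0-100); Pkg.dependencies()
# gives each dependency's on-disk `source` path.
using Pkg
using PackageAnalyzer

# SPDX requires PackageLicenseDeclared to be a license expression or one
# of the keywords NONE / NOASSERTION. Emit a real expression only when the
# scanner matched a license file with reasonable coverage; otherwise write
# NOASSERTION so the SBOM never claims a license that was not verified.
const MIN_COVERAGE = 75.0   # assumed threshold, percent of license text matched

function declared_license(source_path::AbstractString)
    pkg = analyze(source_path)          # local scan, no GitHub API call
    ids = String[]
    for lf in pkg.license_files
        lf.license_file_percent_covered >= MIN_COVERAGE || continue
        append!(ids, lf.licenses_found)
    end
    isempty(ids) && return "NOASSERTION"
    # Multiple distinct license files are combined conjunctively;
    # a human should still review anything with more than one identifier.
    return join(unique(ids), " AND ")
end

# Walk the active environment: Pkg already downloaded every source tree,
# so nothing needs to be fetched and the cost is purely local CPU time.
function environment_licenses()
    licenses = Dict{String,String}()
    for (_, info) in Pkg.dependencies()
        info.source === nothing && continue        # no source tree to scan
        isdir(info.source) || continue
        licenses[info.name] = declared_license(info.source)
    end
    return licenses
end

# Example use:
# for (name, lic) in sort(collect(environment_licenses()))
#     println("PackageName: $name\nPackageLicenseDeclared: $lic\n")
# end
```

Packages that end up as NOASSERTION are the ones worth a manual look before the SBOM is shipped, since an SPDX consumer will treat that keyword as "unknown" rather than "unlicensed".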

SamuraiAku commented 6 months ago

@ericphanson I have a pull request in LicenseCheck.jl that will allow it to scan sub-directories. I could implement the directory scanning within PkgToSoftwareBOM but I think it's cleaner implemented within the package. Do you think there's a possibility of this being merged and released in the near future? Thanks.