eclipse-apoapsis / ort-server

A scalable server implementation of the OSS Review Toolkit.
https://eclipse-apoapsis.github.io/ort-server/
Apache License 2.0

Allow evaluator rule resources from the classpath to be used #634

Open sschuberth opened 4 months ago

sschuberth commented 4 months ago
> I'm unsure if this is a UI issue only: I don't see that there is currently any job configuration parameter for enabling OSADL rules in the Evaluator job.

This is correct; currently it is not possible to use a rule set from the classpath. This would have to be implemented first.

Originally posted by @mnonnenmacher in https://github.com/eclipse-apoapsis/ort-server/issues/613#issuecomment-2214026002

mnonnenmacher commented 4 months ago

I see two options to implement this:

  1. Add a separate parameter to EvaluatorJobConfig, like ruleSetFromClasspath.
  2. Add a prefix to the existing ruleSet parameter, e.g. classpath://.

Any opinions or other ideas from the community?

sschuberth commented 4 months ago

> 2. Add a prefix to the existing ruleSet parameter, e.g. classpath://.

A bit similar to this, loading rules could be generalized to loading them from URIs (which can point to files as well as resources) like the EvaluatorCommand does.

oheger-bosch commented 4 months ago

Are rules from the classpath special in some sense? I mean they could be considered part of ORT's API, and there will probably rarely be changes in the set of supported rules. If so, they could deserve a more prominent treatment in the evaluator job configuration. For instance, there could be a flag to enable or disable the OSADL rules. Or is it expected that a concrete deployment could add arbitrary resources to the classpath?

Slightly related to this is the question whether multiple rule files should be supported. It could make sense to execute the OSADL rules together with a custom rules file. So far, ORT Server supports only a single rule file, although the Evaluator can run multiple.

sschuberth commented 4 months ago

> For instance, there could be a flag to enable or disable the OSADL rules.

That's exactly where this issue is coming from, see https://github.com/eclipse-apoapsis/ort-server/issues/613.

> Or is it expected that a concrete deployment could add arbitrary resources to the classpath?

While I was thinking about this as well, discovering such rules would require more work, like at least some naming convention for the rule resources. So while nice to have, this is not a primary use-case IMO. I'm more thinking about the rules built into ORT core.

> Slightly related to this is the question whether multiple rule files should be supported.

They should absolutely, IMO. We have little means so far to manage rules code, and one way to cope with long rules files / many rules is to split them into multiple files by use-case or domain (e.g. license vs. security compliance rules).