package.spdx.yml are discarded in MoveTK project

[tsteenbe]

Previously for the MoveTK project (https://github.com/heremaps/movetk) the report would show SpdxDocumentFile entries and now the Analyzer logs shows the below:

10:11:59 08:11:59.287 [main] INFO  org.ossreviewtoolkit.analyzer.managers.SpdxDocumentFile - Discarded the following non-project SPDX files: '/workspace/project/src/include/third_party/miniball/package.spdx.yml', '/workspace/project/src/include/third_party/boost_geometry/package.spdx.yml', '/workspace/project/third_party/Catch2/package.spdx.yml', '/workspace/project/third_party/GsTL/package.spdx.yml'

This regression in functionality was introduced in https://github.com/oss-review-toolkit/ort/pull/3846 but per the https://github.com/spdx/spdx-spec/issues/439 this should work.

[tsteenbe]

MoveTK is just the public example - per spec for this it's not required to have project.spdx.yml for a project. Requiring to have project.spdx.yml would break some of our and other ORT user's use cases.

[neubs-bsi]

From discussion with @tsteenbe on Friday: Idea:

• before starting resolveDefintionFiles() in the analyzer -> create a new function in PackageManager that runs before this and can implement definition file specific rules
• for SpdxDocumentFilethis would be -> if project.spdx.yml exist, delete allpackage.spd.yml, otherwise keep them
• then in the SpdxDocumentFile resolveDependencies: delete discarding of the package.spdx.yml and return package.spdx,yml information if it is a definition file.

EDIT: such a function exists already in ### "mapDefinitionFiles()" -> mapping will just be adapted to above described desired result.

[neubs-bsi]

@tsteenbe do you by any chance still have an analyzer result file from an old MoveTK project that shows how you would expect the results to look?

[tsteenbe]

@neubs-bsi Sure, here you go movetk-november-30-2020-analyzer-result.json.zip