oss-review-toolkit / ort

A suite of tools to automate software compliance checks.
https://oss-review-toolkit.org
Apache License 2.0

evaluator passes wrong detected license to `rules.kts` when license choice was made #6812

Open fviernau opened 1 year ago

fviernau commented 1 year ago

Given:

  1. Detected license: BSD-3-Clause OR GPL-2.0-only.
  2. License choice in ort.yml:

         license_choices:
           package_license_choices:
           - package_id: "NPM::node-forge:1.3.1"
             license_choices:
             - given: "BSD-3-Clause OR GPL-2.0-only"
               choice: "BSD-3-Clause"
  3. The "effective license" shown in the WebApp indicates that the license choice eliminated GPL-2.0-only.

Reproduce:

  1. Run evaluator with upstream ort-config policy rules

Outcome: GPL-2.0-only is flagged for NPM::node-forge:1.3.1.

fviernau commented 1 year ago

@MarcelBochtler I just realized yesterday that you've also been looking into a license choice bug and that it may be related. I haven't found a GitHub issue for "your" bug. If it doesn't exist, we can just use this ticket. It would be great if you could provide reproduce steps for the issue you observed.

MarcelBochtler commented 1 year ago

No, there is no issue for the issue I discovered and reproduced in this PR: #6721

The steps to reproduce this are mentioned in the PR as well:

Whenever a SpdxExpression contains an AND operator, the DNF needs to be calculated again. For instance the correct DNF for a AND (b OR c OR d) is (a AND b) OR (a AND c) OR (a AND d). Before, the calculated DNF for this expression was (a AND (b OR c)) OR (a AND d) which is not a valid DNF.

This can best be shown in a unit test as done in the PR.

The main issue that arises if the DNF is incorrectly calculated is exactly what you described in this issue: The license choice cannot be applied.

fviernau commented 3 months ago

This might have been fixed by https://github.com/oss-review-toolkit/ort/pull/8106. Should be re-tested.