fix(sbom): fix false positives in monthly license audit

Three issues caused the monthly audit to report already-resolved submodules:

1. The audit workflow grepped for "NOASSERTION" anywhere in the output,
   matching the Detected column even when the Final column had a valid
   override (e.g. libtomcrypt detected as NOASSERTION but overridden to
   Unlicense). Changed to grep for "<-- UNRESOLVED" marker instead.

2. Submodules with an explicit NOASSERTION override in license-overrides.yaml
   (like libfc-sensor-api, which is proprietary) were still counted as
   failures. Now treated as "acknowledged" since someone intentionally
   added the override entry.

3. Added missing BSD-3-Clause override for sitl_gazebo-classic (PX4 org
   project with no LICENSE file in repo).

Fixes #26932

Signed-off-by: Ramon Roche <mrpollo@gmail.com>

Author: mrpollo

.github/workflows/sbom_monthly_audit.yml

@@ -39,10 +39,10 @@ jobs:
       - name: Check for issues
         id: check
         run: |
-          if grep -q "NOASSERTION" /tmp/sbom-verify.txt; then
+          if grep -q "<-- UNRESOLVED" /tmp/sbom-verify.txt; then
             echo "has_issues=true" >> "$GITHUB_OUTPUT"
-            # Extract NOASSERTION lines
-            grep "NOASSERTION" /tmp/sbom-verify.txt | grep -v "skipped" > /tmp/sbom-issues.txt || true
+            # Extract only genuinely unresolved license lines
+            grep "<-- UNRESOLVED" /tmp/sbom-verify.txt > /tmp/sbom-issues.txt || true
             # Extract copyleft lines
             sed -n '/Copyleft licenses detected/,/^$/p' /tmp/sbom-verify.txt > /tmp/sbom-copyleft.txt || true
           else

Tools/ci/generate_sbom.py

@@ -478,6 +478,7 @@ def verify_licenses(source_dir):
         sub_dir = source_dir / sub_path
 
         checked_out = sub_dir.is_dir() and any(sub_dir.iterdir())
+        has_explicit_override = sub_path in license_overrides
         if not checked_out:
             detected = "(not checked out)"
             override = license_overrides.get(sub_path, "")
@@ -487,9 +488,12 @@ def verify_licenses(source_dir):
             override = license_overrides.get(sub_path, "")
             final = override if override else detected
 
-        if final == "NOASSERTION" and checked_out:
+        if final == "NOASSERTION" and has_explicit_override:
+            # Explicitly acknowledged in overrides file — not a failure
+            marker = " (acknowledged)"
+        elif final == "NOASSERTION" and checked_out:
             has_noassertion = True
-            marker = " <-- NOASSERTION"
+            marker = " <-- UNRESOLVED"
         elif final == "NOASSERTION" and not checked_out:
             marker = " (skipped)"
         else:
@@ -521,7 +525,7 @@ def verify_licenses(source_dir):
         print()
 
     if has_noassertion:
-        print("FAIL: Some submodules resolved to NOASSERTION. "
+        print("FAIL: Some submodules have unresolved licenses. "
               "Add an entry to Tools/ci/license-overrides.yaml or check the LICENSE file.")
         return 1
 

Tools/ci/license-overrides.yaml

@@ -9,6 +9,12 @@ overrides:
     license: "LGPL-3.0-only AND MIT"
     comment: "Generator is LGPL-3.0; PX4 ships only MIT-licensed generated headers."
 
+  Tools/simulation/gazebo-classic/sitl_gazebo-classic:
+    license: "BSD-3-Clause"
+    comment: >-
+      PX4 org project. No LICENSE file in repo; source files carry
+      BSD-3-Clause headers consistent with the PX4 project license.
+
   src/lib/cdrstream/cyclonedds:
     license: "EPL-2.0 OR BSD-3-Clause"
     comment: >-