Offer a well-defined but simple way to declare additional packages

[sschuberth]

Independently of #9878, we need an easy way to declare additional packages for an ORT analyzer run to cover cases where packages cannot be determined automatically via one of the existing package managers.

Historically, our fallback for that case was the SpdxDocumentFile analyzer, allowing the user to put SPDX files in the file tree to get picked up and parsed by the analyzer. However, this approach has several drawbacks:

• SPDX is hard to write by hand (even the SPDX Lite profile).
• SPDX has too many ways to express the semantically same thing with different syntax (e.g. the DEPENDENCY_OF vs DEPENDS_ON relations).
• there may be other reasons for SPDX files being present in the file tree, which should not get picked up.

For a while now, the cli-helper offers a CreateAnalyzerResultFromPackageListCommand as a simpler way to declared additional packages via a (flat) PackageList. However, that command needs to be run separately, and creates a stand-alone ORT analyzer result, which makes integration with existing results hard (also see #4364). Any easy way to solve that would be to come up with a conventional filename for such package lists, and create a package manager implementation for them, very similar to the current SpdxDocumentFile package manager.

Finally, also other approaches exist to simplify declaration of packages metadata, like ABCD or kissbom.

This issue is about finding our preferred way of "injecting" additional packages into an ORT analyzer run.

[tsteenbe]

Ideally we add support for declaring package in packages for projects and dependencies .. this would address use cases like

• Binary package included in a project or package
• Closed source package as binary or archive stored within a project or dependency as "vendored" dependency

[fviernau]

Maybe we can offer multiple ways, one of them being enhancing the mentioned helper-cli command, to add packages from the package list to a given analyzer result.

[mnonnenmacher]

We had a discussion about this topic in a smaller round at the community day and collected some ideas:

• The helper-cli should be turned into a package manager after adding some missing features, to solve the issue that analyzer results cannot be merged.
• Missing features we identified (based on the example):
  • Support all project and package properties (like homepage URL and so on)
  • Support project dependencies by adding a dependency to another package list file.
• Some ideas and open points:
  • Maybe support also project dependencies to projects from other package managers?
  • Should it really be possible to set a concluded license for a package?
  • With SPDX we had the use case that a file describes only a package, so maybe a package list file should allow to have a package instead of a project as root object?
  • Maybe support PURLs as alternative or instead of ORT identifiers.
  • We talked about if dependency trees should be supported within a package list but concluded it adds too much complexity for little value.