I'll take a look at how the other tools are doing this. Ideally there are two modes here where the user can bring a configuration expressing licenses they KNOW to be incompatible as well as grant having some dataset of "obvious" incompatible license(s).
grant check -o json <image:tag> would probably add a new section to the json output to reflect incompatible licenses, but I'll start thinking on a human readable format for the terminal.
I was thinking about something like having a new flag/config key with the name show-incompatibilities. If set to true, the output of grant will look the same as it does now, but also print some kind of matrix or just a text saying "X is not compatible with Y". For me the JSON result is far more important, as I want to analyze tens of thousands of repositories/images to verify proper licensing.
What would you like to be added:
When analysing SBOMs, a check for license incompatibilities would be nice to have. Other OSS tools like https://github.com/vinland-technology/flict do this, but do not use the SBOM format like grant does. Therefore, having these checks already implemented in grant would help to find problems within the licenses, going beyond allow and deny lists.
Why is this needed:
To discover problems with licenses that are not easy to find without proper knowledge of licenses.
Additional context:
I don't think it's possible to check for every license combination, as for some of them the context is important. But it would be really helpful to find common problems between licenses. For reference: https://wiki.geant.org/display/GSD/Reference+information+about+OSS+licences+and+tools#ReferenceinformationaboutOSSlicencesandtools-Licencecompatibility
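A sketch of the check discussed in this thread, added here as an example and not grant's own code: a built-in sample list of "obvious" incompatible pairs is merged with user-configured pairs, applied to a constructed SBOM, and reported both as "X is not compatible with Y" text and as a JSON section. The built-in pairs, the struct names and the JSON field names are assumptions for illustration, not grant's actual dataset or output schema.

```go
package main

import "encoding/json"
import "fmt"

// Package is a minimal stand-in for one SBOM component: its name and SPDX license IDs.
type Package struct {
	Name     string   `json:"name"`
	Licenses []string `json:"licenses"`
}
// Incompatibility is one finding; the JSON tags sketch a possible new output section.
type Incompatibility struct {
	PackageA string `json:"packageA"`
	LicenseA string `json:"licenseA"`
	PackageB string `json:"packageB"`
	LicenseB string `json:"licenseB"`
}
// builtinIncompatible is an illustrative sample of "obvious" pairs, not an authoritative dataset.
var builtinIncompatible = [][2]string{{"GPL-2.0-only", "Apache-2.0"}, {"GPL-2.0-only", "GPL-3.0-only"}}
// FindIncompatibilities merges built-in and user pairs and flags distinct packages whose licenses collide; dual licensing inside one package is not flagged.
func FindIncompatibilities(pkgs []Package, userPairs [][2]string) []Incompatibility {
	banned := map[string]bool{} // both orderings stored so lookups are order-independent
	for _, p := range append(append([][2]string{}, builtinIncompatible...), userPairs...) {
		banned[p[0]+"|"+p[1]], banned[p[1]+"|"+p[0]] = true, true
	}
	var out []Incompatibility
	for i, a := range pkgs {
		for _, b := range pkgs[i+1:] {
			for _, la := range a.Licenses {
				for _, lb := range b.Licenses {
					if banned[la+"|"+lb] {
						out = append(out, Incompatibility{a.Name, la, b.Name, lb})
					}
				}
			}
		}
	}
	return out
}
func main() {
	// Constructed sample SBOM plus a made-up user policy pair (MIT vs Apache-2.0), not real data.
	sbom := []Package{{"libfoo", []string{"Apache-2.0"}}, {"libbar", []string{"GPL-2.0-only"}}, {"libbaz", []string{"MIT"}}}
	findings := FindIncompatibilities(sbom, [][2]string{{"MIT", "Apache-2.0"}})
	for _, f := range findings { // human-readable form proposed in the thread
		fmt.Printf("%s (%s) is not compatible with %s (%s)\n", f.LicenseA, f.PackageA, f.LicenseB, f.PackageB)
	}
	js, _ := json.MarshalIndent(map[string][]Incompatibility{"incompatibilities": findings}, "", "  ")
	fmt.Println(string(js))
}
```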