Licenses declared as part of an SPDX file should be inherited by nested projects

[sschuberth]

When using a project.spdx.yml file to declare a license for a directory, that declared license should by default also apply to nested projects in that directory. Example: The SPDX file declares "MIT" for directory "./external/lib", then ORT should not complain about a nested "./external/lib/python/requirements.txt" "./external/lib/python/setup.py" to not have any license declared.

[tsteenbe]

@sschuberth you can't declare a license for python's requirements.txt so this is a bug in ORT. Licenses for Python can be declared in setup.py or setup.cfg. Recommend you file a separate ticket to fix ORT's requirements.txt handling.

[sschuberth]

Then requirements.txt was just a badly chosen example; I could have used setup.py as well. The point is that in the SPDX case, which internally rather operates on a directory level than on a project level, what you usually want is to declare a directory, including all its contents, to be under a certain license. So ORT should not complain about a nested setup.py which does not declare a license, but inherit / amend the license declared via SPDX.