Need an endpoint to get the license findings in a package #2074

Open
Etsija opened this issue Feb 20, 2025 · 3 comments
Labels
api Issues related to the API.

Comments

@Etsija
Contributor

Etsija commented Feb 20, 2025

Either a dedicated endpoint for this is needed, or else this endpoint needs to be extended to provide the detected licenses (which are available after the Scanner job is completed).

@Etsija added the api label Feb 20, 2025
@mnonnenmacher
Contributor

mnonnenmacher commented Feb 20, 2025

@Etsija Do you mean just the detected license as one SPDX expression, or the list of license findings?

If the latter, this should be a separate endpoint to properly support pagination.
Should the returned data also include any applied license finding curations or path excludes? For the user it would be very helpful to show this information.

@Etsija changed the title from "Need an endpoint to get the detected licenses in a package" to "Need an endpoint to get the license findings in a package" Feb 21, 2025
@Etsija
Contributor Author

Etsija commented Feb 21, 2025

Some thoughts:

  • yes, the list of license findings, which we would display alongside the declared licenses column, to easily identify discrepancies
  • do you really think it would need a separate paginated endpoint? Are we expecting the list to be very long, potentially?
  • as for the license finding curations and path excludes, I'd like to involve @sschuberth in the discussion, as I believe that would tie the retrieval of this data to the Evaluator/PackageConfigurationProvider and alter the original use case we had in mind

@sschuberth
Contributor

> do you really think it would need a separate paginated endpoint? Are we expecting the list to be very long, potentially?

Yes and yes, but IIUC that question referred to the case of having a dedicated license findings (which we probably want to have, I mean it's already there but empty; however, that's a slightly different topic of displaying detected licenses as part of the packages view).

> Should the returned data also include any applied license finding curations or path excludes?

I believe at least the dedicated license findings view should optionally take them into account (which reminds me a bit of #2071, BTW). But also for the display of detected licenses in the packages view it should be the case, I believe.

@mnonnenmacher, I propose to have a short meeting to discuss the details.
