
feature: add support for allowlists #123

Merged
merged 6 commits into from
Oct 3, 2024

Conversation

NyanKiyoshi (Contributor)

This adds support for denying all packages and only allowing selected ones, by implementing support for `mode: "allow"`.

Fixes: #101

Such as:

```yaml
rules:
  - pattern: "BSD-*"
    name: "bsd-allow"
  - pattern: "*"
    name: "default-deny-all"
    mode: "deny"
```
Example

Config:

```yaml
rules:
  - pattern: "BSD-*"
    name: "bsd-allow"
    mode: "allow"
    reason: "BSD is compatible with our project"
    exceptions:
      - asgiref
  - pattern: "*"
    name: "default-deny-all"
    mode: "deny"
    reason: "All licenses need to be explicitly approved (allowlist)"
```

Results:

```
$ ./main.bin check bom.json -o table --show-packages -vvv
[0000]  INFO grant version: [not provided]
[0000] DEBUG config:
  log:
      quiet: false
      level: trace
      file: ""
  dev:
      profile: none
  config: .grant.yaml
  output: table
  show-packages: true
  non-spdx: false
  quiet: false
  osi-approved: false
  rules:
      - name: bsd-allow
        reason: BSD is compatible with our project
        pattern: BSD-*
        severity: ""
        mode: allow
        exceptions:
          - asgiref
      - name: default-deny-all
        reason: All licenses need to be explicitly approved (allowlist)
        pattern: '*'
        severity: ""
        mode: deny
        exceptions: []
[0000] TRACE worker stopped component=eventloop
[0000] TRACE signal exit component=eventloop
* bom.json
  * license matches for rule: bsd-allow; matched with pattern BSD-*
    * BSD-3-Clause
      * asgiref
  * license matches for rule: default-deny-all; matched with pattern *
    * 0BSD
      * Authlib
    * New BSD
      * click-plugins
    * OSI Approved
      * oauthlib
check failed
```
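To make the allowlist semantics above concrete, here is an added example (not grant's own code) that models the rule evaluation the PR describes: rules are walked in order, a rule applies when its glob pattern matches the license ID, and its `mode` decides the verdict. The rules and the package/license pairs are taken from the config and output above; the `Rule`, `Verdict` and `Component` types, the `Evaluate` and `Check` functions, and the following behaviours are assumptions of this example rather than statements from the PR: first matching rule wins, a package listed under a rule's `exceptions` is not judged by that rule and falls through to the next one, and a pair that matches no rule is allowed.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Mode is the verdict a rule yields when its pattern matches a license.
type Mode string

const (
	ModeAllow Mode = "allow"
	ModeDeny  Mode = "deny"
)

// Rule mirrors the fields used in the PR's .grant.yaml example.
type Rule struct {
	Name       string
	Pattern    string   // glob matched against the license ID, e.g. "BSD-*"
	Mode       Mode
	Reason     string
	Exceptions []string // package names the rule does not apply to (assumed semantics)
}

// Verdict is the outcome for one (license, package) pair.
type Verdict struct {
	Denied bool
	Rule   string // rule that decided; "" when no rule matched
	Reason string
}

// Component is one entry of a constructed SBOM.
type Component struct{ Package, License string }

func (r Rule) exempts(pkg string) bool {
	for _, e := range r.Exceptions {
		if strings.EqualFold(e, pkg) {
			return true
		}
	}
	return false
}

// Evaluate walks the rules in order and returns the verdict of the first rule
// whose pattern matches the license and which does not exempt the package.
// Assumptions not stated on the PR page: first match wins, an exempted package
// falls through to the next rule, and a pair matching no rule is allowed.
func Evaluate(rules []Rule, license, pkg string) (Verdict, error) {
	for _, r := range rules {
		// path.Match treats "*" as "any run of non-'/' characters", so it
		// matches "BSD-3-Clause" against "BSD-*" but not "0BSD" or "New BSD".
		matched, err := path.Match(r.Pattern, license)
		if err != nil {
			return Verdict{}, fmt.Errorf("rule %q: bad pattern %q: %w", r.Name, r.Pattern, err)
		}
		if !matched || r.exempts(pkg) {
			continue
		}
		return Verdict{Denied: r.Mode == ModeDeny, Rule: r.Name, Reason: r.Reason}, nil
	}
	return Verdict{}, nil
}

// Check evaluates every component; it returns whether the policy passed and
// the denied components grouped by the rule that denied them.
func Check(rules []Rule, bom []Component) (bool, map[string][]Component, error) {
	denied := map[string][]Component{}
	for _, c := range bom {
		v, err := Evaluate(rules, c.License, c.Package)
		if err != nil {
			return false, nil, err
		}
		if v.Denied {
			denied[v.Rule] = append(denied[v.Rule], c)
		}
	}
	return len(denied) == 0, denied, nil
}

// AllowlistRules is the PR's example config: allow BSD-* (except asgiref), deny everything else.
func AllowlistRules() []Rule {
	return []Rule{
		{Name: "bsd-allow", Pattern: "BSD-*", Mode: ModeAllow,
			Reason: "BSD is compatible with our project", Exceptions: []string{"asgiref"}},
		{Name: "default-deny-all", Pattern: "*", Mode: ModeDeny,
			Reason: "All licenses need to be explicitly approved (allowlist)"},
	}
}

// SampleBOM is constructed from the package/license pairs in the PR's output.
func SampleBOM() []Component {
	return []Component{
		{"asgiref", "BSD-3-Clause"},
		{"Authlib", "0BSD"},
		{"click-plugins", "New BSD"},
		{"oauthlib", "OSI Approved"},
	}
}

func main() {
	passed, denied, err := Check(AllowlistRules(), SampleBOM())
	if err != nil {
		panic(err)
	}
	for rule, comps := range denied {
		for _, c := range comps {
			fmt.Printf("denied by %s: %s (%s)\n", rule, c.Package, c.License)
		}
	}
	if !passed {
		fmt.Println("check failed")
	}
}
```

Two things the run makes visible that the output above only implies: `New BSD` and `0BSD` are not covered by `BSD-*`, so any license whose ID is not a clean SPDX identifier lands in the catch-all deny rule; and, under the assumed exception semantics, listing a package under an allow rule's `exceptions` pushes it into `default-deny-all`, so the catch-all rule is where an allowlist usually wants its exceptions.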

This adds support for denying all packages and only allowing selected ones, by implementing support for `mode: "allow"`.

Such as:

```
rules:
  - pattern: "BSD-*"
    name: "bsd-allow"
  - pattern: "*"
    name: "default-deny-all"
    mode: "deny"
```

Signed-off-by: Mikail Kocak <[email protected]>
NyanKiyoshi force-pushed the feature/support-allowlists branch from 722d6d7 to 84db6a4 on September 4, 2024 19:58

grant/policy.go (outdated), comment on lines -47 to -58:

```go
if !l.IsSPDX() && ec.CheckNonSPDX {
	if denied, rule := ec.Policy.IsDenied(l, pkg); denied {
		var reason Reason
		if rule != nil {
			reason = Reason{
				Detail:   ReasonLicenseDeniedPolicy,
				RuleName: rule.Name,
			}
		}
		return NewLicenseEvaluation(l, pkg, ec.Policy, []Reason{reason}, false)
	}
}
```
NyanKiyoshi (Contributor, Author) commented Sep 4, 2024

If I'm not mistaken, the behavior was the same no matter whether it's SPDX or not here:

```go
if !l.IsSPDX() && ec.CheckNonSPDX {
	if denied, rule := ec.Policy.IsDenied(l, pkg); denied {
		var reason Reason
		if rule != nil {
			reason = Reason{
				Detail:   ReasonLicenseDeniedPolicy,
				RuleName: rule.Name,
			}
		}
		return NewLicenseEvaluation(l, pkg, ec.Policy, []Reason{reason}, false)
	}
}
if ec.OsiApproved && l.IsSPDX() {
	if !l.IsOsiApproved {
		return NewLicenseEvaluation(l, pkg, ec.Policy, []Reason{{
			Detail:   ReasonLicenseDeniedOSI,
			RuleName: RuleNameNotOSIApproved,
		}}, false)
	}
}
if denied, rule := ec.Policy.IsDenied(l, pkg); denied {
	var reason Reason
	if rule != nil {
		reason = Reason{
			Detail:   ReasonLicenseDeniedPolicy,
			RuleName: rule.Name,
		}
	}
	return NewLicenseEvaluation(l, pkg, ec.Policy, []Reason{reason}, false)
}
```

I believe `ec.CheckNonSPDX` should be passed to `ec.Policy.IsDenied(l, pkg)`, but I do not know what the expected behavior is. If indeed the previous code was invalid, then it could be handled in another PR.

Collaborator

I can take this on and move `ec.CheckNonSPDX` into the `ec.Policy.IsDenied`

The previous code was invalid.

spiffcs (Collaborator) commented Oct 3, 2024

@NyanKiyoshi thank you so much for the PR - I'm working on getting #124 integrated and will then come back here, answer questions, and get this shaped up and ready for merge

@spiffcs spiffcs self-assigned this Oct 3, 2024
spiffcs (Collaborator) commented Oct 3, 2024

Cleaning up this PR and responding to @NyanKiyoshi questions and getting it incorporated into the next release.

Thank you so so much @NyanKiyoshi for the contribution here

Signed-off-by: Christopher Phillips <[email protected]>
Signed-off-by: Christopher Phillips <[email protected]>
Signed-off-by: Christopher Phillips <[email protected]>
@spiffcs spiffcs marked this pull request as ready for review October 3, 2024 18:16
@spiffcs spiffcs merged commit 32c4643 into anchore:main Oct 3, 2024
3 checks passed
@NyanKiyoshi NyanKiyoshi deleted the feature/support-allowlists branch October 4, 2024 06:59
NyanKiyoshi (Contributor, Author)

Thank you @spiffcs!

Successfully merging this pull request may close these issues.

No way to deny all licenses while allowing specific ones