[bug] ClearlyDefined certifier failing on certain packages

[jeffmendoza]

Describe the bug

Sometimes get:

"unable to ingest document due to ingestion error clearlydefined : error assembling graphs for "clearlydefined" : ingestLicenses failed with error: IngestLicenses failed with error: input: ingestLicenses LicenseRef name provided without inline.\n"

To Reproduce

Have a package where ClearlyDefined returns "LicenseRef-scancode-public-domain" or other "LicenseRef..." for the declared or discovered license.

Additional context

• ClearlyDefined used to only use license identifiers on the SPDX License List and use "NOASSERTION" for any other license.
• GUAC Ontology is designed to support SPDX License identifiers as well as licenses not on the list using "LicensRef" and the full text of the license (this is how they are included in SPDX SBOMs). The GUAC gql server validates new License nodes upon insertion to the graph to make sure the full text is included if the identifier starts with "LicenseRef"
• The CD certifier expects all license identifiers to be SPDX identifiers and inserts them into the graph without validation.
• CD has now added new support for Scancode LicenseRef to support non-SPDX licenses.
• This means the CD certifier will now attempt to insert those directly, which fails with the message above.

Todo

• Short term: Have the CD certifier ignore license identifiers that start with "LicenseRef" and not try to create GUAC License nodes for those. The license expression strings can still contain those. Update CD certifier to ignore LicenseRef licenses #2134

• Later: Investigate the Scancode LicenseRef support in ClearlyDefined and determine how we can get the license text when those are found in CD definitions. Then, update the certifier to put that text into GUAC License nodes when "LicenseRef" identifiers are found.