#2009 added the possibility to manually annotate sources with additional source provenance information that isn't part of the source configuration, such as the home page and the issue tracker. As part of the https://gitlab.com/BuildStream/buildstream-sbom/ project, we're trying to use the source provenance information to generate SPDX SBoMs for buildstream projects. These manual annotations look like a good starting point to add more information to the SBoM.
I've looked into the SPDX package information specification for what would be good to include. Here is the list and my comments on it:
- name -> currently guessing it in buildstream-sbom, we should have a way for a user to override a bad guess
- SPDX identifier -> spdx specific, generated by buildstream-sbom. Not needed.
- version -> already have a way to guess and override the guess.
- file name -> I think this can safely be extracted from the current url
- supplier / originator -> we want this
- download location -> currently provided by the URL
- Files analyzed -> spdx document specific, not needed
- verification code -> to be computed by the spdx generator, not needed
- checksum -> we already have SHA256 where it makes sense, doesn't make sense to compute the other checksums
- home page -> added by PR 2009
- Source information -> free form field, probably doesn't make sense to have it
- Concluded license -> we should probably add it
- licenses information from files -> Should be obtained by running a license checker, not needed
- Declared license -> we should probably add it
- Comments on license -> free form field, probably not needed
- Copyright text -> I don't know. Seems useful, maybe we should have it.
- summary description -> Not sure, could probably have a single description for both this and the next one
- detailed description -> see above
- comment -> probably doesn't make sense to have
- External reference -> Can have multiple different types of external references. They are listed in a different page: https://spdx.github.io/spdx-spec/v2.3/external-repository-identifiers/. Useful, but it's too complicated to deal with. This is probably where we would stuff the git repository as requested by Store marked directories in Artifact proto #2093
- External reference comment -> another free form field, not needed.
- attribution text -> similar to copyright text, but can be used for a notice required by the license.
- Primary Package Purpose -> Not sure it makes a lot of sense given the way we're dealing with sources
- Release Date / Built Date / Valid Until Date -> probably not
Please let me know what you think.
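As an added illustration (not code from BuildStream or buildstream-sbom), the following sketch shows how the fields discussed above could be filled from a source's URL, its SHA256 ref and manual provenance annotations, with guessed values overridable and unannotated fields left as the SPDX `NOASSERTION` value. The input record shape, the annotation key names and the sample data are assumptions constructed for the example.

```python
from urllib.parse import urlparse
from posixpath import basename

NOASSERTION = "NOASSERTION"  # SPDX value meaning "no claim is made"


def package_file_name(url):
    """File name is the last path component of the download URL."""
    return basename(urlparse(url).path)


def guess_name_and_version(url):
    """Guess name/version from an archive name like libfoo-1.4.2.tar.xz."""
    stem = package_file_name(url)
    for ext in (".tar.xz", ".tar.gz", ".tar.bz2", ".zip", ".tar"):
        if stem.endswith(ext):
            stem = stem[: -len(ext)]
            break
    name, sep, version = stem.rpartition("-")
    if sep and version and version[0].isdigit():
        return name, version
    return stem, None  # no version component found


def spdx_package(record, overrides=None):
    """Build an SPDX 2.3 package dict; user overrides beat guessed values."""
    overrides = overrides or {}
    guessed_name, guessed_version = guess_name_and_version(record["url"])
    ann = record.get("provenance", {})  # assumed manual annotation keys
    pkg = {
        "name": overrides.get("name", guessed_name),
        "versionInfo": overrides.get("version", guessed_version) or NOASSERTION,
        "packageFileName": package_file_name(record["url"]),
        "downloadLocation": record["url"],
        "filesAnalyzed": False,  # sources are not analyzed file by file here
        "supplier": ann.get("supplier", NOASSERTION),
        "homepage": ann.get("homepage", NOASSERTION),
        "licenseConcluded": ann.get("license-concluded", NOASSERTION),
        "licenseDeclared": ann.get("license-declared", NOASSERTION),
        "copyrightText": ann.get("copyright", NOASSERTION),
    }
    if record.get("sha256"):  # only the checksum the source already carries
        pkg["checksums"] = [{"algorithm": "SHA256", "checksumValue": record["sha256"]}]
    return pkg


# Constructed sample record (not a real BuildStream project file)
SAMPLE = {
    "url": "https://example.org/releases/libfoo-1.4.2.tar.xz",
    "sha256": "0" * 64,  # placeholder digest, not a real hash
    "provenance": {
        "homepage": "https://example.org/libfoo",
        "supplier": "Organization: Example Project",
        "license-declared": "LGPL-2.1-or-later",
        "copyright": "Copyright 2023 Example Project contributors",
    },
}
```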