About using SPDX to handle license and copyright in VTK

We recently improved a bit how licenses are handled in ParaView and VTK, and now third party licenses are easily listed, module by module, in the install directory of VTK.

While this is a great improvement, we need to look further, into the use of SPDX license identifiers, not only to remove the header in every single VTK source file but also to be able to generate an SBOM associated with a compiled version of VTK.

The idea is to (optionally) integrate SPDX generation into the build system of VTK.
When building a VTK module, the spdx headers of each file used to build the module will be parsed in order to create a .spdx file for the module.

Once all the .spdx files are created, tools to merge sbom could be used to merge all .spdx into one.

In essence, here is what a .spdx file looks like:

And here is what I think we should be able to produce:

```
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: VTK
DocumentNamespace: https://gitlab.kitware.com/vtk/vtk/
Creator: Person: ?
Creator: Tool: ?
Creator: Tool: ?
Created: ?

##### Package: IOEnsight

PackageName: IOEnsight
SPDXID: SPDXRef-Package-IOEnsight
PackageDownloadLocation: git+https://gitlab.kitware.com/vtk/vtk/#IO/Ensight
FilesAnalyzed: ?
PackageVerificationCode: ?
PackageLicenseConcluded: $computed from info below$
PackageLicenseInfoFromFiles: $computed from licenses declared in files$
PackageLicenseDeclared: $provided by vtk.module$
PackageCopyrightText: $provided by vtk.module$

Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-IOEnsight

FileName: /build/libvtkIOEnsight.so
SPDXID: SPDXRef-Package-IOEnsight-binary
FileType: BINARY
FileChecksum: SHA1: ?
FileChecksum: SHA256: ?
FileChecksum: MD5: ?
LicenseConcluded: $Same as PackageLicenseConcluded above$
LicenseInfoInFile: NOASSERTION
FileCopyrightText: NOASSERTION

FileName: /src/IO/Ensight/vtkEnsightReader.cxx
SPDXID: SPDXRef-Package-IOEnsight-src
FileType: SOURCE
FileChecksum: SHA1: ?
FileChecksum: SHA256: ?
FileChecksum: MD5: ?
LicenseConcluded: $from file spdx header$
LicenseInfoInFile: $from file spdx header$
FileCopyrightText: $from file spdx header$

FileName: /src/IO/Ensight/vtkEnsightReader.h
SPDXID: SPDXRef-Package-IOEnsight-header
FileType: SOURCE
FileChecksum: SHA1: ?
FileChecksum: SHA256: ?
FileChecksum: MD5: ?
LicenseConcluded: $from file spdx header$
LicenseInfoInFile: $from file spdx header$
FileCopyrightText: $from file spdx header$

Relationship: SPDXRef-Package-IOEnsight-binary GENERATED_FROM SPDXRef-Package-IOEnsight-header
Relationship: SPDXRef-Package-IOEnsight-binary GENERATED_FROM SPDXRef-Package-IOEnsight-src
```

I did not include information about the build tool (CMakeLists, vtk.module), but this would still be possible I suppose.

This is very rough for now, but let me know your thoughts.
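
The per-module step proposed above (parse each source file's SPDX header, then derive the file and package fields) can be sketched as follows. This is an added example, not part of the original post and not VTK's build code. The function names and sample file contents are hypothetical, and it assumes files carry `SPDX-License-Identifier` and `SPDX-FileCopyrightText` tags within their first 20 lines. It emits only the fields that can be derived from the sources and reports files that have no license tag.

```python
import hashlib
import re

TAG_RE = re.compile(r"SPDX-(License-Identifier|FileCopyrightText):[ \t]*(.*)")

def parse_header(text, max_lines=20):
    """Return (license expression or None, copyright text) from a file's first lines."""
    lic, copyrights = None, []
    for line in text.splitlines()[:max_lines]:
        m = TAG_RE.search(line)
        if m and m.group(1) == "License-Identifier":
            lic = lic or m.group(2).rstrip("*/ \t")  # drop a closing C comment
        elif m:
            copyrights.append(m.group(2).rstrip("*/ \t"))
    return lic, "\n".join(copyrights)

def license_ids(expr):
    """License ids named in an expression; operators and WITH exceptions are skipped."""
    expr = re.sub(r"\bWITH\s+[^\s()]+", " ", expr)
    return set(re.findall(r"[A-Za-z0-9.+:-]+", expr)) - {"AND", "OR"}

def module_spdx(module, sources):
    """sources maps path -> bytes. Returns (tag-value text, paths with no license tag)."""
    body, sha1s, found, missing = [], [], set(), []
    for path, data in sorted(sources.items()):
        lic, cpr = parse_header(data.decode("utf-8", "replace"))
        ids = sorted(license_ids(lic or ""))
        found.update(ids)
        missing += [] if lic else [path]  # report unlabelled files instead of guessing
        sha1s.append(hashlib.sha1(data).hexdigest())
        body += ["", "FileName: " + path,
                 "SPDXID: SPDXRef-%s-%s" % (module, re.sub(r"[^A-Za-z0-9.]+", "-", path)),
                 "FileType: SOURCE", "FileChecksum: SHA1: " + sha1s[-1],
                 "FileChecksum: SHA256: " + hashlib.sha256(data).hexdigest(),
                 "LicenseConcluded: " + (lic or "NOASSERTION")]
        body += ["LicenseInfoInFile: " + i for i in ids or ["NOASSERTION"]]
        body.append("FileCopyrightText: " + ("<text>%s</text>" % cpr if cpr else "NOASSERTION"))
    # SPDX 2.2 verification code: SHA1 over the sorted, concatenated file SHA1s.
    code = hashlib.sha1("".join(sorted(sha1s)).encode()).hexdigest()
    head = ["PackageName: " + module, "SPDXID: SPDXRef-Package-" + module,
            "FilesAnalyzed: true", "PackageVerificationCode: " + code]
    head += ["PackageLicenseInfoFromFiles: " + i for i in sorted(found) or ["NOASSERTION"]]
    return "\n".join(head + body) + "\n", missing

# Constructed sample input, not real VTK file contents.
SAMPLE = {
    "IO/Ensight/a.h": b"// SPDX-FileCopyrightText: Example Authors\n// SPDX-License-Identifier: MIT\n",
    "IO/Ensight/a.cxx": b"/* SPDX-License-Identifier: BSD-3-Clause AND MIT */\n",
    "IO/Ensight/old.cxx": b"// no SPDX header\n",
}
```

Calling `module_spdx("IOEnsight", SAMPLE)` returns the tag-value fragment plus the list of files lacking a license tag, which a build step could turn into a warning or a hard failure.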