evaluator: Introduce the option to evaluate a licenseRule for all license sources at once

[fviernau]

See individual commits.

This is howit looks if new API is used. But migration is not necessary as its backwards compatible, it
also shows how to combine sources for one rule: oss-review-toolkit/ort-config#370.

Here you can see how the combined license soure violation is rendered in static-html reports:

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 57.43%. Comparing base (08e631b) to head (72fa425).
⚠️ Report is 4 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff            @@
##               main   #11154   +/-   ##
=========================================
  Coverage     57.43%   57.43%           
- Complexity     1701     1703    +2     
=========================================
  Files           346      346           
  Lines         12845    12845           
  Branches       1222     1222           
=========================================
  Hits           7378     7378           
  Misses         4994     4994           
  Partials        473      473           

Flag	Coverage Δ
funTest-external-tools	13.66% <ø> (ø)
funTest-no-external-tools	31.07% <ø> (+0.09%)	⬆️
test-ubuntu-24.04	42.46% <ø> (ø)
test-windows-2025	42.44% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[sschuberth]

I like the general idea of this change.

[sschuberth]

Nit: I'm unsure about the "to evaluate the license for" part. No one forces the rule to actually look at / evaluate the license sources. I think it should rather say "The sources where this particular license was found".

[fviernau]

I believe "The sources where this particular license was found" is mis-leading:

1. The above resolvedLicense.source is actually the set of sources
   where the license was found.
2. And licenseSources in fact are the
   sources which shall be considered by the license rule.

Does this make more sense now?

[sschuberth]

Do we even need this configurability? Why not make the new the default, and require rule users to manually create multiple violations from this rule (one violation per source) if needed?

[fviernau]

This is needed for:

1. Backwards compatibility
2. I believe separate violations per source to be very valuable and should be still supported in
   the same simple way as before.

[sschuberth]

Personally, I would be fine with omitting this and having a breaking change, and clearly documenting the migration path as part of the release notes.

[fviernau]

Do you mean only this property, or the entire commit?

(Would you also be ok, with marking it as deprected now, and removing it later? This would allow a smooth transition outside of the critical path of upgrading ORT.)

[sschuberth]

Do you mean only this property, or the entire commit?

I was referring to the entire commit.

Would you also be ok, with marking it as deprected now, and removing it later?

Yes. I was just trying to say that this additional work would not be required from my side.

[fviernau]

I ended up not deprecating this property, because the separate per source evaluation / single source per license rule or violation is still a valid (and in my opinion even the preferred) use case. In that case using that property is a bit simpler.

[tsteenbe]

Agree with @fviernau we don't want to get rid of per license source evaluator per rule we just want to offer ORT user more power/flexibility to define rules that match their organization's open source policies.