Inconsistency of declared-licenses_processed in result.yml and reports like Webapp / evaluated-model.json

[MNesche]

Describe the bug

If there is multiple declared licenses in a package, separated by comma, the result.yml of ORT declares an OR-Operator in declared_licenses_processed.
The report of the same result file, overwrites this value and declares an AND-Operator instead.
This leads to unnecessary license incompatibilities.

To Reproduce

Steps to reproduce the behavior:

1. Do a full ORT run with a package that got multiple licenses declared, i.e. Maven:org.glassfish.jersey.core:jersey-common:3.0.15
   (Apache License, 2.0, EPL 2.0, Public Domain, The GNU General Public License (GPL), Version 2, With Classpath Exception)
2. Check the result.yml under declared_licenses_processed for this package.
   The value will be: "Apache-2.0 OR EPL-2.0 OR GPL-2.0-only WITH Classpath-exception-2.0 OR LicenseRef-scancode-public-domain-disclaimer"
3. Do a report as Webapp or evaluated-model.json
4. See the Licenses for this package.
   The value will be: "Apache-2.0 AND EPL-2.0 AND LicenseRef-scancode-public-domain-disclaimer AND GPL-2.0-only WITH Classpath-exception-2.0"

Expected behavior

Same as in the result.yml, otherwise it's not consistent if the result.yml is the leading part in case of license declaration.
Apache-2.0 OR EPL-2.0 OR GPL-2.0-only WITH Classpath-exception-2.0 OR LicenseRef-scancode-public-domain-disclaimer

Console / log output

result.yml:

    - id: "Maven:org.glassfish.jersey.core:jersey-common:3.0.15"
      purl: "pkg:maven/org.glassfish.jersey.core/[email protected]"
      authors:
      - "Eclipse Foundation"
      - "Oracle Corporation"
      declared_licenses:
      - "Apache License, 2.0"
      - "EPL 2.0"
      - "Public Domain"
      - "The GNU General Public License (GPL), Version 2, With Classpath Exception"
      declared_licenses_processed:
        spdx_expression: "Apache-2.0 OR EPL-2.0 OR GPL-2.0-only WITH Classpath-exception-2.0\
          \ OR LicenseRef-scancode-public-domain-disclaimer"

evaluated-model.json:

    "id" : "Maven:org.glassfish.jersey.core:jersey-common:3.0.15",
    "is_project" : false,
    "definition_file_path" : "",
    "purl" : "pkg:maven/org.glassfish.jersey.core/[email protected]",
    "authors" : [ "Eclipse Foundation", "Oracle Corporation" ],
    "declared_licenses" : [ 41, 30, 44, 47 ],
    "declared_licenses_processed" : {
      "spdx_expression" : "Apache-2.0 AND EPL-2.0 AND LicenseRef-scancode-public-domain-disclaimer AND GPL-2.0-only WITH Classpath-exception-2.0",

Environment

Output of the ort requirements -l commands command:

<copy & paste console output to here; no screenshots please>

Or manually specify:

• ORT version: 30.0.0 but tested also with 42.0.0
• Java version: 21
• OS: Windows

And specify (relevant parts of) your ORT configuration (config.yml):

nothing specific

Additional context

In this file, there's a statement, why the Operator should be an OR instead of an AND:

ort/plugins/package-managers/maven/src/main/kotlin/utils/MavenParsers.kt

Lines 204 to 205 in dbca2e0

	// See http://maven.apache.org/ref/3.6.3/maven-model/maven.html#project which says: "If multiple licenses
	// are listed, it is assumed that the user can select any of them, not that they must accept all."