Describe the Feature
In a discussion with @vargenau and his colleague, they mentioned that it would be nice to know known-unknowns in a container. This information is available from Tern but can sometimes be buried in the report. Proposal to make this information more clear.
Use Cases
When individuals are inventorying containers, it is helpful to understand the limits of Tern's analysis so that users can know what further analysis needs to be done.
Implementation Changes
Changes to the output reporting. Perhaps a list of known unknowns in the default report? Also changing the wording in other report formats to make it more clear that further analysis is required. Currently Tern reports say:
Unknown content included in layer {files}. Please analyze these files separately
or
Unknown content. Additional analysis may be required
@vargenau thoughts on this? What would be most helpful/clear?
Thank you for taking our request under consideration.
Currently, the messages are put in the PackageComment of each affected package.
It would be better to have them grouped in a separate section at the beginning of the SPDX file.
It could be:
in the DocumentComment field,
or in the PackageComment of the top-level package.
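A sketch of the grouping proposed in the comment above, added here as an example and not taken from Tern's code base: it scans an SPDX tag-value document for PackageComment notices that begin with "Unknown content" and collects them into one DocumentComment ahead of the first package. The sample document, package names, file path and summary wording are constructed assumptions.

```python
import re

# Constructed sample, not real Tern output: package names and the file path are made up.
SAMPLE_SPDX = """\
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: example-image
PackageName: example-image
SPDXID: SPDXRef-example-image
PackageName: example-pkg-a
PackageComment: <text>Unknown content included in layer /opt/app/bin/tool. Please analyze these files separately</text>
PackageName: example-pkg-b
PackageComment: <text>Built from a
pinned base image.</text>
PackageName: example-pkg-c
PackageComment: <text>Unknown content. Additional analysis may be required</text>
"""

# One tag-value pair; a <text>...</text> value may span several lines.
FIELD = re.compile(r"^(\w+): (<text>.*?</text>|[^\n]*)$", re.M | re.S)
MARKER = "Unknown content"  # both notice wordings quoted in the issue start with this

def known_unknowns(spdx_text):
    """Return [(package_name, notice)] for each PackageComment that flags unknown content."""
    found, current = [], None
    for tag, value in FIELD.findall(spdx_text):
        if value.startswith("<text>"):
            value = value[len("<text>"):-len("</text>")]
        value = " ".join(value.split())  # collapse line breaks inside multi-line values
        if tag == "PackageName":
            current = value
        elif tag == "PackageComment" and value.startswith(MARKER):
            found.append((current, value))
    return found

def with_document_comment(spdx_text):
    """Group the notices in one DocumentComment placed before the first package.
    Assumes the document has no DocumentComment yet."""
    items = known_unknowns(spdx_text)
    if not items:
        return spdx_text
    body = "\n".join(["Known unknowns, further analysis required:"]
                     + [f"- {name}: {notice}" for name, notice in items])
    first_pkg = re.search(r"^PackageName:", spdx_text, re.M)
    pos = first_pkg.start() if first_pkg else len(spdx_text)
    return spdx_text[:pos] + f"DocumentComment: <text>{body}</text>\n" + spdx_text[pos:]

if __name__ == "__main__":
    print(with_document_comment(SAMPLE_SPDX))
```

The per-package comments are left in place, so a consumer reading either the document header or an individual package sees the same notice.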