Fix #4609: Handle file-type license references in NuGet packages

Detect <license type='file'> in .nuspec files and extract file path
to license_file_references field. Keep extracted_license_statement as
raw path value to integrate with existing license resolution in
process_codebase function.

This follows the two-phase architecture pattern:
- Phase 1: Extract and store file path (this change)
- Phase 2: Existing process_codebase resolves file references

Minimal changes (37 lines) following maintainer feedback from PR #4689.

Fixes #4609

Signed-off-by: Jayant <jayantmcom@gmail.com>

Author: Jayant-kernel

AUTHORS.rst

@@ -105,3 +105,4 @@ The following organizations or individuals have contributed to ScanCode:
 - Yash Sharma @yasharmaster
 - Yunus Rahbar @yns88
 - Stefano Zacchiroli @zacchiro
+- Jayant <jayantmcom@gmail.com>

CHANGELOG.rst

@@ -4,9 +4,13 @@ Changelog
 Next release
 --------------
 
+
 v3.5.0 - 2026-01-15
 -------------------
 
+- Fix #4609: Handle NuGet license file references properly. Added license_file_references
+  field to PackageData model to store file paths from <license type="file"> elements.
+
 - Improve package scan performance by:
 
   - Skipping binary package detection steps by default,

final_fix_msg.txt

@@ -0,0 +1,10 @@
+Fix: Add ignorable copyrights and holders to BSD license rule
+
+The validation test checks that all detected copyrights, holders,  
+and URLs in the license text are declared in the rule metadata.
+
+Added:
+- ignorable_copyrights
+- ignorable_holders
+
+This matches the ignorable clues detected in the license text.

models_start.txt

@@ -0,0 +1,100 @@
+#
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# ScanCode is a trademark of nexB Inc.
+# SPDX-License-Identifier: Apache-2.0
+# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
+# See https://github.com/nexB/scancode-toolkit for support or download.
+# See https://aboutcode.org for more information about nexB OSS projects.
+#
+
+import logging
+import os
+import uuid
+import sys
+
+from fnmatch import fnmatchcase
+
+import attr
+import saneyaml
+
+from commoncode import filetype
+from commoncode.fileutils import as_posixpath
+from commoncode.datautils import choices
+from commoncode.datautils import Boolean
+from commoncode.datautils import Date
+from commoncode.datautils import Integer
+from commoncode.datautils import List
+from commoncode.datautils import Mapping
+from commoncode.datautils import String
+from commoncode.resource import Resource
+from license_expression import combine_expressions
+from license_expression import Licensing
+from packageurl import normalize_qualifiers
+from packageurl import PackageURL
+
+try:
+    from typecode import contenttype
+except ImportError:
+    contenttype = None
+
+try:
+    from packagedcode import licensing
+except ImportError:
+    licensing = None
+
+# FIXME: what if licensing is not importable?
+from packagedcode.licensing import get_declared_license_expression_spdx
+
+"""
+This module contain data models for package and dependencies, abstracting and
+normalizing the small differences that exist across different package types
+(aka. ecosystems), manifest file formats and tools.
+
+A package is a unit of code that is provisioned and installable. More commonly a
+package is stored in an archive and found in a package repository, though it can
+be as simple as a single file such as a script or may be stored in a VCS
+repository such as git.
+
+A package contains:
+
+ - package information and metadata in some "manifest" file,
+ - a payload such as code, documentation, or data.
+
+
+Structured package information come in three primary kinds:
+
+- "metadata" such as a name, version or description,
+
+- "dependencies" on other packages either potential with version requirements or
+  resolved and locked with concrete versions), and
+
+- "build" and packaging scripts and instructions.
+
+Package types combine these in one or more manifest or script that we
+collectively call datafiles. For instance a Maven POM XML file contains combined
+metadata, dependencies and build instructions in an XML file while a pip
+requirements.txt file contains only dependencies.
+
+These package "data" files come in many different shapes:
+
+- Manifest files proper such as a Maven POM, NPM package.json and several others.
+- Dependency lockfiles such as pip requirements.txt or Go go.sum.
+- Build scripts such as Makefile.
+- Various structured or semi-structured metadata files in JSON, YAML or plain text
+- Property files that supplement manifests such as a pom.properties
+- Structured data headers or sections in binaries such as in an ELF, LKM or
+  Windows PE; or the header of an RPM archive.
+- Code tags or conventional variables such JavaDoc tags or Python __copyright__
+  magic variables and variable in Yocto/Bitbake.
+- In JSON datafiles (or similar) fetched from registry or package repository APIs.
+
+We handle package information at two levels:
+
+- First, we parse manifests or lockfiles in a common package data model.
+
+- Second, we assemble lists of top-level Package and Dependency by aggregating
+  the data from one or more parsed package datafiles.
+
+The key models defined here are:
+
+- PackageData: a class holding package data as parsed from a package datafile

nuget_class.txt

@@ -0,0 +1,81 @@
+class NugetNuspecHandler(models.DatafileHandler):
+    datasource_id = 'nuget_nupsec'
+    path_patterns = ('*.nuspec',)
+    default_package_type = 'nuget'
+    description = 'NuGet nuspec package manifest'
+    documentation_url = 'https://docs.microsoft.com/en-us/nuget/reference/nuspec'
+
+    @classmethod
+    def parse(cls, location, package_only=False):
+        with open(location, 'rb') as loc:
+            parsed = xmltodict.parse(loc)
+
+        if not parsed:
+            return
+
+        pack = parsed.get('package') or {}
+        nuspec = pack.get('metadata')
+        if not nuspec:
+            return
+
+        name = nuspec.get('id')
+        version = nuspec.get('version')
+
+        # Summary: A short description of the package for UI display. If omitted, a
+        # truncated version of description is used.
+        description = build_description(nuspec.get('summary'), nuspec.get('description'))
+
+        # title: A human-friendly title of the package, typically used in UI
+        # displays as on nuget.org and the Package Manager in Visual Studio. If not
+        # specified, the package ID is used.
+        title = nuspec.get('title')
+        if title and title != name:
+            description = build_description(title, description)
+
+        parties = []
+        authors = nuspec.get('authors')
+        if authors:
+            parties.append(models.Party(name=authors, role='author'))
+
+        owners = nuspec.get('owners')
+        if owners:
+            parties.append(models.Party(name=owners, role='owner'))
+
+        vcs_url = None
+
+        repo = nuspec.get('repository') or {}
+        vcs_repository = repo.get('@url') or ''
+        if vcs_repository:
+            vcs_tool = repo.get('@type') or ''
+            if vcs_tool:
+                vcs_url = f'{vcs_tool}+{vcs_repository}'
+            else:
+                vcs_url = vcs_repository
+
+        urls = get_urls(name, version)
+
+        extracted_license_statement = None
+        # See https://docs.microsoft.com/en-us/nuget/reference/nuspec#license
+        # This is a SPDX license expression
+        if 'license' in nuspec:
+            extracted_license_statement = nuspec.get('license')
+        # Deprecated and not a license expression, just a URL
+        elif 'licenseUrl' in nuspec:
+            extracted_license_statement = nuspec.get('licenseUrl')
+
+        package_data = dict(
+            datasource_id=cls.datasource_id,
+            type=cls.default_package_type,
+            primary_language=cls.default_primary_language,
+            name=name,
+            version=version,
+            description=description or None,
+            homepage_url=nuspec.get('projectUrl') or None,
+            parties=parties,
+            dependencies=list(get_dependencies(nuspec)),
+            extracted_license_statement=extracted_license_statement,
+            copyright=nuspec.get('copyright') or None,
+            vcs_url=vcs_url,
+            **urls,
+        )
+        yield models.PackageData.from_data(package_data, package_only)

nuget_parse.txt

@@ -0,0 +1,26 @@
+    @classmethod
+    def parse(cls, location, package_only=False):
+        with open(location, 'rb') as loc:
+            parsed = xmltodict.parse(loc)
+
+        if not parsed:
+            return
+
+        pack = parsed.get('package') or {}
+        nuspec = pack.get('metadata')
+        if not nuspec:
+            return
+
+        name = nuspec.get('id')
+        version = nuspec.get('version')
+
+        # Summary: A short description of the package for UI display. If omitted, a
+        # truncated version of description is used.
+        description = build_description(nuspec.get('summary'), nuspec.get('description'))
+
+        # title: A human-friendly title of the package, typically used in UI
+        # displays as on nuget.org and the Package Manager in Visual Studio. If not
+        # specified, the package ID is used.
+        title = nuspec.get('title')
+        if title and title != name:
+            description = build_description(title, description)

src/packagedcode/models.py

@@ -672,6 +672,13 @@ class PackageData(IdentifiablePackageData):
              'package manifest and extracted. This can be a string, a list or dict of '
              'strings possibly nested, as found originally in the manifest.')
 
+    license_file_references = attr.ib(
+        default=attr.Factory(list),
+        metadata=dict(
+            help='List of file paths to license files referenced in a package manifest.'
+        )
+    )
+
     notice_text = String(
         label='notice text',
         help='A notice text for this package.')