[spdx] Replace CMake variables in vcpkg_download_distfile()

[Thomas1664]

Partially fixes microsoft/vcpkg#44188
Fixes microsoft/vcpkg#44040

[Thomas1664]

@BillyONeal I'm not sure how to handle the path issue:

From microsoft/vcpkg#44188 (comment):

Also, Paths are also invalid:

"fileName": ".//home/igor/development/vcpkg/vcpkg_original/ports/bzip2/bzip2.pc.in",

The code expects relative paths:

vcpkg-tool/src/vcpkg/spdx.cpp

Lines 381 to 386 in d034830

	const auto& path = relative_paths[i];
	const auto& hash = hashes[i];
	auto& obj = files.push_back(Json::Object());
	obj.insert(SpdxFileName, "./" + path.generic_u8string());
	const auto ref = fmt::format("SPDXRef-file-{}", i);

but we feed in absolute paths by including the port directory:

vcpkg-tool/src/vcpkg/commands.build.cpp

Line 1247 in d034830

const auto& abs_port_file = files.emplace_back(port_dir / port_file);

vcpkg-tool/src/vcpkg/commands.build.cpp

Line 1331 in d034830

abi_info.relative_port_files = std::move(files);

vcpkg-tool/src/vcpkg/commands.build.cpp

Lines 934 to 938 in d034830

	fs.write_contents_and_dirs(
	json_path,
	create_spdx_sbom(
	action, abi.relative_port_files, abi.relative_port_hashes, now, doc_ns, std::move(heuristic_resources)),
	VCPKG_LINE_INFO);

However, I think we should be using absolute paths because we might lose the information of where a file comes from in case of overlay ports.

On the other hand, absolute paths are invalid after downloading from a binary cache on different machines.

[BillyONeal]

On the other hand, absolute paths are invalid after downloading from a binary cache on different machines.

Right, this is why the paths have to be relative.

However, I think we should be using absolute paths because we might lose the information of where a file comes from in case of overlay ports.

That's why the SHAs of the files are also in the SPDX. It isn't there's a hard link between any particular absolute path and anything else, any more than there is between that relative path and anything else.

[BillyONeal]

Can you add a test? Would merge this with one.

[Thomas1664]

Can you add a test? Would merge this with one.

Hi @BillyONeal,

I added a unit test to check the correct replacement of ${VERSION} in all CMake functions and to ensure that all instances of those functions are found.

As you proposed, I didn't fix the absolute path issue mentioned in microsoft/vcpkg#44188. Therefore, plese don't close that issue yet - I will fix the absolute path issue in a different PR.