
Proper value to set in licenses annotation for licenses not in the SPDX License List

Open berney opened this issue 4 years ago • 0 comments

I want to know the correct value to set in the org.opencontainers.image.licenses label when the license is not in the SPDX License List.

I have an image whose license I want to be "Commons Clause based of LGPL-2.1", to match the license on a dependency (out of my control), where Commons Clause is https://commonsclause.com/.

annotations.md states:

> org.opencontainers.image.licenses: License(s) under which contained software is distributed as an SPDX License Expression.

My understanding of SPDX License Expressions is that they can refer to other licenses like this: LicenseRef-EternalSurrender. But if I set the label to LicenseRef-Commons-Clause-LGPL-2.1, this reference should be defined somewhere, but where? In another label, and if so, with what name?

Commons Clause was rejected by SPDX for addition as a license because it didn't meet their inclusion requirements guidelines, and it generally modifies a license. SPDX didn't add it to the Exceptions list either, because they only want to add things that remove requirements, not things that add more restrictions. So "LGPL-2.1 WITH Commons Clause" isn't a valid SPDX License Expression.

I know I can set the value to any string and not strictly follow either standard. As for the OCI Image Spec and SPDX, I think this scenario is either undefined, or I don't understand the specifications properly. I'd like to know how to annotate properly for licenses / conditions that aren't defined in SPDX, basically how to do external references in a correctly conforming way.

berney, Feb 04 '21 11:02
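Added example, not from this issue or the image-spec project: a syntax check for an org.opencontainers.image.licenses value against the SPDX license-expression grammar, using constructed stand-ins for the SPDX License List and Exceptions List (an assumption; a real check would load the full lists). It shows that LicenseRef-Commons-Clause-LGPL-2.1 is well-formed as an expression (where the reference must be defined is the open question above), while "LGPL-2.1 WITH Commons Clause" is rejected because Commons Clause is not an exception id.

```python
import re

# Constructed stand-ins for the SPDX License List and Exceptions List (assumption for this example).
KNOWN_LICENSES = {"LGPL-2.1", "MIT", "Apache-2.0"}
KNOWN_EXCEPTIONS = {"Classpath-exception-2.0"}

TOKEN = re.compile(r"\(|\)|[A-Za-z0-9.:+-]+")
IDSTRING = r"[A-Za-z0-9.-]+"
# SPDX grammar: license-ref := ["DocumentRef-"idstring":"] "LicenseRef-"idstring
LICENSE_REF = re.compile(rf"^(DocumentRef-{IDSTRING}:)?LicenseRef-{IDSTRING}$")

def tokenize(expr):
    # Anything left after removing well-formed tokens and whitespace is an illegal character.
    if TOKEN.sub("", expr).strip():
        raise ValueError("illegal characters in expression")
    return TOKEN.findall(expr)

def compound(toks):                        # primary (("AND"|"OR") primary)*  (parsed flat)
    primary(toks)
    while toks and toks[0] in ("AND", "OR"):
        toks.pop(0)
        primary(toks)

def primary(toks):                         # "(" compound ")" | simple ["WITH" exception-id]
    if not toks:
        raise ValueError("unexpected end of expression")
    tok = toks.pop(0)
    if tok == "(":
        compound(toks)
        if not toks or toks.pop(0) != ")":
            raise ValueError("missing ')'")
        return
    base = tok[:-1] if tok.endswith("+") else tok     # "id+" means "this version or later"
    if not (LICENSE_REF.match(tok) or base in KNOWN_LICENSES):
        raise ValueError(f"{tok!r} is neither an SPDX license id nor a LicenseRef-")
    if toks and toks[0] == "WITH":
        toks.pop(0)
        exc = toks.pop(0) if toks else None
        if exc not in KNOWN_EXCEPTIONS:
            raise ValueError(f"{exc!r} is not in the SPDX Exceptions List")

def check_licenses_annotation(value):
    """Return (ok, reason) for an org.opencontainers.image.licenses value."""
    try:
        toks = tokenize(value)
        compound(toks)
        if toks:
            raise ValueError(f"unexpected token {toks[0]!r}")
        return True, "syntactically valid SPDX license expression"
    except ValueError as e:
        return False, str(e)
```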