Question about how cdxgen resolves licenses

[evgovch-tf]

TL;DR: Why does cdxgen discard all resolved license IDs/names when license expressions are found?

According to CycloneDX 1.5 and 1.6 JSON format, "licenses" field must be ONE (exclusive 'or') of the two:

1. A list of SPDX and/or named licenses:

       {
          "license": {
              "id": SPDX license ID
              ...
          }
       }
   

   or

       {
           'license': {   
               'name': license name if SPDX does not define license used
               ...
           }
       }
   

2. ONE SPDX license expression:

    {
       'expression': SPDX license expression (may be compound)
    }
   

I saw, cdxgen tries to comply to this format as follows.

• [step 1]. For each found dependency, find its license candidates.
• [step 2] Try to resolve each license candidate to a SPDX license ID/name or compound SPDX license expression: https://github.com/CycloneDX/cdxgen/blob/master/lib/helpers/utils.js#L924-L962
• [step 3] Generate "licenses" field (https://github.com/CycloneDX/cdxgen/blob/master/lib/helpers/utils.js#L882-L909):
  - [step 3.a] If there are any SPDX license expressions resolved: combine them to one compound license expression ("license_exp1 OR license_exp2 OR..."). All resolved license IDs/names are discarded.
  - [step 3.b] If there are no SPDX license expressions resolved, make a list of "license" elements as described in CycloneDX format.

I'm curious why cdxgen discards license IDs/names when license expression is detected. This question is inspired by the following example.

docutils 0.19 has the following license info on PyPI (pypi.org/pypi/docutils/0.19/json):

"License :: OSI Approved :: BSD License","License :: OSI Approved :: GNU General Public License (GPL)","License :: OSI Approved :: Python Software Foundation License","License :: Public Domain"
and
"license":"public domain, Python, 2-Clause BSD, GPL 3 (see COPYING.txt)"

• [step 1] cdxgen detects these license candidates and generates the list
      

• [step 2] cdxgen resolves this list of license candidates to the list of license IDs/names and license expressions

     [
         {
             'license': {
                 'id': '0BSD'
                 'url': 'https://opensource.org/licenses/0BSD'
             }
         },
         {
             'license': {
                 'id': 'GPL-1.0-only'
                 'url': 'https://opensource.org/licenses/GPL-1.0-only'
             }
         },
         {
             'license': {
                 'id': 'PSF-2.0'
                 'url': 'https://opensource.org/licenses/PSF-2.0'
             }
         },
         {
             'expression': 'Public Domain'
         },
         {
             'expression': 'public domain, Python, 2-Clause BSD, GPL 3 (see COPYING.txt)'
         }
     ]
  

• [step 3.a] There are license expressions. So, cdxgen combines them into the following result in the generated SBOM. License IDs 0BSD, GPL-1.0-only and PSF-2.0 are not used.

[prabhu]

Sounds like a good improvement. Could you kindly share a PR to also include the resolved license ids?