
Conversion from SPDX leads to invalid SBOM due to empty licenses #404

@andreas-hilti

Description

  • Download the SBOM from here: https://github.com/CycloneDX/cyclonedx-cli/network/dependencies
  • Convert it to the CycloneDX format: cyclonedx.exe convert --input-format spdxjson --input-file CycloneDX_cyclonedx-cli_3fc5de.json --output-format json --output-file CycloneDX_cyclonedx-cli_3fc5de_out.json
  • Run a validate: cyclonedx-win-x64.exe validate --input-file CycloneDX_cyclonedx-cli_3fc5de_out.json

Leads to

Validation failed:
Expected 1 matching subschema but found 0
http://cyclonedx.org/schema/bom-1.6.schema.json#/definitions/licenseChoice
On instance: /components/0/licenses:
[
        {}
      ]
[...]
Required properties ["license"] are not present
http://cyclonedx.org/schema/bom-1.6.schema.json#/oneOf/0/items
On instance: /components/0/licenses/0:
{}
Required properties ["expression"] are not present
http://cyclonedx.org/schema/bom-1.6.schema.json#/oneOf/1/items/0
On instance: /components/0/licenses/0:
{}
[...]
Unable to validate against any JSON schemas.
BOM is not valid.

because the converted BOM has many instances of

      "licenses": [
        {}
      ],

(The fact that licenses are not converted is a different story, but it should at least result in a valid BOM.)
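To detect the broken output described above before it reaches a validator, the following added example (not part of the issue or of cyclonedx-cli) mirrors the bom-1.6 licenseChoice constraint quoted in the validator output and strips the empty `{}` entries; the sample BOM is constructed to reproduce the shape of the converted output, not the real file.

```python
"""Check a CycloneDX JSON BOM for the empty licenses[] entries described above and strip them."""
import json

# Constructed sample mimicking what the SPDX -> CycloneDX conversion produced (not the real BOM).
SAMPLE_BOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.6",
    "components": [
        {"type": "library", "name": "a", "licenses": [{}]},
        {"type": "library", "name": "b", "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "c", "licenses": [{"expression": "MIT OR Apache-2.0"}]},
        {"type": "library", "name": "d", "licenses": [{}, {"license": {"name": "Custom"}}]},
    ],
})

def licenses_are_valid(licenses):
    """Mirror the bom-1.6 licenseChoice oneOf from the validator output: either every
    item is a {"license": ...} object, or the array holds exactly one {"expression": ...}
    item. An empty object {} satisfies neither branch, which is why [{}] fails."""
    if not isinstance(licenses, list):
        return False
    if all(isinstance(i, dict) and "license" in i and "expression" not in i for i in licenses):
        return True
    return (len(licenses) == 1 and isinstance(licenses[0], dict)
            and "expression" in licenses[0] and "license" not in licenses[0])

def find_invalid_license_arrays(bom):
    """Return JSON-pointer paths of every component licenses[] array failing the check."""
    return [f"/components/{i}/licenses" for i, comp in enumerate(bom.get("components", []))
            if "licenses" in comp and not licenses_are_valid(comp["licenses"])]

def strip_empty_license_entries(bom):
    """Drop {} items from each licenses[]; delete the key when nothing remains, since an
    absent 'licenses' is valid while [{}] is not. Returns the same (mutated) bom."""
    for comp in bom.get("components", []):
        kept = [i for i in comp.get("licenses", []) if i != {}]
        if "licenses" in comp:
            if kept:
                comp["licenses"] = kept
            else:
                del comp["licenses"]
    return bom

def clean_bom_json(text):
    """Parse, record which arrays were invalid, strip, and return (cleaned_bom, paths)."""
    bom = json.loads(text)
    bad = find_invalid_license_arrays(bom)  # must run before stripping mutates the bom
    return strip_empty_license_entries(bom), bad
```

Only top-level components are walked; nested components and the metadata component would need the same treatment.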
