bug(cyclonedx): Trivy adds license ID/name and SPDX expression simultaneously for one component

[DmitriyLewen]

Description

License array should contains (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression) (see https://cyclonedx.org/docs/1.6/json/#components_items_licenses)

But Trivy may include both types.
e.g.:

        {
          "expression": "GPL-3.0-or-later WITH Texinfo-exception"
        },
        {
          "license": {
            "id": "GFDL-1.3-or-later"
          }
        },

Discussed in #9295

[nick1989Gr]

I am getting also an occurrence that looks like this:

     "licenses": [
        {
          "license": {
            "name": "GPL-3.0-or-later AND GPL-3.0-or-later WITH exceptions AND GPL-2.0-or-later WITH exceptions AND LGPL-2.0-or-later AND BSD-3-Clause"
          }
        }
      ],

So basically using the multiple licenses object and misussing the name to add a license expression instead of just a license name.

[dmpe]

I can also confirm this. As a result, our Nexus IQ pipeline has stopped working as we are using always latest trivy :) Had to downgrade to 0.64.1. for now.
My educated guess would be that the change come from #9042. Maybe @DmitriyLewen you could take a look please?

When using cyclonedx CLI tool, the newly created SBOM is also shown to be invalid.

Example:

Suppressed: org.cyclonedx.exception.ParseException: Line: 1, Column: 2, Path: $.components[280].licenses, Error: index '12' is not defined in the schema and the schema does not allow additional items

[DmitriyLewen]

Hello @nick1989Gr
GPL-3.0-or-later WITH exceptions is invalid SPDX Expression.
SPDX exception list doesn't have exceptions exception.
That is why we can't use license expression field.
This is not SPDX ID.
So we can use only License.Name field.

@dmpe I am working on this.