Support all allowed SPDX output formats

[stefan6419846]

Short Description

Scancode Toolkit should support all allowed SPDX output formats.

Possible Labels

• new feature
• sbom

Select Category

• [x] Enhancement
• [ ] Add License/Copyright
• [ ] Scan Feature
• [ ] Packaging
• [ ] Documentation
• [ ] Expand Support
• [x] Other

Describe the Update

At the moment, the default SPDX output options are limited to Tag/Value and RDF, while version 2.2.2 allows at least JSON, XML and YAML as well: https://spdx.github.io/spdx-spec/v2.2.2/conformance/#44-standard-data-format-requirements (It mentions Excel spreadsheets as well, but I do not really have a use case for it.)

How This Feature will help you/your organization

SPDX uses a standardized file format supported by many application. I consider JSON and YAML more readable than Tag/Value or RDF.

Possible Solution/Implementation Details

Add output support for JSON, XML and YAML.

[mjherzog]

The SPDX output options should also specify the SPDX version - I am not sure whether the current output is for SPDX 2.2 or 2.3.

[mjherzog]

See also https://github.com/aboutcode-org/scancode-toolkit/issues/3698

[stefan6419846]

According to the code, the current version is SPDX 2.2: https://github.com/aboutcode-org/scancode-toolkit/blob/6e4293750b1b2d9104ee621335dc113d1b27b4b6/src/formattedcode/output_spdx.py#L185 https://github.com/aboutcode-org/scancode-toolkit/blob/6e4293750b1b2d9104ee621335dc113d1b27b4b6/src/formattedcode/output_spdx.py#L215 It seems like I can change the parameter to whatever I want with the only effect being that the header field is different, while apparently ignoring all specific aspects of the corresponding version.