anchore / syft

CLI tool and library for generating a Software Bill of Materials from container images and filesystems
Apache License 2.0

CycloneDX License Encoding #1770

Open spiffcs opened 1 year ago

spiffcs commented 1 year ago

What would you like to be added: PR https://github.com/anchore/syft/pull/1743 changes how syft processes license encoding for the CycloneDX format.

If syft finds "other licenses", licenses that are not a valid SPDX Expression or in the SPDX license list for a given package, then it generates a list of cyclonedx.Licenses where any single valid SPDX ID is its own license, the "other licenses" are their own license, and any complex expression lifted from the source is slotted under the Name field of an individual CycloneDX license.

If no other licenses are found, syft merges single IDs and expressions into a single SPDX expression under the Expression CycloneDX field.

This issue is to resolve the case where multiple complex SPDX expressions are lifted from a source along with "other licenses" - given the below test case - it's unclear if we want to drop the "other license" in favor of a merge OR parse the complex expressions into individual licenses.

{
    name: "multiple complex SPDX license expression and a non spdx id",
    input: pkg.Package{
        Licenses: []pkg.License{
            {
                // valid SPDX expression
                SPDXExpression: "MIT AND GPL-3.0-only",
            },
            {
                // valid SPDX expression with an exception clause
                SPDXExpression: "MIT AND GPL-3.0-only WITH Classpath-exception-2.0",
            },
            {
                // not a valid SPDX id: an "other license"
                Value: "FOOBAR",
            },
        },
    },
    expected: &cyclonedx.Licenses{
        {
            // current expectation merges the SPDX expressions and drops FOOBAR
            Expression: "(MIT AND GPL-3.0-only) AND (MIT AND GPL-3.0-only WITH Classpath-exception-2.0)",
        },
    },
},

Why is this needed: Better license encoding from syft sbom --> CycloneDX format
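The two encoding rules described above, as an added stand-alone example (not syft's own code); the `License` and `CDXLicense` types are simplified hypothetical stand-ins for `pkg.License` and the CycloneDX license entry. Fed the test input from this issue, the "other license" FOOBAR puts the package under the per-license list rule, so it is kept as a Name entry rather than dropped; without FOOBAR the same input merges to the Expression shown in the test case.

```go
package main

import "strings"

// Hypothetical stand-ins for syft's pkg.License and a CycloneDX license entry.
type License struct {
	SPDXExpression string // set when the raw value parsed as valid SPDX
	Value          string // raw text of a license that is not valid SPDX
}
type CDXLicense struct {
	ID         string // a single SPDX identifier
	Name       string // non-SPDX text or a complex expression
	Expression string // one merged SPDX expression
}

// A bare SPDX identifier contains no operators or parentheses.
func isSingleID(e string) bool { return !strings.ContainsAny(e, " ()") }

// mergeExpression ANDs expressions together, parenthesising compound ones.
func mergeExpression(exprs []string) string {
	parts := make([]string, len(exprs))
	for i, e := range exprs {
		if parts[i] = e; len(exprs) > 1 && !isSingleID(e) {
			parts[i] = "(" + e + ")"
		}
	}
	return strings.Join(parts, " AND ")
}

// encodeLicenses applies the issue's two rules: with no "other" licenses
// everything merges into one Expression; otherwise every license becomes its
// own entry (ID for bare identifiers, Name otherwise), so FOOBAR is kept.
func encodeLicenses(licenses []License) []CDXLicense {
	var spdx []string
	var entries []CDXLicense
	for _, l := range licenses {
		switch e := l.SPDXExpression; {
		case e != "" && isSingleID(e):
			spdx, entries = append(spdx, e), append(entries, CDXLicense{ID: e})
		case e != "":
			spdx, entries = append(spdx, e), append(entries, CDXLicense{Name: e})
		case l.Value != "":
			entries = append(entries, CDXLicense{Name: l.Value})
		}
	}
	if len(spdx) > 0 && len(entries) == len(spdx) { // no "other" licenses
		return []CDXLicense{{Expression: mergeExpression(spdx)}}
	}
	return entries
}
```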

wagoodman commented 6 months ago

it's unclear if we want to drop the "other license" (FOOBAR in this case)

I feel that we should never drop this kind of information. Assuming that's true, does that mean this is the answer?

(MIT AND GPL-3.0-only) AND (MIT AND GPL-3.0-only WITH Classpath-exception-2.0) AND FOOBAR