`convert` command incorrectly converts license values

[vargenau]

What happened:

syft convert hello.spdx -o cyclonedx-json=hello.cdx.json
syft convert hello.cdx.json -o spdx-tag-value=hello-converted.spdx

hello.spdx.txt hello.cdx.json.txt hello-converted.spdx.txt

SPDX is invalid:

pyspdxtools -i hello-converted.spdx
ERROR:root:There have been issues while parsing the provided document:
Element Package is not the current element in scope, probably the expected tag to start the element (PackageName) is missing. Line: 14
Element Package is not the current element in scope, probably the expected tag to start the element (PackageName) is missing. Line: 15
Element Package is not the current element in scope, probably the expected tag to start the element (PackageName) is missing. Line: 16
Element Package is not the current element in scope, probably the expected tag to start the element (PackageName) is missing. Line: 17

(Edit: this has been broken off into #3067 )

Also, hello.spdxhas:

PackageLicenseConcluded: MIT
PackageLicenseDeclared: GPL-3.0-or-later OR MIT

This becomes in hello-converted.spdx:

PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: (GPL-3.0-or-later OR MIT) AND MIT

What you expected to happen:

The SPDX file should be valid SPDX. (Edit: this has been broken off into #3067 )

I am not a CycloneDX expert, but from my understanding, CycloneDX cannot make the difference between declared and concluded licences, so it cannot store both. So it is OK to have

PackageLicenseConcluded: NOASSERTION

But

PackageLicenseDeclared: (GPL-3.0-or-later OR MIT) AND MIT

is clearly incorrect.

Steps to reproduce the issue:

See above

Anything else we need to know?:

Environment:

• Output of syft version: syft 0.92.0
• OS (e.g: cat /etc/os-release or similar): MacOS 13.6

[wagoodman]

This seems to be two unrelated things:

• license declared vs concluded fields are crossing paths during the format encode/decode path (maybe somewhere in here https://github.com/anchore/syft/blob/main/syft/format/common/spdxhelpers/license.go)
• we need to support missing source objects in the decode/encode path (such that no top-level package gets created). This is closely related to the minimum NTIA elements work in progress https://github.com/anchore/syft/milestone/3 . What's missing from that work is to consider if convert should also be included in the new proposed configuration items (such that the package would be dropped, missing values filled in with stubs, or something else).

We should consider splitting this into separate issues if they are not tacked at the same time.

[wagoodman]

I've carved off the package name consideration into a new issue #3067 and left this issue to describe only the license problems being described.