anthonyharrison / lib4sbom

Library to ingest and generate SBOMs
Apache License 2.0
14 stars 10 forks

feat: Multiple licenses from CycloneDX files preserved by parser #42

Closed georgkoester closed 1 week ago

georgkoester commented 3 weeks ago

Many packages are subject to multiple licenses, e.g. Debian OS packages, and other long-lived packages. To analyse the license situation this information is important. Just using the first license in the list often yields quite wrong results, such as only showing a documentation license instead of a GPL license.

anthonyharrison commented 1 week ago

Thanks @georgkoester. I was aware that the handling of multiple licences needed some attention, but with the support for SPDX licence expressions now supported, I think this will become the preferred approach of specifying multiple licences.

I will merge the pull request but will raise a new issue to make the changes to both the SPDX and CycloneDX generators to handle multiple licences.
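The two points raised above, a CycloneDX `licenses` array holding several entries and the SPDX-expression form as the alternative, as an added example that is not part of the pull request or of lib4sbom's own code; the BOM fragment, component names and licence values are constructed for illustration, and `first_only` only mimics the "take the first licence" behaviour the issue describes:

```python
import json

# Constructed CycloneDX 1.4-style JSON fragment (illustrative, not from lib4sbom).
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {
            "type": "library",
            "name": "example-os-package",
            "version": "1.0",
            # Documentation licence listed first, copyleft licence second.
            "licenses": [
                {"license": {"id": "GFDL-1.3-only"}},
                {"license": {"id": "GPL-2.0-or-later"}},
                {"license": {"name": "Custom vendor licence"}},
            ],
        },
        {
            "type": "library",
            "name": "example-expression-package",
            "version": "2.0",
            # Single SPDX licence expression instead of a list of licence objects.
            "licenses": [{"expression": "MIT OR Apache-2.0"}],
        },
    ],
})


def component_licenses(component):
    """Return every licence declared on a CycloneDX component.

    Each entry in `licenses` is either {"license": {"id"|"name": ...}} or
    {"expression": "<SPDX expression>"}; both forms are kept so that a
    documentation licence does not hide a GPL licence further down the list.
    """
    found = []
    for entry in component.get("licenses", []):
        if "expression" in entry:
            found.append(entry["expression"])
        elif "license" in entry:
            lic = entry["license"]
            found.append(lic.get("id") or lic.get("name") or "NOASSERTION")
    return found


def licenses_by_component(bom_json, first_only=False):
    """Map component name -> licences; first_only reproduces the old behaviour."""
    bom = json.loads(bom_json)
    result = {}
    for comp in bom.get("components", []):
        lics = component_licenses(comp)
        result[comp["name"]] = lics[:1] if first_only else lics
    return result
```

Comparing the two modes on the constructed BOM shows why the first-only view misleads: the OS package appears to carry only a documentation licence, while the full view exposes the GPL entry.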