docs: add note about license assertion
Signed-off-by: nscuro <nscuro@protonmail.com>
nscuro committed Aug 3, 2023
1 parent b973b4d commit f87ab90
Showing 4 changed files with 54 additions and 1 deletion.
29 changes: 29 additions & 0 deletions README.md
Expand Up @@ -117,6 +117,14 @@ as subcomponents of their respective package. File versions follow the v0.0.0-SH
where SHORTHASH is the first 12 characters of the file's SHA1 hash.
Because files are subcomponents of packages, -files can only be used in conjunction with -packages.
Licenses detected via -licenses flag will, per default, be reported as evidence.
This is because it can not be guaranteed that the detected licenses are in fact correct.
In case analysis software ingesting the BOM generated by this tool can not yet handle
evidences, detected licenses may be asserted using the -assert-licenses flag.
For documentation on the respective fields of the CycloneDX specification, refer to:
* https://cyclonedx.org/docs/1.4/json/#components_items_licenses
* https://cyclonedx.org/docs/1.4/json/#components_items_evidence_licenses
Examples:
$ GOARCH=arm64 GOOS=linux GOFLAGS="-tags=foo,bar" cyclonedx-gomod app -output linux-arm64.bom.xml
$ cyclonedx-gomod app -json -output acme-app.bom.json -files -licenses -main cmd/acme-app /usr/src/acme-module
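Review bot: the wording of the added note needs a pass before it is copied into three more help texts: "per default" should be "by default", "can not" should be "cannot", and "evidences" should be "evidence", since the CycloneDX field is the singular `evidence` (the linked anchor `components_items_evidence_licenses` shows the nesting). The same block appears verbatim in the other hunks of this commit, so the fix should be applied to all of them in one go.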
Expand Down Expand Up @@ -152,6 +160,14 @@ will be downloaded to the module cache using "go mod download".
For the download of the main module to work, its version has to be provided
via the -version flag.
Licenses detected via -licenses flag will, per default, be reported as evidence.
This is because it can not be guaranteed that the detected licenses are in fact correct.
In case analysis software ingesting the BOM generated by this tool can not yet handle
evidences, detected licenses may be asserted using the -assert-licenses flag.
For documentation on the respective fields of the CycloneDX specification, refer to:
* https://cyclonedx.org/docs/1.4/json/#components_items_licenses
* https://cyclonedx.org/docs/1.4/json/#components_items_evidence_licenses
Please note that data embedded in binaries shouldn't be trusted,
unless there's solid evidence that the binaries haven't been modified
since they've been built.
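Review bot: the note explains that detected licenses are reported as evidence because correctness "can not be guaranteed", but it does not spell out what `-assert-licenses` changes for consumers: an asserted license lands in the authoritative `licenses` field, so downstream policy or compliance tooling will treat a heuristic match as a verified fact. One sentence along the lines of "Only assert licenses after reviewing the detection results, as consumers will not be able to tell them apart from declared licenses" would make the trade-off clear, and fits well next to the existing warning about not trusting data embedded in binaries.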
Expand Down Expand Up @@ -180,6 +196,14 @@ USAGE
Generate SBOMs for modules.
Licenses detected via -licenses flag will, per default, be reported as evidence.
This is because it can not be guaranteed that the detected licenses are in fact correct.
In case analysis software ingesting the BOM generated by this tool can not yet handle
evidences, detected licenses may be asserted using the -assert-licenses flag.
For documentation on the respective fields of the CycloneDX specification, refer to:
* https://cyclonedx.org/docs/1.4/json/#components_items_licenses
* https://cyclonedx.org/docs/1.4/json/#components_items_evidence_licenses
Examples:
$ cyclonedx-gomod mod -licenses -type library -json -output bom.json ./cyclonedx-go
$ cyclonedx-gomod mod -test -output bom.xml ./cyclonedx-go
Expand Down Expand Up @@ -334,6 +358,11 @@ While `go-license-detector`'s license matching *may* be accurate most of the tim
This is why detected licenses are included as [evidences](https://cyclonedx.org/news/cyclonedx-v1.3-released/#copyright-and-license-evidence),
rather than the `licenses` field directly.

> Detected licenses may be *asserted* using the `-assert-licenses` flag. When provided,
> *cyclonedx-gomod* will use the `licenses` field, instead of `evidences`. This can be
> helpful when the generated BOM is pushed to an analysis tool that does not yet handle
> evidences.
### Hashes

*cyclonedx-gomod* uses the same hashing algorithm Go uses for its [module authentication](https://go.googlesource.com/proposal/+/master/design/25530-sumdb.md#module-authentication-with).
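Review bot: the blockquote says *cyclonedx-gomod* will "use the `licenses` field, instead of `evidences`", but there is no `evidences` field in CycloneDX; the counterpart of `licenses` is `evidence.licenses`, as the earlier link to `#components_items_evidence_licenses` documents. Suggest "instead of `evidence.licenses`". Also, the quote runs straight into `### Hashes` with no blank line, unlike the blank line kept after the preceding paragraph; a blank line after the quote keeps the section layout consistent.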
10 changes: 9 additions & 1 deletion internal/cli/cmd/app/app.go
Expand Up @@ -72,9 +72,17 @@ as subcomponents of their respective package. File versions follow the v0.0.0-SH
where SHORTHASH is the first 12 characters of the file's SHA1 hash.
Because files are subcomponents of packages, -files can only be used in conjunction with -packages.
Licenses detected via -licenses flag will, per default, be reported as evidence.
This is because it can not be guaranteed that the detected licenses are in fact correct.
In case analysis software ingesting the BOM generated by this tool can not yet handle
evidences, detected licenses may be asserted using the -assert-licenses flag.
For documentation on the respective fields of the CycloneDX specification, refer to:
* https://cyclonedx.org/docs/1.4/json/#components_items_licenses
* https://cyclonedx.org/docs/1.4/json/#components_items_evidence_licenses
Examples:
$ GOARCH=arm64 GOOS=linux GOFLAGS="-tags=foo,bar" cyclonedx-gomod app -output linux-arm64.bom.xml
$ cyclonedx-gomod app -json -output acme-app.bom.json -files -licenses -main cmd/acme-app /usr/src/acme-module`,
$ cyclonedx-gomod app -json -output acme-app.bom.json -packages -files -licenses -main cmd/acme-app /usr/src/acme-module`,
FlagSet: fs,
Exec: func(_ context.Context, args []string) error {
if len(args) > 1 {
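Review bot: the help text now promises a `-assert-licenses` flag, but this hunk only shows the LongHelp string and `FlagSet: fs`; the registration of that flag on `fs` is not visible here, so please confirm it is wired for `app` (and for `bin` and `mod`), otherwise the documentation describes a flag the parser will reject. Separately, changing the example from `-files -licenses` to `-packages -files -licenses` is a correct fix given the "-files can only be used in conjunction with -packages" rule stated a few lines above, but it is unrelated to the commit message "docs: add note about license assertion"; worth a mention in the message so the change is not lost.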
8 changes: 8 additions & 0 deletions internal/cli/cmd/bin/bin.go
Expand Up @@ -51,6 +51,14 @@ will be downloaded to the module cache using "go mod download".
For the download of the main module to work, its version has to be provided
via the -version flag.
Licenses detected via -licenses flag will, per default, be reported as evidence.
This is because it can not be guaranteed that the detected licenses are in fact correct.
In case analysis software ingesting the BOM generated by this tool can not yet handle
evidences, detected licenses may be asserted using the -assert-licenses flag.
For documentation on the respective fields of the CycloneDX specification, refer to:
* https://cyclonedx.org/docs/1.4/json/#components_items_licenses
* https://cyclonedx.org/docs/1.4/json/#components_items_evidence_licenses
Please note that data embedded in binaries shouldn't be trusted,
unless there's solid evidence that the binaries haven't been modified
since they've been built.
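Review bot: this eight-line block is pasted verbatim into `app.go`, `bin.go` and `mod.go` (and mirrored in the README); a wording fix in one place will drift from the others. Consider a single shared constant in a common package that each subcommand's LongHelp concatenates, so the license-assertion note is maintained once.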
8 changes: 8 additions & 0 deletions internal/cli/cmd/mod/mod.go
Expand Up @@ -44,6 +44,14 @@ func New() *ffcli.Command {
ShortUsage: "cyclonedx-gomod mod [FLAGS...] [MODULE_PATH]",
LongHelp: `Generate SBOMs for modules.
Licenses detected via -licenses flag will, per default, be reported as evidence.
This is because it can not be guaranteed that the detected licenses are in fact correct.
In case analysis software ingesting the BOM generated by this tool can not yet handle
evidences, detected licenses may be asserted using the -assert-licenses flag.
For documentation on the respective fields of the CycloneDX specification, refer to:
* https://cyclonedx.org/docs/1.4/json/#components_items_licenses
* https://cyclonedx.org/docs/1.4/json/#components_items_evidence_licenses
Examples:
$ cyclonedx-gomod mod -licenses -type library -json -output bom.json ./cyclonedx-go
$ cyclonedx-gomod mod -test -output bom.xml ./cyclonedx-go`,