SBOM/SPDX Generation: Add in LicenseRef info for licenses which are not recognized by SPDX (OASIS-IPR)

[timesys-nathan]

The sbom.spdx for corePKCS11 fails the SPDX validation check because OASIS-IPR is not a valid SPDX License

SPDX License list: https://spdx.github.io/spdx-spec/v2.3/SPDX-license-list

The correct way of solving this is by using a LicenseRef-
See: https://spdx.github.io/spdx-spec/v2.3/other-licensing-information-detected/#101-license-identifier-field

An example of how the LicenseRef is used is here:
https://github.com/spdx/spdx-examples/blob/master/software/example6/spdx2.2/example6-bin.spdx#L20C47-L20C57

This commit changes the following output to convert it to a LicenseRef and fix the validation check.

$ diff -u sbom-original.spdx sbom-fixup.spdx
--- sbom-original.spdx	2024-03-29 09:46:53.203092500 -0400 +++ sbom-fixup.spdx	2024-03-29 09:48:03.900301885 -0400 @@ -340,8 +340,8 @@
 SPDXID: SPDXRef-Package-pkcs11
 PackageVersion: v2.40_errata01
 PackageDownloadLocation: https://github.com/amazon-freertos/pkcs11.git
-PackageLicenseDeclared: OASIS-IPR
-PackageLicenseConcluded: OASIS-IPR
+PackageLicenseDeclared: LicenseRef-OASIS-IPR
+PackageLicenseConcluded: LicenseRef-OASIS-IPR
 PackageLicenseInfoFromFiles: NOASSERTION
 FilesAnalyzed: True
 PackageVerificationCode: 0c50b69c6789adbc08378264ec75fa6e6a616364
@@ -1848,3 +1848,7 @@

 Relationship: SPDXRef-Package-corePKCS11 DEPENDS_ON SPDXRef-Package-pkcs11
 Relationship: SPDXRef-Package-corePKCS11 DEPENDS_ON SPDXRef-Package-mbedtls
+
+LicenseID: LicenseRef-OASIS-IPR
+LicenseName: OASIS-IPR
+ExtractedText: <text>OASIS-IPR</text>

Tool used to validate: https://github.com/spdx/tools-java/releases/tag/v1.1.8

$ java -jar ../tools/tools-java-1.1.8/tools-java-1.1.8-jar-with-dependencies.jar Verify sbom-original.spdx
SLF4J: No SLF4J providers were found.
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See https://www.slf4j.org/codes.html#noProviders for further details.
This SPDX Document is not valid due to:
Relationship at line 1850 invalid: Invalid license id 'OASIS-IPR'.  Must start with 'LicenseRef-' and made up of the characters from the set 'a'-'z', 'A'-'Z', '0'-'9', '+', '_', '.', and '-'. in pkcs11
Relationship at line 1850 invalid: License not found for OASIS-IPR in pkcs11
Package at line 11 invalid: Relationship error: Invalid license id 'OASIS-IPR'.  Must start with 'LicenseRef-' and made up of the characters from the set 'a'-'z', 'A'-'Z', '0'-'9', '+', '_', '.', and '-'. in pkcs11 in corePKCS11 in corePKCS11
Package at line 11 invalid: Relationship error: License not found for OASIS-IPR in pkcs11 in corePKCS11 in corePKCS11
Package at line 339 invalid: Invalid license id 'OASIS-IPR'.  Must start with 'LicenseRef-' and made up of the characters from the set 'a'-'z', 'A'-'Z', '0'-'9', '+', '_', '.', and '-'. in pkcs11
Package at line 339 invalid: License not found for OASIS-IPR in pkcs11
Relationship error: Relationship error: Invalid license id 'OASIS-IPR'.  Must start with 'LicenseRef-' and made up of the characters from the set 'a'-'z', 'A'-'Z', '0'-'9', '+', '_', '.', and '-'. in pkcs11 in corePKCS11 in corePKCS11 in corePKCS11
Relationship error: Relationship error: License not found for OASIS-IPR in pkcs11 in corePKCS11 in corePKCS11 in corePKCS11

$ java -jar ../tools/tools-java-1.1.8/tools-java-1.1.8-jar-with-dependencies.jar Verify sbom-fixup.spdx
SLF4J: No SLF4J providers were found.
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See https://www.slf4j.org/codes.html#noProviders for further details.
This SPDX Document is valid.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.