
[SPDX][TV] SBOM value format is incorrect for LicenseName #1642

Closed
surendrapathak opened this issue Mar 2, 2023 · 2 comments
Labels
bug Something isn't working

Comments

@surendrapathak

Summary

SPDX value format is missing or incorrect for LicenseName

LicenseName: UNKNOWN

Background

  1. Download syft version 0.73.0
  2. Generate sbom with syft packages {image}:{version} -o {syft_format} --file {out_file} for centos tag centos8.4.2105
  3. Observe the following error:

SPDX value format is missing or incorrect for LicenseName

Expected behavior

LicenseName should be valid SPDX license, omitted, or have NOASSERTION

Screenshots

If applicable, add screenshots to help explain the problem.

Repository

Which repository causes this error?

  • centos:centos8.4.2105

Additional Context

Optional - add any other context about the problem here.

Acceptance Criteria

The "done" criteria when this feature or problem is resolved. Such as:

  1. Unit Tests added and running in CI
  2. Functional Tests updated to cover feature, if applicable
  3. Demonstrate the set of capabilities to the product team

References

Limited to SPDX.
Finder: sbomqs
SBOM: sbomlc-centos-centos

@surendrapathak surendrapathak added the bug Something isn't working label Mar 2, 2023
@kzantow
Contributor

kzantow commented Mar 2, 2023

@surendrapathak the LicenseName field is part of the Other Licenses section, and is used when licenses do not match SPDX license list names; I believe this is the correct usage of the field.

You will see that a package with this license has a LicenseRef, e.g.:

PackageLicenseConcluded: LicenseRef-UNKNOWN
PackageLicenseDeclared: LicenseRef-UNKNOWN

These fields either need to be valid SPDX License names, or use LicenseRefs pointing to licenses in the Other Licenses section. Syft is outputting LicenseRefs when the license expression doesn't match anything in the SPDX license list.
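
To make the rule in the comment above concrete, here is an added checker (not syft's code, and not part of this issue): it parses SPDX tag-value lines and flags any PackageLicenseConcluded/PackageLicenseDeclared term that is neither NOASSERTION/NONE, an SPDX list identifier, nor a LicenseRef- that resolves to a LicenseID in the Other Licenses section. The license list subset and the sample document are constructed assumptions.

```python
import re
# Small subset of the SPDX license list (an assumption; a real check loads the full list).
SPDX_LIST_IDS = {"MIT", "Apache-2.0", "GPL-2.0-only", "GPL-2.0-or-later", "BSD-3-Clause"}
LICENSE_REF_RE = re.compile(r"^LicenseRef-[A-Za-z0-9.\-]+$")

# Constructed tag-value fragment in the shape syft emits: LicenseRef-UNKNOWN is
# defined in the Other Licenses section, LicenseRef-Missing is not.
SAMPLE_DOC = """\
PackageName: bash
PackageLicenseConcluded: LicenseRef-UNKNOWN
PackageLicenseDeclared: LicenseRef-UNKNOWN
PackageName: curl
PackageLicenseConcluded: MIT AND Apache-2.0
PackageLicenseDeclared: LicenseRef-Missing
LicenseID: LicenseRef-UNKNOWN
LicenseName: UNKNOWN
"""

def parse_tag_value(text):
    """Return (tag, value) pairs; blank lines and # comments are skipped."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            tag, sep, value = line.partition(":")
            if sep:
                pairs.append((tag.strip(), value.strip()))
    return pairs

def license_terms(expr):
    """Split a simple SPDX expression into bare identifiers (operators and parens dropped)."""
    return [t for t in re.split(r"[()\s]+", expr) if t and t not in ("AND", "OR", "WITH")]

def check_package_licenses(text):
    """Flag package license terms that are neither NOASSERTION/NONE, SPDX list ids, nor LicenseRef-s defined by a LicenseID."""
    pairs = parse_tag_value(text)
    defined_refs = {value for tag, value in pairs if tag == "LicenseID"}
    problems = []
    for tag, value in pairs:
        if tag not in ("PackageLicenseConcluded", "PackageLicenseDeclared"):
            continue
        for term in license_terms(value):
            if term in ("NOASSERTION", "NONE") or term in SPDX_LIST_IDS:
                continue
            if not LICENSE_REF_RE.match(term):
                problems.append(f"{tag}: {term} is not on the SPDX license list")
            elif term not in defined_refs:
                problems.append(f"{tag}: {term} has no matching LicenseID")
    return problems
```

Run against the sample, only LicenseRef-Missing is reported; the LicenseRef-UNKNOWN / LicenseName: UNKNOWN pairing from the report passes, which is the point of the comment.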

@surendrapathak
Author

Confirming this matches the spec. Thanks for checking it out, @kzantow. Closing as invalid.

@surendrapathak surendrapathak closed this as not planned Mar 3, 2023