SBOM/SPDX Generation: Add in LicenseRef info for licenses which are not recognized by SPDX (OASIS-IPR)

The sbom.spdx for corePKCS11 fails the SPDX validation check because OASIS-IPR is not a valid SPDX License

This commit changes the following output to convert it to a LicenseRef and fix the validation check.

$ diff -u sbom-original.spdx sbom-fixup.spdx
--- sbom-original.spdx	2024-03-29 09:46:53.203092500 -0400
+++ sbom-fixup.spdx	2024-03-29 09:48:03.900301885 -0400
@@ -340,8 +340,8 @@
 SPDXID: SPDXRef-Package-pkcs11
 PackageVersion: v2.40_errata01
 PackageDownloadLocation: https://github.com/amazon-freertos/pkcs11.git
-PackageLicenseDeclared: OASIS-IPR
-PackageLicenseConcluded: OASIS-IPR
+PackageLicenseDeclared: LicenseRef-OASIS-IPR
+PackageLicenseConcluded: LicenseRef-OASIS-IPR
 PackageLicenseInfoFromFiles: NOASSERTION
 FilesAnalyzed: True
 PackageVerificationCode: 0c50b69c6789adbc08378264ec75fa6e6a616364
@@ -1848,3 +1848,7 @@

 Relationship: SPDXRef-Package-corePKCS11 DEPENDS_ON SPDXRef-Package-pkcs11
 Relationship: SPDXRef-Package-corePKCS11 DEPENDS_ON SPDXRef-Package-mbedtls
+
+LicenseID: LicenseRef-OASIS-IPR
+LicenseName: OASIS-IPR
+ExtractedText: <text>OASIS-IPR</text>

Author: timesys-nathan

sbom-generator/scan_dir.py

@@ -10,6 +10,13 @@
 REPO_PATH = ''
 SOURCE_PATH = ''
 
+def needs_licenseref(license):
+    #SPDX license list can be found at https://spdx.org/licenses/
+    not_in_spdx = ["OASIS-IPR"]
+    if license in not_in_spdx:
+        return True
+    return False
+
 def scan_dir():
     dependency_path = os.path.join(REPO_PATH, 'source/dependency')
     path_3rdparty = os.path.join(REPO_PATH, 'source/dependency/3rdparty')
@@ -20,6 +27,7 @@ def scan_dir():
     total_file_list = []
     dependency_info = {}
     dependency_file_list = {}
+    licenseref_info = ""
     with open(manifest_path) as f:
         manifest = yaml.load(f, Loader=SafeLoader)
     root_license = manifest['license']
@@ -111,7 +119,17 @@ def scan_dir():
         if library_name == root_name:
             continue
         info = dependency_info[library_name]
-        package_writer(output, library_name, info['version'], info['repository']['url'], info['license'], package_hash(dependency_file_list[library_name]))
+
+        #Is this license part of the SPDX license list?  If not, then we need to use LicenseRef for proper SPDX validation
+        if needs_licenseref(info['license']):
+            license = "LicenseRef-" + info['license']
+            licenseref_info += "\nLicenseID: LicenseRef-%s\n" % info['license']
+            licenseref_info += "LicenseName: %s\n" % info['license']
+            licenseref_info += "ExtractedText: <text>%s</text>\n" % info['license']
+        else:
+            license = info['license']
+
+        package_writer(output, library_name, info['version'], info['repository']['url'], license, package_hash(dependency_file_list[library_name]))
         output.write(output_buffer[library_name].getvalue())
 
     #print relationships
@@ -120,6 +138,10 @@ def scan_dir():
             continue
         output.write('Relationship: SPDXRef-Package-' + manifest['name'] + ' DEPENDS_ON SPDXRef-Package-' + library_name + '\n')
 
+    #print any LicenseRef info
+    if licenseref_info != "":
+        output.write(licenseref_info)
+
 if __name__ == "__main__":
     parser = ArgumentParser(description='SBOM generator')
     parser.add_argument('--repo-root-path',