Addition Suggestion
CISA's new proposed minimal SBOM elements show they intend to require SBOMs contain licensing elements. I would recommend adding a 1st or 2nd level Baseline along the lines of:
OSPS-LE-04.01: When package formats support it, machine-readable licensing metadata (e.g. SPDX Expressions) must be present in package metadata files (e.g. pom.xml, package.json, setup.py).
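One way to turn the proposed control into an automated check, as an added example that is not part of this suggestion or of the Baseline project: parse the license field of a manifest and verify that it is a well-formed SPDX expression. The `validate_spdx_expression` parser below implements the SPDX `AND`/`OR`/`WITH`/`+`/parentheses grammar (uppercase operators only, a deliberate simplification), the license and exception lists are a small constructed subset of the SPDX list, and the two sample manifests are constructed inline. It covers `package.json` (npm documents that field as an SPDX expression) and `pom.xml` (Maven's `<license><name>` is free text, so the check only reports whether the name happens to be an SPDX expression, which is the "when package formats support it" caveat in practice).

```python
"""Check that package manifests carry a machine-readable SPDX license expression.

Added illustration; not part of the original suggestion or of the Baseline project.
The SPDX license/exception lists are a constructed subset; samples are constructed.
"""
import json
import re
import xml.etree.ElementTree as ET

# Constructed subset of the SPDX license list; a real check would load the
# full list (spdx.org/licenses/licenses.json) instead of hard-coding it.
KNOWN_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause", "GPL-2.0-only",
                  "GPL-2.0-or-later", "GPL-3.0-only", "LGPL-2.1-only"}
KNOWN_EXCEPTIONS = {"Classpath-exception-2.0", "LLVM-exception"}
OPERATORS = {"AND", "OR", "WITH"}  # simplification: operators matched in uppercase only


class SPDXError(ValueError):
    """Raised when a string is not a well-formed SPDX expression over the known ids."""


def _tokenize(expr):
    # Identifiers may contain letters, digits, '.', '-', '+' and ':' (DocumentRef-x:LicenseRef-y).
    tokens = re.findall(r"\(|\)|[A-Za-z0-9.+:-]+", expr)
    if "".join(tokens) != re.sub(r"\s+", "", expr):
        raise SPDXError(f"illegal characters in {expr!r}")
    return tokens


def _check_license_id(tok):
    # A trailing '+' means "or any later version" and is stripped before lookup.
    base = tok[:-1] if tok.endswith("+") else tok
    if base in KNOWN_LICENSES:
        return
    if re.fullmatch(r"(DocumentRef-[A-Za-z0-9.-]+:)?LicenseRef-[A-Za-z0-9.-]+", base):
        return  # user-defined license reference: syntactically valid
    raise SPDXError(f"unknown license identifier {tok!r}")


def validate_spdx_expression(expr):
    """Return True if expr parses as:  expr := and ('OR' and)* ;
    and := primary ('AND' primary)* ; primary := '(' expr ')' | license ['WITH' exception].
    Raise SPDXError otherwise (recursive descent; WITH binds tighter than AND/OR)."""
    tokens = _tokenize(expr)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        tok = peek()
        pos += 1
        return tok

    def parse_or():
        parse_and()
        while peek() == "OR":
            take()
            parse_and()

    def parse_and():
        parse_primary()
        while peek() == "AND":
            take()
            parse_primary()

    def parse_primary():
        tok = take()
        if tok is None:
            raise SPDXError("unexpected end of expression")
        if tok == "(":
            parse_or()
            if take() != ")":
                raise SPDXError("missing ')'")
            return
        if tok == ")" or tok in OPERATORS:
            raise SPDXError(f"unexpected token {tok!r}")
        _check_license_id(tok)
        if peek() == "WITH":
            take()
            exc = take()
            if exc not in KNOWN_EXCEPTIONS:
                raise SPDXError(f"unknown exception {exc!r}")

    parse_or()
    if pos != len(tokens):
        raise SPDXError(f"unexpected token {tokens[pos]!r}")
    return True


def check_package_json(text):
    """Return (ok, message) for the 'license' field of a package.json document."""
    lic = json.loads(text).get("license")
    if not isinstance(lic, str) or not lic.strip():
        return False, "package.json: no machine-readable 'license' field"
    try:
        validate_spdx_expression(lic)
    except SPDXError as err:
        return False, f"package.json: license {lic!r} is not an SPDX expression ({err})"
    return True, f"package.json: license {lic!r} is a valid SPDX expression"


def check_pom_xml(text):
    """Return (ok, message) for <licenses><license><name> entries in a Maven POM.
    Maven does not require SPDX ids in <name>, so this reports whether each one is one."""
    root = ET.fromstring(text)
    names = [n.text.strip() for n in root.findall("./{*}licenses/{*}license/{*}name") if n.text]
    if not names:
        return False, "pom.xml: no <licenses> declared"
    bad = []
    for name in names:
        try:
            validate_spdx_expression(name)
        except SPDXError:
            bad.append(name)
    if bad:
        return False, f"pom.xml: license names that are not SPDX expressions: {bad}"
    return True, f"pom.xml: {names} are valid SPDX expressions"


# Constructed sample manifests: the first passes, the second shows the free-text gap.
SAMPLE_PACKAGE_JSON = ('{"name": "demo", "version": "1.0.0", '
                       '"license": "MIT OR (Apache-2.0 AND GPL-2.0-only WITH Classpath-exception-2.0)"}')
SAMPLE_POM = ('<project xmlns="http://maven.apache.org/POM/4.0.0"><licenses><license>'
              '<name>Apache License, Version 2.0</name></license></licenses></project>')

if __name__ == "__main__":
    for ok, msg in (check_package_json(SAMPLE_PACKAGE_JSON), check_pom_xml(SAMPLE_POM)):
        print("PASS" if ok else "FAIL", msg)
```

Run against a repository's manifests in CI, the check fails closed: a missing field, a non-SPDX string such as npm's `SEE LICENSE IN <file>`, or a human-readable Maven license name all produce a FAIL with the reason, which is the signal an SBOM generator would otherwise silently turn into an empty or `NOASSERTION` license entry.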