sbom-utility
SBOM Utility is not validating the SMAIL-GPL SPDX License
I created a CDX 1.4 SBOM with the licenses for one package as
GPL-2.0-or-later, SMAIL-GPL, public-domain
These were broken up correctly into their separate licenses in the SBOM, but on importing the SBOM into DT it failed.
I ran a validation tool against it and it failed with (to summarize) SMAIL-GPL is not an SPDX license.
It is - https://spdx.org/licenses/SMAIL-GPL.html
It was introduced to the SPDX list in Oct 2024 and I am guessing that SBOM utility needs to be updated to accept it.
I changed the license to the primary one for this package:
GPL-2.0-or-later
and the SBOM validated and imported into DT.
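
An added example, not part of the original report and not sbom-utility code: a pre-flight check that lists the `license.id` values in a CycloneDX JSON SBOM that are missing from a given SPDX identifier snapshot, the mismatch the report describes. It assumes the validator compares ids against a fixed SPDX list; `KNOWN_SPDX_IDS`, the sample SBOM and the function names are constructed for illustration.

```python
import json

# Constructed stand-in for the SPDX identifier list a validator ships with;
# it deliberately predates the addition of SMAIL-GPL.
KNOWN_SPDX_IDS = {"GPL-2.0-or-later", "MIT", "Apache-2.0"}

# Constructed CycloneDX 1.4 fragment modelled on the report above.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [{
        "type": "library",
        "name": "example-package",
        "licenses": [
            {"license": {"id": "GPL-2.0-or-later"}},
            {"license": {"id": "SMAIL-GPL"}},
            {"license": {"name": "public-domain"}},  # free-form name, not checked
        ],
    }],
})


def iter_components(components):
    """Yield every component, including nested ones."""
    for comp in components or []:
        yield comp
        yield from iter_components(comp.get("components"))


def unknown_license_ids(sbom_text, known_ids=KNOWN_SPDX_IDS):
    """Return sorted (component name, license id) pairs not in known_ids."""
    bom = json.loads(sbom_text)
    roots = list(bom.get("components") or [])
    meta = (bom.get("metadata") or {}).get("component")
    if meta:
        roots.append(meta)
    findings = set()
    for comp in iter_components(roots):
        for entry in comp.get("licenses") or []:
            lic = entry.get("license") or {}  # "expression" entries carry no id
            lic_id = lic.get("id")
            if lic_id is not None and lic_id not in known_ids:
                findings.add((comp.get("name", "<unnamed>"), lic_id))
    return sorted(findings)


if __name__ == "__main__":
    for name, lic_id in unknown_license_ids(SAMPLE_SBOM):
        print(f"{name}: license id {lic_id!r} not in the SPDX snapshot")
```

Running the check against the identifier list of each tool in the pipeline shows which ids need a newer list or a fallback before import.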