
cdx2spdx doesn't handle "LicenseRef" license IDs properly

Open fschoenm opened this issue 1 year ago • 1 comment

I tried to convert a CycloneDX file that contains some non-SPDX-compliant licenses that were already called "LicenseRef-Proprietary" in the CDX file. cdx2spdx (version 0.1.5) seems to not handle that situation well because it prefixes it with another "LicenseRef". Maybe it could check if the license name is already SPDX-compliant.

This is part of the output (see the duplicate "LicenseRef" prefix):

  "packages" : [ {
    "SPDXID" : "SPDXRef-pkg-conan-[...]",
    "annotations" : [ {
      "annotationDate" : "2024-10-18T13:45:42Z",
      "annotationType" : "OTHER",
      "annotator" : "Tool: CycloneToSpdx",
      "comment" : "MISSING_CDX_PROPERTY:componentType=\"LIBRARY\""
    } ],
    "copyrightText" : "NOASSERTION",
    "description" : "[...]",
    "downloadLocation" : "NOASSERTION",
    "externalRefs" : [ {
      "referenceCategory" : "PACKAGE-MANAGER",
      "referenceLocator" : "pkg:conan/[...]",
      "referenceType" : "purl"
    } ],
    "filesAnalyzed" : false,
    "licenseConcluded" : "NOASSERTION",
    "licenseDeclared" : "LicenseRef-LicenseRef-Proprietary",
    "name" : "[...]",
    "originator" : "Person: [...]",
    "primaryPackagePurpose" : "LIBRARY",
    "supplier" : "Organization: [...]",
    "versionInfo" : "0.3.1"
  }, {

fschoenm avatar Oct 18 '24 13:10 fschoenm
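The check suggested in the report, sketched as an added Python example (not the project's own Java code): a naive mapper that reproduces the double prefix beside one that keeps names that already are valid SPDX identifiers. The SPDX short-id set is a constructed partial sample and the function names are hypothetical; the fixed version also re-sanitises a `LicenseRef-` name whose remainder falls outside the SPDX idstring grammar instead of prefixing it twice.

```python
import re

# Constructed, partial sample of SPDX License List short identifiers
# (the real list lives at https://spdx.org/licenses/); an assumption here.
KNOWN_SPDX_IDS = {"MIT", "Apache-2.0", "BSD-3-Clause", "GPL-2.0-only", "LGPL-2.1-or-later"}

LICENSE_REF_PREFIX = "LicenseRef-"
# SPDX 2.x grammar: "LicenseRef-" followed by an idstring of letters, digits, "." and "-".
LICENSE_REF_RE = re.compile(r"^LicenseRef-[A-Za-z0-9.\-]+$")
# Characters that are not allowed inside an idstring.
IDSTRING_BAD_CHARS = re.compile(r"[^A-Za-z0-9.\-]")


def naive_license_declared(name: str) -> str:
    """Behaviour reported in the issue: every name that is not a known
    SPDX id gets a LicenseRef- prefix, even when it already has one."""
    if name in KNOWN_SPDX_IDS:
        return name
    return LICENSE_REF_PREFIX + IDSTRING_BAD_CHARS.sub("-", name)


def license_declared(name: str) -> str:
    """Fixed mapping: keep names that are already SPDX-compliant."""
    name = name.strip()
    if not name:
        return "NOASSERTION"
    if name in KNOWN_SPDX_IDS:
        return name                       # SPDX short identifier, keep as-is
    if LICENSE_REF_RE.match(name):
        return name                       # already a valid LicenseRef-* id, do not prefix again
    # Strip an existing prefix before sanitising, so a LicenseRef- name with
    # disallowed characters is repaired rather than prefixed a second time.
    body = name[len(LICENSE_REF_PREFIX):] if name.startswith(LICENSE_REF_PREFIX) else name
    return LICENSE_REF_PREFIX + IDSTRING_BAD_CHARS.sub("-", body)


if __name__ == "__main__":
    for cdx_name in ("MIT", "LicenseRef-Proprietary", "Proprietary License 1.0"):
        print(f"{cdx_name!r}: naive={naive_license_declared(cdx_name)!r} fixed={license_declared(cdx_name)!r}")
```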

Thanks @fschoenm - agree with your suggestion. I'm working on upgrading the utility to support the SPDX 3.0 spec - after that, I'll look into implementing your suggestion.

goneall avatar Oct 18 '24 17:10 goneall