bug(cyclonedx): incorrect field for licenses

## Description
CycloneDX supports 3 possible fields for licenses:
1. multiple licenses by ID - https://cyclonedx.org/docs/1.6/json/#tab-pane_components_items_licenses_oneOf_i0_items_license_oneOf_i0
2. multiple licenses by Name - https://cyclonedx.org/docs/1.6/json/#tab-pane_components_items_licenses_oneOf_i0_items_license_oneOf_i1
3. SPDX license expression - https://cyclonedx.org/docs/1.6/json/#tab-pane_components_items_licenses_oneOf_i1

We added handaling for SPDX licenses - #8077.
But we don't use similar logic for CycloneDX reports.
We use 2 way (licenses by Name) for all licenses:
https://github.com/aquasecurity/trivy/blob/454b8940986645de8fccc9e7b57db0deb600adaa/pkg/sbom/cyclonedx/marshal.go#L290-L292

But there are case when this is incorrect:
1. when license is SPDX license ID, but we use `name` instead of `id`
2. when license is SPDX expression (see #9033).

### Solution
We need to parse each got license before insert in in CycloneDX report:
1. for single license:
   1.2. check that this is SPDX license. Use `ID` field for SPDX license and `name` for another license.
2. for multiple licenses
   2.1. Use `SPDX expression` for valid SPDX expression
   2.2.for other cases split licenses and use `name`/`id` field for each license 

### Discussed in https://github.com/aquasecurity/trivy/discussions/9033

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

bug(cyclonedx): incorrect field for licenses #9042

Description

Solution

Discussed in #9033

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

	License: &cdx.License{
	Name: license,
	},

bug(cyclonedx): incorrect field for licenses #9042

Description

Description

Solution

Discussed in #9033

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions