
SBOM export incorrectly converts license.name to license.id causing validation failures

Summary

During SBOM export, license.name fields are being incorrectly converted to license.id fields, causing CycloneDX schema validation failures. This prevents successful dependency list exports for projects using container scanning.

Steps to reproduce

  1. Run container scanning that generates an SBOM with licenses containing non-SPDX identifiers in the license.name field
  2. Attempt to export the dependency list via the API
  3. The export fails with validation errors like:
    property '/components/X/licenses/0/license/id' is not one of: [list of valid SPDX identifiers]

Current behavior

  • Container scanning SBOMs with license.name fields (containing non-SPDX identifiers like bitstream-vera, Public-Domain, OpenGroup-BSD-like) are ingested successfully
  • During export, these license.name values are incorrectly converted to license.id fields
  • The export fails CycloneDX schema validation because these non-SPDX identifiers are not valid for the license.id field

Expected behavior

  • license.name fields should remain as license.name during export
  • Only valid SPDX identifiers should be placed in license.id fields
  • The exported SBOM should pass CycloneDX schema validation

Root cause

The issue appears to be caused by this line introduced in !200685 (merged), which incorrectly maps license.name to license.id.
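The mapping mistake described above and the expected behaviour from the previous section, shown side by side as an added Ruby example (not GitLab's code): a buggy exporter that moves every license.name into license.id, the corrected exporter that only emits license.id for a known SPDX identifier, and a small stand-in for the schema check. The SPDX allowlist, helper names and sample licenses are constructed for the example.

```ruby
require 'json'

# Constructed subset of the SPDX license list; the real CycloneDX schema
# enumerates the full list. Helper names below are hypothetical.
SPDX_IDS = %w[MIT Apache-2.0 BSD-3-Clause GPL-2.0-only].freeze

# Ingested entries as container scanning might produce them (constructed):
# non-SPDX strings live in license.name, known SPDX ids may arrive as license.id.
INGESTED_LICENSES = [
  { 'name' => 'MIT' },
  { 'name' => 'bitstream-vera' },
  { 'name' => 'Public-Domain' },
  { 'name' => 'OpenGroup-BSD-like' },
  { 'id' => 'Apache-2.0' }
].freeze

def spdx_id?(value)
  SPDX_IDS.include?(value)
end

# Buggy export: whatever was in license.name ends up in license.id.
def export_license_buggy(license)
  { 'license' => { 'id' => license['id'] || license['name'] } }
end

# Fixed export: license.id only for a valid SPDX identifier; everything else
# (including an unrecognised id) is emitted as license.name.
def export_license_fixed(license)
  if license['id'] && spdx_id?(license['id'])
    { 'license' => { 'id' => license['id'] } }
  else
    { 'license' => { 'name' => license['name'] || license['id'] } }
  end
end

def export(licenses, fixed: true)
  licenses.map { |l| fixed ? export_license_fixed(l) : export_license_buggy(l) }
end

# Stand-in for the CycloneDX validator: one error string per license.id
# that is not an SPDX identifier (empty array means the export validates).
def validate_licenses(entries)
  entries.each_with_index.filter_map do |entry, i|
    id = entry.dig('license', 'id')
    next if id.nil? || spdx_id?(id)
    "property '/components/0/licenses/#{i}/license/id' is not one of: #{SPDX_IDS.inspect}"
  end
end

if $PROGRAM_NAME == __FILE__
  puts validate_licenses(export(INGESTED_LICENSES, fixed: false)) # three errors
  puts JSON.pretty_generate(export(INGESTED_LICENSES))            # validates cleanly
end
```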

Impact

  • Large customers cannot export dependency lists when using container scanning
  • SBOM exports fail validation against CycloneDX schema
  • Workarounds require stripping license information entirely

Related issues

  • Original customer issue: gitlab-com/request-for-help#3297
  • Related to SPDX expression support: &16801

Versions affected

Edited by Brian Williams