Hoppr-Merge Invalid Merge Strategy

Description

I have 2 SBOMs that are valid on their own (1 generated by Trivy, 1 by Syft). When hoppr-merge creates a merged SBOM, it creates an invalid SBOM by combining licenses of different formats. This breaks the CycloneDX 1.5 spec, which has a oneOf relationship on licenses.

What did you expect to happen?

Creation of a valid merged SBOM.

What happened instead?

Creation of an invalid SBOM that cannot be processed with hoppr-cop.

Output of hopctl version:

1.11.4

Additional details (purl types in SBOMs, example manifest, and transfers.yml):

The invalid merged field:

"licenses": [
  {
    "license": {
      "name": "Apache-2.0 OR BSD-3-Clause"
    }
  },
  {
    "expression": "Apache-2.0 OR BSD-3-Clause"
  }
],
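A pre-flight check for the shape reported above, added here as an example (not hoppr-merge or hoppr-cop code). It walks a CycloneDX 1.5 JSON document and flags any component whose licenses array mixes license and expression items or otherwise fails the schema's oneOf, which (as I read bom-1.5.schema.json) accepts either an array of license objects or an array holding a single expression; the embedded SBOM is constructed and carries the merged field quoted in the report.

```python
import json

# Constructed minimal SBOM (not hoppr-merge output) carrying the invalid
# merged 'licenses' field quoted in the report.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "example-lib", "version": "1.0.0",
     "licenses": [
       {"license": {"name": "Apache-2.0 OR BSD-3-Clause"}},
       {"expression": "Apache-2.0 OR BSD-3-Clause"}
     ]}
  ]
}"""


def license_array_problems(licenses):
    """Reasons a 'licenses' array fails the CycloneDX 1.5 oneOf: the schema
    accepts either every item carrying 'license', or exactly one item
    carrying 'expression'; a mixed array satisfies neither branch."""
    kinds = [tuple(k for k in ("license", "expression") if k in item) for item in licenses]
    problems = []
    if any(len(k) != 1 for k in kinds):
        problems.append("item lacking exactly one of 'license'/'expression'")
    if ("license",) in kinds and ("expression",) in kinds:
        problems.append("mixed 'license' and 'expression' items")
    elif kinds.count(("expression",)) > 1:
        problems.append("more than one 'expression' item")
    return problems


def iter_components(sbom):
    """Yield metadata.component, top-level components and nested components."""
    stack = list(sbom.get("components", []))
    if sbom.get("metadata", {}).get("component"):
        stack.append(sbom["metadata"]["component"])
    while stack:
        comp = stack.pop()
        yield comp
        stack.extend(comp.get("components", []))


def find_invalid_licenses(sbom_text):
    """Map 'name@version' to its problems for every component with a bad array."""
    findings = {}
    for comp in iter_components(json.loads(sbom_text)):
        problems = license_array_problems(comp.get("licenses", []))
        if problems:
            findings[f"{comp['name']}@{comp.get('version', '')}"] = problems
    return findings
```

Running it against a merged SBOM before handing it to hoppr-cop reports each offending component, so the merge defect is caught at the producer rather than as an opaque downstream parse failure.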