This issue was moved to a discussion.

Support license names in License metadata #770

Closed
mykter opened this issue Aug 1, 2024 · 2 comments
Comments

mykter commented Aug 1, 2024

Is your feature request related to a problem? Please describe.

I think the fix to #692 led to a regression in our license detection experience. With the latest cyclonedx-python many of our dependencies now have licenses that look like this:

        {
          "license": {
            "name": "declared license of 'package'",
            "text": {
              "content": "MIT License",
              "contentType": "text/plain"
            }
          }
        }

My reading of #692 is that this is an issue with these packages not using this field correctly?

Describe the solution you'd like

Support libraries that use the field in this way, as there are a lot of them. Specifically, check if the declared license is a license name, and if it is, use it as the name (or better yet convert it to a license ID if it's an exact match).

Some example packages include: google, google-cloud, boto3, beautifulsoup4, pyarrow. There are many more.

Describe alternatives you've considered

Post-processing to make the same change on the sbom after cyclonedx-python has generated it.

@mykter mykter added the enhancement New feature or request label Aug 1, 2024
@jkowalleck jkowalleck removed the enhancement New feature or request label Aug 6, 2024
@jkowalleck (Member)

> My reading of #692 is that this is an issue with these packages not using this field correctly?

The current solution is exactly as it should be, per the Python packaging specs. See https://packaging.python.org/en/latest/specifications/core-metadata/#license

Python packages declare their license information. This might be a complete license text, or any information that is to be interpreted by lawyers, including calling out a specific license by SPDX License ID.
In contrast, some Classifiers/Troves are mapped to individual SPDX License IDs. In such cases, the declared license is explicit.

> Support libraries that use the field in this way, as there are a lot of them. Specifically, check if the declared license is a license name, and if it is, use it as the name (or better yet convert it to a license ID if it's an exact match).

How would a tool be able to legally alter the declared license in any way?
The current licenses are the actual ones stated by the python package.

See also:

@jkowalleck (Member)

Task for myself: have a reproducible example with boto3==1.34.154

They have the following PKG-INFO:

Metadata-Version: 2.1
Name: boto3
Version: 1.34.154
Summary: The AWS SDK for Python
Home-page: https://github.com/boto/boto3
Author: Amazon Web Services
License: Apache License 2.0
Project-URL: Documentation, https://boto3.amazonaws.com/v1/documentation/api/latest/index.html
Project-URL: Source, https://github.com/boto/boto3
Platform: UNKNOWN
Classifier: Development Status :: 5 - Production/Stable
Classifier: Intended Audience :: Developers
Classifier: Natural Language :: English
Classifier: License :: OSI Approved :: Apache Software License
Classifier: Programming Language :: Python
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3 :: Only
Classifier: Programming Language :: Python :: 3.8
Classifier: Programming Language :: Python :: 3.9
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Requires-Python: >= 3.8
Provides-Extra: crt
License-File: LICENSE
License-File: NOTICE

Remark:

  • they use an imprecise license classifier/trove,
  • they have a license name declared
    • which could be read as the well-known license "Apache 2.0"
    • which is not an SPDX ID -- which would be derived as Apache-2.0
  • they have license files declared and shipped.

@CycloneDX CycloneDX locked and limited conversation to collaborators Aug 6, 2024
@jkowalleck jkowalleck converted this issue into discussion #773 Aug 6, 2024
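The two comments above draw the line between metadata a tool may translate (a classifier that maps to exactly one SPDX ID) and metadata it must carry verbatim (the free-form License field), and the original post asks for an exact-name post-processing step on top. The following is an added example illustrating that distinction; it is not cyclonedx-python's code and was not posted by either participant. It parses the boto3 PKG-INFO quoted above with the standard library, emits entries in the JSON shape shown in the first comment, and applies the requested post-processing only when the declared text is exactly an SPDX full name. The function names (parse_metadata, derive_licenses, postprocess_exact_names), the classifier-to-SPDX table and the SPDX full-name table are assumptions: both tables are small hand-picked subsets, not the real lists, and the Apache Software License classifier is left out of the first table on purpose because it does not name a version.

```python
from email.parser import HeaderParser

# Constructed sample: the licensing-related lines of the boto3 PKG-INFO quoted
# in the thread above.
BOTO3_PKG_INFO = """\
Metadata-Version: 2.1
Name: boto3
Version: 1.34.154
License: Apache License 2.0
Classifier: License :: OSI Approved :: Apache Software License
Classifier: Programming Language :: Python :: 3
License-File: LICENSE
License-File: NOTICE
"""

# Assumed subset of trove classifiers that name exactly one SPDX license.
# "License :: OSI Approved :: Apache Software License" is deliberately absent:
# it does not say which Apache version, so no single SPDX ID follows from it.
PRECISE_CLASSIFIER_TO_SPDX = {
    "License :: OSI Approved :: MIT License": "MIT",
    "License :: OSI Approved :: ISC License (ISCL)": "ISC",
    "License :: OSI Approved :: Mozilla Public License 2.0 (MPL 2.0)": "MPL-2.0",
    "License :: OSI Approved :: GNU General Public License v3 (GPLv3)": "GPL-3.0-only",
}

# Assumed subset of the SPDX license list (full name -> ID), used only by the
# optional exact-match post-processing step requested in the issue.
SPDX_FULL_NAME_TO_ID = {
    "Apache License 2.0": "Apache-2.0",
    "MIT License": "MIT",
    "Mozilla Public License 2.0": "MPL-2.0",
    "ISC License": "ISC",
}


def parse_metadata(pkg_info: str) -> dict:
    """Parse the RFC 822-style PKG-INFO headers into the fields we need."""
    msg = HeaderParser().parsestr(pkg_info)
    return {
        "name": msg.get("Name"),
        "license": msg.get("License"),
        "classifiers": msg.get_all("Classifier") or [],
        "license_files": msg.get_all("License-File") or [],
    }


def derive_licenses(meta: dict) -> list:
    """Build CycloneDX-style license entries from parsed metadata.

    Classifiers with exactly one SPDX ID become `id` entries. The free-form
    License field is carried verbatim as declared text (the shape shown in the
    issue), because the tool cannot know whether that text is a name, an
    expression, or a whole license body. A literal "UNKNOWN" (old setuptools
    default, assumed here) is treated as no declaration at all.
    """
    entries = []
    for classifier in meta["classifiers"]:
        spdx_id = PRECISE_CLASSIFIER_TO_SPDX.get(classifier)
        if spdx_id:
            entries.append({"license": {"id": spdx_id}})
    declared = (meta["license"] or "").strip()
    if declared and declared.upper() != "UNKNOWN":
        entries.append({"license": {
            "name": f"declared license of '{meta['name']}'",
            "text": {"content": declared, "contentType": "text/plain"},
        }})
    return entries


def postprocess_exact_names(entries: list) -> list:
    """Optional SBOM post-processing: promote a declared-text entry to an SPDX
    `id` only when its content is exactly an SPDX full name. Anything else (an
    expression, a dual-license sentence, a full license body) is left as-is,
    so nothing is asserted that the package itself did not state.
    """
    out = []
    for entry in entries:
        lic = entry["license"]
        content = lic.get("text", {}).get("content") if "name" in lic else None
        spdx_id = SPDX_FULL_NAME_TO_ID.get(content) if content else None
        out.append({"license": {"id": spdx_id}} if spdx_id else entry)
    return out


if __name__ == "__main__":
    meta = parse_metadata(BOTO3_PKG_INFO)
    print(derive_licenses(meta))
    print(postprocess_exact_names(derive_licenses(meta)))
```

Run stand-alone, the script prints the declared-text entry for boto3 first and the promoted `Apache-2.0` entry second; for a package whose License field is an expression such as `MIT OR Apache-2.0`, the post-processing step leaves the entry untouched, which is the conservative behaviour the second comment argues for.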