A string like "BSD 3-Clause License or Apache License, Version 2.0" is split into "BSD 3-Clause License or Apache License" and "Version 2.0", which is incorrect. This issue relates to the second problem of the discussion.
2023-03-10T11:44:50.440+0900 WARN '--security-checks' is deprecated. Use '--scanners' instead.
2023-03-10T11:44:50.444+0900 DEBUG ["cyclonedx" "spdx" "spdx-json" "github"] automatically enables '--list-all-pkgs'.
2023-03-10T11:44:50.444+0900 DEBUG Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-03-10T11:44:50.448+0900 DEBUG cache dir: .../.cache/trivy
2023-03-10T11:44:50.448+0900 DEBUG There is no valid metadata file: unable to open a file: open .../.cache/trivy/db/metadata.json: no such file or directory
2023-03-10T11:44:50.448+0900 INFO Need to update DB
2023-03-10T11:44:50.448+0900 INFO DB Repository: ghcr.io/aquasecurity/trivy-db
2023-03-10T11:44:50.448+0900 INFO Downloading DB...
2023-03-10T11:44:50.448+0900 DEBUG no metadata file
35.94 MiB / 35.94 MiB [----------------------------------------------------------------------] 100.00% 7.10 MiB p/s 5.3s
2023-03-10T11:44:57.158+0900 DEBUG Updating database metadata...
2023-03-10T11:44:57.158+0900 DEBUG DB Schema: 2, UpdatedAt: 2023-03-10 00:13:33.078790601 +0000 UTC, NextUpdate: 2023-03-10 06:13:33.078790101 +0000 UTC, DownloadedAt: 2023-03-10 02:44:57.1583922 +0000 UTC
2023-03-10T11:44:57.158+0900 INFO Vulnerability scanning is enabled
2023-03-10T11:44:57.158+0900 DEBUG Vulnerability type: [os library]
2023-03-10T11:44:57.278+0900 DEBUG Saving the container image to a local file to obtain the image config...
2023-03-10T11:50:11.421+0900 DEBUG Image ID: ...
2023-03-10T11:50:11.424+0900 DEBUG Diff IDs: [...]
2023-03-10T11:50:11.425+0900 DEBUG Base Layers: [....]
2023-03-10T11:50:11.601+0900 INFO Detected OS: debian
2023-03-10T11:50:11.601+0900 INFO Detecting Debian vulnerabilities...
2023-03-10T11:50:11.601+0900 DEBUG debian: os version: 10
2023-03-10T11:50:11.601+0900 DEBUG debian: the number of packages: 463
2023-03-10T11:50:11.868+0900 INFO Number of language-specific files: 1
2023-03-10T11:50:11.869+0900 INFO Detecting python-pkg vulnerabilities...
2023-03-10T11:50:11.870+0900 DEBUG Detecting library vulnerabilities, type: python-pkg, path:
Output of trivy -v:
2023-03-10T11:52:10.011+0900 WARN '--security-checks' is deprecated. Use '--scanners' instead.
2023-03-10T11:52:10.021+0900 INFO Vulnerability scanning is enabled
2023-03-10T11:57:16.014+0900 INFO Detected OS: debian
2023-03-10T11:57:16.016+0900 INFO Detecting Debian vulnerabilities...
2023-03-10T11:57:16.250+0900 INFO Number of language-specific files: 1
2023-03-10T11:57:16.251+0900 INFO Detecting python-pkg vulnerabilities...
Discussed in #4261
Originally posted by 2020-ks March 10, 2023
Description
I created an SBOM with CycloneDX using Trivy:
The creation succeeded, but I noticed that the license information of several components is missing or incorrect.
What did you expect to happen?
All detected components have license information.
What happened instead?
1. Missing
At least the license information of the following components is missing:
networkx, zipp, filelock, typer, iniconfig, packaging, tomli, typing_extensions, importlib-metadata, idna
2. Incorrect
In addition, the following license information is incorrect:
uritemplate
"licenses": [
  {
    "expression": "BSD 3-Clause License or Apache License"
  },
  {
    "expression": "Version 2.0"
  }
]
Output of run with --debug:
Output of trivy -v:
Additional details (base image name, container registry info...):
I attach the SBOM of the components with problems:
pip_sboms_with_problem.txt
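The split described in this issue, as an added illustration in Go (this is example code, not Trivy's own implementation): naiveSplit reproduces the comma split that yields the two expressions shown above, and splitLicenses re-attaches continuation fragments such as "Version 2.0" to the license they belong to, using a heuristic assumed for this example.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// naiveSplit reproduces the behaviour reported in this issue: the license field
// is cut at every comma, so "Apache License, Version 2.0" becomes two entries.
func naiveSplit(field string) []string {
	var out []string
	for _, part := range strings.Split(field, ",") {
		if p := strings.TrimSpace(part); p != "" {
			out = append(out, p)
		}
	}
	return out
}

// isContinuation reports whether a comma-separated fragment is the tail of the
// previous license ("Version 2.0", "v3 or later", "2.0") rather than a license
// of its own. The heuristic is an assumption made for this example.
func isContinuation(frag string) bool {
	lower := strings.ToLower(frag)
	rest := strings.TrimPrefix(lower, "v") // "v2" and "2.0" both start with a digit now
	return strings.HasPrefix(lower, "version") ||
		(rest != "" && unicode.IsDigit(rune(rest[0])))
}

// splitLicenses splits a multi-license field on commas but glues continuation
// fragments back onto the license they belong to.
func splitLicenses(field string) []string {
	var out []string
	for _, p := range naiveSplit(field) {
		if len(out) > 0 && isContinuation(p) {
			out[len(out)-1] += ", " + p
			continue
		}
		out = append(out, p)
	}
	return out
}

func main() {
	field := "BSD 3-Clause License or Apache License, Version 2.0" // value from the issue
	fmt.Printf("naive: %q\n", naiveSplit(field))
	fmt.Printf("fixed: %q\n", splitLicenses(field))
}
```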