
[BUG] SBOM generation for SPDX generates invalid format for licenses - Invalid type. Expected: string, given: object #6966

Closed
@jamietanna

Description

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

The generated SPDX SBOM cannot be parsed by tools, as it generates incorrectly structured JSON.

Expected Behavior

An SPDX v2.3 SBOM generated from a repository can be parsed correctly.

Steps To Reproduce

  1. Clone https://gitlab.com/tanna.dev/renovate-graph
  2. Run npm sbom --sbom-format spdx > spdx.json
  3. Run through an SPDX validator i.e. go run github.com/CycloneDX/sbom-utility@latest validate --input-file spdx.json

renovate-graph.spdx.json

Environment

  • npm: 10.2.3
  • Node.js: v18.17.1
  • OS Name: Linux
  • System Model Name:
  • npm config:
; "user" config from /home/jamie/.npmrc

//registry.npmjs.org/:_authToken = (protected) 

; node bin location = /usr/bin/node
; node version = v18.17.1
; npm local prefix = /home/jamie/workspaces/renovate-graph
; npm version = 10.2.3
; cwd = /home/jamie/workspaces/renovate-graph
; HOME = /home/jamie
; Run `npm config ls -l` to show all defaults.
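A quick pre-ingestion check for the failure mode this issue describes, added here as an example and not part of the issue or of npm's code: it loads an SPDX 2.3 JSON document and reports every package license field whose JSON type is not a string. The sample document is constructed (it is not the attached renovate-graph.spdx.json); the sbom-utility validator in step 3 remains the authoritative schema check.

```python
import json
import sys
from typing import Any

# SPDX 2.3 package license fields must be strings: an SPDX license
# expression, "NOASSERTION" or "NONE". Any other JSON type fails the
# schema with "Expected: string, given: <type>".
LICENSE_FIELDS = ("licenseConcluded", "licenseDeclared")


def find_bad_license_fields(sbom: dict) -> list:
    """Return (SPDXID, field, json_type) for each package license field
    that is not a string. An empty list means these fields are well typed."""
    findings = []
    for pkg in sbom.get("packages", []):
        for field in LICENSE_FIELDS:
            value = pkg.get(field)
            if field in pkg and not isinstance(value, str):
                spdx_id = pkg.get("SPDXID", "<missing SPDXID>")
                findings.append((spdx_id, field, type(value).__name__))
    return findings


def check_sbom_text(text: str) -> list:
    """Parse an SPDX JSON document from text and run the type check."""
    return find_bad_license_fields(json.loads(text))


# Constructed sample: one well-formed package and one whose declared
# license is an object rather than a string (the shape the issue reports).
SAMPLE_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "packages": [
        {"SPDXID": "SPDXRef-Package-a", "name": "a", "versionInfo": "1.0.0",
         "licenseConcluded": "MIT", "licenseDeclared": "MIT"},
        {"SPDXID": "SPDXRef-Package-b", "name": "b", "versionInfo": "2.0.0",
         "licenseConcluded": "NOASSERTION",
         "licenseDeclared": {"type": "ISC", "url": "https://example.invalid/LICENSE"}},
    ],
})

if __name__ == "__main__":
    # Pass a path (e.g. the spdx.json from step 2) to check a real file;
    # with no argument the constructed sample is checked instead.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SPDX
    for spdx_id, field, json_type in check_sbom_text(text):
        print(f"{spdx_id}: {field} is {json_type}, expected string")
```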
