
JSON and XML schemas differ for licenses #204

Closed
madpah opened this issue Apr 3, 2023 · 2 comments · Fixed by #205

Comments

@madpah

madpah commented Apr 3, 2023

As noted in CycloneDX/cyclonedx-python-lib#365, there is a discrepancy between JSON and XML schemas for CycloneDX v1.4 with how licenses are defined.

JSON
licenses is an Array of either expression or license - i.e. 0 or more expression or 0 or more license (see here)

XML
licenses is a complex type defined as either 0 or more license OR 0 or 1 expression (see here)

@jkowalleck
Member

jkowalleck commented Apr 3, 2023

@pombredanne taught me that a license list's order is important, and that a license list is not an "any of these" choice but has other juridical implications.
So I understood that an SPDX license expression is superior, as it knows "AND"/"OR" logic and exclusions.

This gave me the impression that there should be EITHER an expression OR a list of licenses.
So I see the XML as the definition of my desire. So I'd propose to "fix" the JSON.

To "fix" the JSON, we would define licenses as a choice of

  • Array of 0 to n license items
  • Array of exactly one expression element

I'll draft a change request soon, to showcase the solution, so we could discuss the implications.

PS: proposed fix: #205
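The difference between the current v1.4 JSON rule and the proposed choice rule, as an added illustration that is not part of this thread or of the CycloneDX project: both checkers below are hypothetical approximations of the two rules, and the sample `licenses` arrays are constructed.

```python
"""Compare the v1.4 JSON 'licenses' rule with the proposed choice rule.

Assumed (hypothetical, not the project's own code):
- v1.4: any array of items, each carrying exactly one of 'license'/'expression'.
- proposed: EITHER 0..n 'license' items OR exactly one 'expression' item.
"""
from typing import Any, Dict, List, Optional, Tuple


def _item_kind(item: Any) -> Optional[str]:
    """Return 'license' or 'expression' for a well-formed item, else None."""
    if not isinstance(item, dict):
        return None
    keys = set(item) & {"license", "expression"}
    return keys.pop() if len(keys) == 1 else None


def v14_accepts(licenses: List[Any]) -> bool:
    """Approximation of the v1.4 JSON schema: items may be mixed freely."""
    return all(_item_kind(i) is not None for i in licenses)


def proposed_accepts(licenses: List[Any]) -> bool:
    """Approximation of the proposed rule: all-license, or a single expression."""
    kinds = [_item_kind(i) for i in licenses]
    if None in kinds:
        return False
    if all(k == "license" for k in kinds):  # includes the empty array
        return True
    return kinds == ["expression"]


# Constructed sample 'licenses' arrays (not taken from any real SBOM).
SAMPLES: Dict[str, List[Any]] = {
    "two_license_items": [{"license": {"id": "MIT"}}, {"license": {"id": "Apache-2.0"}}],
    "single_expression": [{"expression": "MIT OR Apache-2.0"}],
    "mixed": [{"license": {"id": "MIT"}}, {"expression": "Apache-2.0"}],
    "two_expressions": [{"expression": "MIT"}, {"expression": "Apache-2.0"}],
    "empty": [],
}


def compare() -> Dict[str, Tuple[bool, bool]]:
    """Map each sample name to (accepted by v1.4, accepted by proposal)."""
    return {name: (v14_accepts(v), proposed_accepts(v)) for name, v in SAMPLES.items()}


if __name__ == "__main__":
    for name, (old, new) in compare().items():
        print(f"{name:18s} v1.4={old!s:5s} proposed={new}")
```

The "mixed" and "two_expressions" rows are the documents the v1.4 JSON schema accepts but the XML schema (and the proposal) reject, which is exactly the discrepancy the issue reports.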

@jkowalleck
Member

I will close this issue, as it will be fixed in upcoming v1.5 -- see #205
