
Handle Invalid SPDX expressions #238

Closed
@amy-keibler

Description

While migrating cargo-cyclonedx to use the cyclonedx-bom library, we discovered that several Rust libraries have data in the `license` field of the Cargo.toml that is not a valid SPDX expression. The Cargo documentation for the field indicates that crates.io will interpret the field as an SPDX expression. From reading their source code, they accept a `/` character as OR, even though that is not strict adherence to the specification.

Additionally, since the SPDX requirement is for packages published to crates.io, it is possible to use the license field in a different way when publishing to a private registry.

Acceptance Criteria

  • Fall back to lenient parsing to interpret `/` as OR (and also the GPL `+` setting, for consistency with the Rust ecosystem)
    • Add logging so we can inform the user that we interpreted the license expression on their behalf
    • Convert the license to a valid form so that other tools can parse it without issue
  • If it is not parseable as an SPDX expression, fall back to creating it as a named license
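The fallback chain in the acceptance criteria above, as an added example (not cargo-cyclonedx or cyclonedx-bom code): a small recursive-descent parser that accepts `/` as OR and the deprecated `GPL-2.0+` spelling, records a note for every lenient interpretation so the caller can log it, renders a canonical SPDX expression, and returns a named-license outcome when the field cannot be parsed at all. `KNOWN_IDS`, `PLUS_ALIASES` and `EXCEPTIONS` are constructed subsets for illustration; a real implementation would validate against the full SPDX license and exception lists (the `spdx` crate, which the Rust ecosystem commonly uses for this, also offers a lax parse mode that accepts `/` and `+`).

```rust
// Added example: lenient SPDX handling for Cargo `license` fields.
// The identifier tables below are a constructed subset, not the SPDX list.
const KNOWN_IDS: &[&str] = &[
    "MIT", "Apache-2.0", "BSD-3-Clause", "ISC", "MPL-2.0", "Unlicense", "Zlib",
    "GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only", "GPL-3.0-or-later",
    "LGPL-2.1-only", "LGPL-2.1-or-later",
];
const EXCEPTIONS: &[&str] = &["LLVM-exception", "Classpath-exception-2.0"];
// Deprecated `+` spellings seen in Cargo.toml, mapped to current identifiers.
const PLUS_ALIASES: &[(&str, &str)] = &[
    ("GPL-2.0+", "GPL-2.0-or-later"),
    ("GPL-3.0+", "GPL-3.0-or-later"),
    ("LGPL-2.1+", "LGPL-2.1-or-later"),
];

#[derive(Debug, PartialEq, Eq)]
pub enum LicenseOutcome {
    /// Already a valid SPDX expression; emit as-is (whitespace canonicalized).
    Expression(String),
    /// Accepted leniently and rewritten; `notes` is what to log for the user.
    Normalized { expression: String, notes: Vec<String> },
    /// Not parseable as SPDX at all; emit as a named license instead.
    Named(String),
}

/// Split on whitespace, and treat `(`, `)` and `/` as their own tokens.
fn tokenize(input: &str) -> Vec<String> {
    let mut tokens = Vec::new();
    let mut cur = String::new();
    for c in input.chars() {
        match c {
            '(' | ')' | '/' => {
                if !cur.is_empty() { tokens.push(std::mem::take(&mut cur)); }
                tokens.push(c.to_string());
            }
            c if c.is_whitespace() => {
                if !cur.is_empty() { tokens.push(std::mem::take(&mut cur)); }
            }
            c => cur.push(c),
        }
    }
    if !cur.is_empty() { tokens.push(cur); }
    tokens
}

struct Parser<'a> { toks: &'a [String], pos: usize, out: Vec<String>, notes: Vec<String> }

impl<'a> Parser<'a> {
    fn peek(&self) -> Option<&'a str> {
        let toks: &'a [String] = self.toks;
        toks.get(self.pos).map(String::as_str)
    }
    fn next(&mut self) -> Option<&'a str> {
        let t = self.peek();
        if t.is_some() { self.pos += 1; }
        t
    }
    /// expression := operand (("AND" | "OR" | "/") operand)*
    fn expression(&mut self) -> Result<(), String> {
        self.operand()?;
        while let Some(tok) = self.peek() {
            let op = match tok {
                "AND" | "OR" => tok.to_string(),
                "and" | "or" => { self.notes.push(format!("uppercased operator `{tok}`")); tok.to_uppercase() }
                "/" => { self.notes.push("interpreted `/` as OR".to_string()); "OR".to_string() }
                ")" => break,
                other => return Err(format!("unexpected token `{other}`")),
            };
            self.pos += 1;
            self.out.push(op);
            self.operand()?;
        }
        Ok(())
    }
    /// operand := "(" expression ")" | id ("WITH" exception)?
    fn operand(&mut self) -> Result<(), String> {
        match self.next() {
            Some("(") => {
                self.out.push("(".to_string());
                self.expression()?;
                if self.next() != Some(")") { return Err("missing `)`".to_string()); }
                self.out.push(")".to_string());
            }
            Some(id) => {
                let id = self.license_id(id)?;
                self.out.push(id);
                if self.peek() == Some("WITH") {
                    self.pos += 1;
                    let exc = self.next().ok_or("missing exception after WITH")?;
                    if !EXCEPTIONS.contains(&exc) { return Err(format!("unknown exception `{exc}`")); }
                    self.out.push("WITH".to_string());
                    self.out.push(exc.to_string());
                }
            }
            None => return Err("expected a license identifier".to_string()),
        }
        Ok(())
    }
    fn license_id(&mut self, id: &str) -> Result<String, String> {
        if KNOWN_IDS.contains(&id) { return Ok(id.to_string()); }
        if let Some((_, canonical)) = PLUS_ALIASES.iter().find(|(alias, _)| *alias == id) {
            self.notes.push(format!("rewrote `{id}` as `{canonical}`"));
            return Ok(canonical.to_string());
        }
        Err(format!("unknown license identifier `{id}`"))
    }
}

/// Join tokens with single spaces, keeping parentheses tight to their contents.
fn render(tokens: &[String]) -> String {
    let mut s = String::new();
    for t in tokens {
        if !s.is_empty() && t != ")" && !s.ends_with('(') { s.push(' '); }
        s.push_str(t);
    }
    s
}

/// Strict-valid -> Expression; lenient fixes applied -> Normalized (with notes to log);
/// anything else -> Named, so the SBOM still carries the raw field.
pub fn interpret_license(field: &str) -> LicenseOutcome {
    let toks = tokenize(field);
    let mut p = Parser { toks: &toks, pos: 0, out: Vec::new(), notes: Vec::new() };
    if p.expression().is_err() || p.pos != toks.len() {
        return LicenseOutcome::Named(field.to_string());
    }
    let expression = render(&p.out);
    if p.notes.is_empty() { LicenseOutcome::Expression(expression) }
    else { LicenseOutcome::Normalized { expression, notes: p.notes } }
}

fn main() {
    // Constructed sample fields of the kind seen in Cargo.toml files.
    for field in ["MIT/Apache-2.0", "GPL-2.0+", "(MIT OR Apache-2.0) AND BSD-3-Clause", "Proprietary (see LICENSE)"] {
        println!("{field:?} -> {:?}", interpret_license(field));
    }
}
```

The notes vector is what the logging requirement wants: each entry names one lenient interpretation, so the user can be told exactly what was rewritten, while the rendered expression is what goes into the BOM so downstream tools see strictly valid SPDX.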

Labels

cargo-cyclonedx: Issues related to the Cargo SBOM generation application
