fix(sbom): handle SPDX expression licenses in extract_licenses (#1898)

CycloneDX allows licenses as either {"license": {"id": "..."}} or
{"expression": "MIT OR Apache-2.0"}. The expression form was silently
dropped, producing an empty license field in the CSV output.

Author: mesutoezdil

deploy/sbom/sbom_to_csv.py

@@ -23,8 +23,11 @@ def extract_licenses(component: dict) -> str:
     licenses = component.get("licenses", [])
     ids = []
     for entry in licenses:
-        lic = entry.get("license", {})
-        ids.append(lic.get("id") or lic.get("name", ""))
+        if "expression" in entry:
+            ids.append(entry["expression"])
+        else:
+            lic = entry.get("license", {})
+            ids.append(lic.get("id") or lic.get("name", ""))
     return " | ".join(filter(None, ids))