Unknown license and download location information should be NOASSERTION instead of NONE in SPDX

[goneall]

Description

Per the spec - NONE should be used if there is a conclusion that no license or download location exists. In the case of missing metadata, NOASSERTION should be used since their very well could be a license or download location even though that information is not present in the metadata.

Example spec reference to the package concluded license.

Desired Behavior

When creating an SBOM with --format spdx-json, any data which is not present in the package metadata should have a value of NOASSERTION.

Actual Behavior

When creating an SBOM with --format spdx-json, any data which is not present in the package metadata a value of NONE. Is found.

Reproduction Steps

1. `trivy repo --scanners license --format spdx-json https://github.com/spdx/tools-golang`
1. Find the package named `github.com/davecgh/go-spew`
1. Produced: `"licenseConcluded": "NONE"` - expected `"licenseConcluded": "NOASSERTION"`

Target

None

Scanner

License

Output Format

SPDX

Mode

Standalone

Debug Output

2024-08-26T14:59:20-07:00       DEBUG   Cache dir       dir="C:\\Users\\gary\\AppData\\Local\\trivy"
2024-08-26T14:59:20-07:00       DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-08-26T14:59:20-07:00       DEBUG   Ignore statuses statuses=[]
2024-08-26T14:59:20-07:00       DEBUG   [pkg] Package types     types=[library]
2024-08-26T14:59:20-07:00       DEBUG   [pkg] Package relationships     relationships=[unknown root direct indirect]
2024-08-26T14:59:20-07:00       INFO    [license] License scanning is enabled
2024-08-26T14:59:20-07:00       DEBUG   Enabling misconfiguration scanners      scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-08-26T14:59:20-07:00       DEBUG   Initializing scan cache...      type="memory"
2024-08-26T14:59:22-07:00       DEBUG   Skipping path   path=".git"
2024-08-26T14:59:22-07:00       DEBUG   Loading the default license classifier...
2024-08-26T14:59:23-07:00       DEBUG   [golang] Unable to identify dependencies as it doesn't support Go modules     module="github.com/spdx/tools-golang"
2024-08-26T14:59:23-07:00       DEBUG   [golang] Unable to identify dependencies as it doesn't support Go modules     module="github.com/spdx/[email protected]"
2024-08-26T14:59:23-07:00       DEBUG   [golang] Unable to identify dependencies as it doesn't support Go modules     module="github.com/davecgh/[email protected]"
2024-08-26T14:59:23-07:00       DEBUG   [golang] Unable to identify dependencies as it doesn't support Go modules     module="github.com/pmezard/[email protected]"
2024-08-26T14:59:23-07:00       DEBUG   [golang] Unable to identify dependencies as it doesn't support Go modules     module="gopkg.in/[email protected]"
2024-08-26T14:59:23-07:00       DEBUG   OS is not detected.
2024-08-26T14:59:23-07:00       INFO    Number of language-specific files       num=1
2024-08-26T14:59:23-07:00       DEBUG   [vex] VEX filtering is disabled

### Operating System

Windows 11

### Version

```bash
dev (running source from the commit tag `v0.54.1`

Checklist

• Run trivy clean --all
• Read the troubleshooting

[DmitriyLewen]

Hello @goneall
Thanks for your help!

Created #7402

Regards, Dmitriy