CycloneDX / cyclonedx-go

Go library to consume and produce CycloneDX Software Bill of Materials (SBOM)

Home Page: https://cyclonedx.org/

Receive incorrect licence information.

aharal opened this issue · comments

bom.1.2.json

I tried using this tool to decode the attached SBOM file; however, it gave me incorrect licence information.
"licenses": [ { "license": { "id": "MIT" }, "license": { "name": "BSD-3-Clause" }, "license": { "id": "0BSD" }, "license": { "name": "WTFPL" }, "license": { "id": "CC0-1.0" } } ],

I anticipated receiving 5 licences again for this licence block, but it only returned one.

@jkowalleck This BOM seems to have been generated by the Composer module. This looks invalid to me:

"licenses": [
    {
        "license": {
            "id": "MIT"
        },
        "license": {
            "name": "BSD-3-Clause"
        },
        "license": {
            "id": "0BSD"
        },
        "license": {
            "name": "WTFPL"
        },
        "license": {
            "id": "CC0-1.0"
        }
    }
],

Duplicate keys (license) in JSON objects are ambiguous, and cyclonedx-go cannot know which one is the correct one. In any case I'd argue that cyclonedx-go behaves as expected in only returning a single license, given this input.

@aharal HOW did you generate this json file?
Could you provide a reproducible setup or step-by-step instructions?

PS: here is the expected data set: https://github.com/CycloneDX/cyclonedx-php-composer/blob/master/demo/laravel-7.12.0/results/bom.1.2.json#L27-L40
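As an added example (not part of this issue or of cyclonedx-go), a small check built on encoding/json's token stream that flags repeated keys such as the five "license" keys above before the decoded licence data is trusted; the reportedLicenses sample is constructed here from the excerpt in the report.

```go
package main

import (
	"encoding/json"
	"io"
	"strings"
)

// Constructed sample: the "licenses" array from the report, five "license" keys in one object.
const reportedLicenses = `[{"license":{"id":"MIT"},"license":{"name":"BSD-3-Clause"},
"license":{"id":"0BSD"},"license":{"name":"WTFPL"},"license":{"id":"CC0-1.0"}}]`

// duplicateKeys returns every key that repeats within one JSON object. encoding/json
// accepts such input and lets the later value overwrite the earlier, so 5 become 1.
func duplicateKeys(doc string) ([]string, error) {
	dec := json.NewDecoder(strings.NewReader(doc))
	var seen []map[string]bool // one entry per open container; nil marks an array
	var expectKey []bool       // per container: is the next token an object key?
	var dups []string
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return dups, nil
		}
		if err != nil {
			return nil, err
		}
		n := len(seen)
		if key, ok := tok.(string); ok && n > 0 && seen[n-1] != nil && expectKey[n-1] {
			if seen[n-1][key] {
				dups = append(dups, key)
			}
			seen[n-1][key], expectKey[n-1] = true, false
			continue
		}
		switch d, _ := tok.(json.Delim); d {
		case '{':
			seen, expectKey = append(seen, map[string]bool{}), append(expectKey, true)
			continue
		case '[':
			seen, expectKey = append(seen, nil), append(expectKey, false)
			continue
		case '}', ']':
			seen, expectKey = seen[:n-1], expectKey[:n-1]
		}
		// A value (scalar or closed container) ended; inside an object a key comes next.
		if m := len(seen); m > 0 && seen[m-1] != nil {
			expectKey[m-1] = true
		}
	}
}
```

For the reported array the function returns "license" four times (the second to fifth occurrence), while the schema-conformant form of one object per array element returns nothing.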

Closing as the SBOM has been modified manually and is now invalid. Thanks @jkowalleck for confirming.

@aharal, have a look at the schema documentation for how multiple licenses may be provided: https://cyclonedx.org/docs/1.2/json/#components_items_licenses_items_license

Thank you for the clarification.