licenses: allow mix of multiple SPDX expressions AND multiple named/spdx licenses #454

Open
jkowalleck opened this issue Apr 29, 2024 · 0 comments
jkowalleck commented Apr 29, 2024

current situation (CDX 1.6):

  • it is allowed to have EITHER one spdx license expression OR multiple named/spdx licenses. see spec
  • each license (expression/named/spdx) can have an acknowledgement - none or "declared" or "concluded". see spec

problem

the current situation does not allow the following:

  • situation A: multiple declared license ids (like in python license trove-classifiers) and one concluded expression
    • Declared spdx license id "MIT" - as set in the project manifest
    • Declared spdx license id "PostgreSQL" - as set in the project manifest
    • Declared named license "Apache Software License" - as set in the project manifest
    • License evidence from the README file: "chose the license that applies best to you: PostgreSql or MIT or Apache2"
    • Concluded spdx license expression "(MIT OR PostgreSQL OR Apache-2.0)"
  • situation B: declared expression and concluded expression
    • Declared spdx expression "MIT OR (GPL-3.0 OR GPL-2.0)"
    • Concluded spdx expression "(GPL-3.0 OR LGPL-2.0)" - after some lawyer checked for actual applied situation (this is just an example for spec reasons, this is not a real-world law case!)
  • situation C: declared expression and concluded spdx id
    • Declared spdx expression "GPL-3.0+ OR GPL-2.0"
    • Concluded spdx id "GPL-2.0+" - after some lawyer checked for actual applied situation (this is just an example for spec reasons, this is not a real-world law case!)

request

allow the following:

  • multiple SPDX expressions at the same time
  • allow mix of SPDX expression and other licenses at the same time
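The three situations above can be checked mechanically against the CDX 1.6 rule the issue describes. The following is an added example, written for this page and not code from the CycloneDX project; it paraphrases the rule as stated in the issue (one SPDX expression, or any number of named/SPDX-id licenses, never both, and an optional acknowledgement of "declared" or "concluded") and assumes the 1.6 JSON layout in which a named license carries its acknowledgement inside the `license` object while an expression carries it on the array item. The function names and the constructed sample arrays are mine.

```python
"""Check a CycloneDX 1.6 `licenses` array against the "one expression OR many
named/SPDX-id licenses" rule. Added example for this issue page; not CycloneDX
project code. Function names and sample data are the example's own."""

from typing import Any

# Acknowledgement values CDX 1.6 allows, as listed in the issue: "declared" or "concluded".
ACKNOWLEDGEMENTS = {"declared", "concluded"}


def _acknowledgement(item: dict[str, Any]) -> Any:
    # Assumption about the 1.6 JSON layout: a named/SPDX-id license keeps its
    # acknowledgement inside the "license" object, an expression item keeps it
    # beside "expression" on the array item itself.
    if "license" in item:
        return item["license"].get("acknowledgement")
    return item.get("acknowledgement")


def license_choice_errors(licenses: list[dict[str, Any]]) -> list[str]:
    """Return every violation of the 1.6 `licenses` rule; an empty list means accepted."""
    errors: list[str] = []
    expressions = [i for i in licenses if "expression" in i]
    named = [i for i in licenses if "license" in i]

    for item in licenses:
        # An item is either {"expression": ...} or {"license": {...}}, never both or neither.
        if ("expression" in item) == ("license" in item):
            errors.append(f"item must carry exactly one of 'expression' or 'license': {item!r}")
            continue
        ack = _acknowledgement(item)
        if ack is not None and ack not in ACKNOWLEDGEMENTS:
            errors.append(f"acknowledgement must be one of {sorted(ACKNOWLEDGEMENTS)}, got {ack!r}")

    for item in named:
        lic = item["license"]
        # A license object identifies itself by an SPDX id or by a free-form name, not both.
        if ("id" in lic) == ("name" in lic):
            errors.append(f"license object needs exactly one of 'id' or 'name': {lic!r}")

    # The rule this issue is about: one expression XOR any number of license objects.
    if expressions and named:
        errors.append("mixing an SPDX expression with named/SPDX-id licenses is not allowed in CDX 1.6")
    elif len(expressions) > 1:
        errors.append(f"only one SPDX expression is allowed in CDX 1.6, found {len(expressions)}")
    return errors


# Constructed sample arrays mirroring situations A, B and C from the issue.
SITUATION_A = [
    {"license": {"id": "MIT", "acknowledgement": "declared"}},
    {"license": {"id": "PostgreSQL", "acknowledgement": "declared"}},
    {"license": {"name": "Apache Software License", "acknowledgement": "declared"}},
    {"expression": "(MIT OR PostgreSQL OR Apache-2.0)", "acknowledgement": "concluded"},
]
SITUATION_B = [
    {"expression": "MIT OR (GPL-3.0 OR GPL-2.0)", "acknowledgement": "declared"},
    {"expression": "(GPL-3.0 OR LGPL-2.0)", "acknowledgement": "concluded"},
]
SITUATION_C = [
    {"expression": "GPL-3.0+ OR GPL-2.0", "acknowledgement": "declared"},
    {"license": {"id": "GPL-2.0+", "acknowledgement": "concluded"}},
]
# What 1.6 does accept: several license objects, each with its own acknowledgement.
ALLOWED_TODAY = [
    {"license": {"id": "MIT", "acknowledgement": "declared"}},
    {"license": {"name": "Apache Software License", "acknowledgement": "declared"}},
]


def check_issue_situations() -> dict[str, list[str]]:
    """Run the rule over the three situations; every one is rejected under 1.6."""
    return {
        "A": license_choice_errors(SITUATION_A),
        "B": license_choice_errors(SITUATION_B),
        "C": license_choice_errors(SITUATION_C),
    }


if __name__ == "__main__":
    print("allowed today:", license_choice_errors(ALLOWED_TODAY))
    for name, errs in check_issue_situations().items():
        print(f"situation {name}:", errs)
```

Running it shows that the currently allowed array passes cleanly while A and C are rejected for mixing an expression with license objects and B for carrying two expressions, which is exactly the gap the request asks to close.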