Plugin does not gracefully handle present, but empty license data #382

Closed
rmartine-ias opened this issue Jun 29, 2023 · 2 comments

@rmartine-ias

rmartine-ias commented Jun 29, 2023

So I know this is a bit of an edge case. We generate BOMs with this plugin (version 2.7.9), merge them with cyclonedx-cli, and a third-party service validates them. For some dependencies, we're using an older version that does not specify the license correctly. Validation fails. Here is one of the offending dependencies, at the offending version: https://github.com/aliyun/aliyun-openapi-java-sdk/blob/5f06fdae064c6f87fc9494894a8ef849557f99c8/aliyun-java-sdk-ram/pom.xml#L41

Their pom.xml looks like this:

  <licenses>
    <license>
      <name/>
      <url/>
      <distribution/>
    </license>
  </licenses>

Which this plugin generates to:

      "licenses" : [
        {
          "license" : {
            "name" : ""
          }
        }
      ],

Which, while technically valid per the spec, is not what I would expect, and causes problems with other tools.

A low-impact fix could be something like "if no fields on the license are specified, or all specified fields are empty, then treat the license as if it does not exist." Then this plugin would output this for the dependency: "licenses" : [] and everything would work out.
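The rule proposed above, written out as an added example that is not code from cyclonedx-maven-plugin or from any of the commenters. `PomLicense` is a stand-in for the Maven model's license class (its field names are an assumption), and the sample entries are constructed. Only `name` and `url` decide emptiness here, because those are the fields that map onto a CycloneDX license entry; `distribution` has no CycloneDX counterpart, so an entry carrying only that field still produces nothing useful and is dropped:

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/**
 * Added example: drop license entries whose identifying fields are all
 * absent or blank, so the BOM ends up with "licenses": [] instead of an
 * entry like {"license": {"name": ""}}.
 */
public class EmptyLicenseFilter {

    /** Minimal stand-in for the Maven model's License (assumed shape, not the real class). */
    static final class PomLicense {
        final String name;
        final String url;
        final String distribution;

        PomLicense(String name, String url, String distribution) {
            this.name = name;
            this.url = url;
            this.distribution = distribution;
        }

        @Override
        public String toString() {
            return "PomLicense{name=" + name + ", url=" + url
                    + ", distribution=" + distribution + "}";
        }
    }

    /** A field is unspecified when it is missing (null) or blank: <name/> parses to "". */
    static boolean isBlank(String value) {
        return value == null || value.trim().isEmpty();
    }

    /**
     * True when neither field that CycloneDX can represent (name, url) carries
     * a value. distribution is ignored on purpose: it has no CycloneDX mapping.
     */
    static boolean isEffectivelyEmpty(PomLicense license) {
        return isBlank(license.name) && isBlank(license.url);
    }

    /** Returns only the entries worth converting into CycloneDX license objects. */
    static List<PomLicense> dropEmptyLicenses(List<PomLicense> licenses) {
        List<PomLicense> kept = new ArrayList<>();
        for (PomLicense license : licenses) {
            if (!isEffectivelyEmpty(license)) {
                kept.add(license);
            }
        }
        return kept;
    }

    public static void main(String[] args) {
        // Constructed sample input: the <name/><url/><distribution/> case from the
        // issue, a whitespace-only name, a distribution-only entry, and a real license.
        List<PomLicense> fromPom = Arrays.asList(
                new PomLicense("", "", ""),
                new PomLicense("   ", null, null),
                new PomLicense(null, null, "repo"),
                new PomLicense("Apache-2.0", "https://www.apache.org/licenses/LICENSE-2.0", "repo"));

        List<PomLicense> kept = dropEmptyLicenses(fromPom);
        // Expected: only the Apache-2.0 entry survives.
        System.out.println("kept " + kept.size() + " of " + fromPom.size() + " license entries");
        for (PomLicense license : kept) {
            System.out.println(license);
        }
    }
}
```

Trimming before the emptiness test matters: a `<name> </name>` element would otherwise survive the check and still yield a useless `"name": " "` in the BOM.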

@hboutemy
Contributor

detecting such empty data to better represent it at CycloneDX level looks reasonable

target would probably be https://github.com/CycloneDX/cyclonedx-maven-plugin/blob/master/src/main/java/org/cyclonedx/maven/DefaultModelConverter.java#L212

anyone to try to help and code this, please?

fupgang added a commit to fupgang/cyclonedx-maven-plugin that referenced this issue Oct 30, 2024
License information with empty name and url (in pom.xml) are ignored.

Signed-off-by: fupgang <75629871+fupgang@users.noreply.github.com>
@fupgang
Contributor

fupgang commented Oct 30, 2024

Just provided PR #573 to fix this.

This issue bothered us using the openapi-generator.
One can produce a pom.xml with incomplete license information using it; see its template:

https://github.com/OpenAPITools/openapi-generator/blob/e9ea12f25a17f1b307b7400d00cf5b643440ad1e/modules/openapi-generator/src/main/resources/Java/pom.mustache#L24-L30
