What happened:
When using syft to create an SBOM containing the npm package https://www.npmjs.com/package/type-fest, the license entry contains one entry instead of two. Furthermore, the value and spdxExpression for this license entry are both licenses concatenated with OR. This makes displaying the values and spdxExpression harder.
SBOM output:
"licenses": [
  {
    "value": "(MIT OR CC0-1.0)",
    "spdxExpression": "(MIT OR CC0-1.0)",
    "type": "declared",
    "urls": [],
    "locations": [
      {
        "path": "/package-lock.json",
        "accessPath": "/package-lock.json",
        "annotations": {
          "evidence": "primary"
        }
      }
    ]
  }
What you expected to happen:
I would expect two license entries, each containing one license, in this case MIT and CC0-1.0.
Steps to reproduce the issue:
syft scan . -o json=syft.sbom.json --select-catalogers "+sbom-cataloger"
Anything else we need to know?:
Environment:
syft version: syft 1.16.0
cat /etc/os-release (or similar): System Version: macOS 15.1 (24B83), Kernel Version: Darwin 24.1.0
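Added example, not part of the issue or of syft's own code: a consumer-side way to list the individual license identifiers from an entry like the one reported above, keeping the full expression next to each identifier so the OR/AND relationship stays visible. It also handles `AND`, `WITH` and nested parentheses; the `artifacts`/`name` wrapper in the sample is constructed, and only the `licenses` entry shape comes from the issue.

```python
import json
import re

# Constructed sample; the license entry mirrors the one quoted in the issue.
SAMPLE_SBOM = json.loads("""
{"artifacts": [{"name": "type-fest", "licenses": [
  {"value": "(MIT OR CC0-1.0)", "spdxExpression": "(MIT OR CC0-1.0)",
   "type": "declared", "urls": [], "locations": []}]}]}
""")

TOKEN = re.compile(r"\(|\)|[A-Za-z0-9.+:-]+")
OPERATORS = {"AND", "OR", "WITH"}


def license_ids(expression):
    """Return the distinct license identifiers in an SPDX expression, in order.

    Operators and parentheses are dropped. The token after WITH is an
    exception identifier, not a license, so it is skipped as well.
    """
    ids, skip_next = [], False
    for tok in TOKEN.findall(expression):
        if tok in ("(", ")"):
            continue
        if tok.upper() in OPERATORS:
            skip_next = tok.upper() == "WITH"
            continue
        if skip_next:
            skip_next = False
            continue
        if tok not in ids:
            ids.append(tok)
    return ids


def display_rows(sbom):
    """Return (package, license id, full expression) for every license entry."""
    rows = []
    for artifact in sbom.get("artifacts", []):
        for lic in artifact.get("licenses", []):
            expr = lic.get("spdxExpression") or lic.get("value", "")
            for lid in license_ids(expr):
                rows.append((artifact["name"], lid, expr))
    return rows


if __name__ == "__main__":
    for row in display_rows(SAMPLE_SBOM):
        print(*row, sep="\t")
```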