chore: fix cyclonedx helper logic per PR comments

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>

syft/formats/common/cyclonedxhelpers/licenses.go

@@ -74,82 +74,51 @@ func separateLicenses(p pkg.Package) (spdx, other cyclonedx.Licenses, expression
 	otherc := cyclonedx.Licenses{}
 	ex := make([]string, 0)
 	/*
-			pkg.License can be a couple of things:
-			- Complex SPDX expression
-			- Some other Valid license ID
-			- Some non standard non spdx license
+		pkg.License can be a couple of things:
+		- Complex SPDX expression
+		- Some other Valid license ID
+		- Some non-standard non spdx license
 
-			To determine if an expression is a singular ID we first run it against the SPDX license list.
+		To determine if an expression is a singular ID we first run it against the SPDX license list.
 
 		The weird case we run into is if there is a package with a license that is not a valid SPDX expression
-			and a license that is a valid complex expression. In this case we will surface the valid complex expression
-			as a license choice and the invalid expression as a license string.
+		and a license that is a valid complex expression. In this case we will surface the valid complex expression
+		as a license choice and the invalid expression as a license string.
 
 	*/
-	// dedupe spdxlicenseID
-	seen := make(map[string]bool)
+
 	for _, l := range p.Licenses.ToSlice() {
 		// singular expression case
 		if value, exists := spdxlicense.ID(l.SPDXExpression); exists {
 			// we do 1 license -> many URL in our internal model
-			// this fans out different URL to single cyclone licenses
+			// this fans out to an individual cyclonedx license per URL
 			if !l.URL.Empty() {
-				for _, url := range l.URL.ToSlice() {
-					if url != "" {
-						spdxc = append(spdxc, cyclonedx.LicenseChoice{
-							License: &cyclonedx.License{
-								ID:  value,
-								URL: url,
-							},
-						})
-						continue
-					}
-					spdxc = append(spdxc, cyclonedx.LicenseChoice{
-						License: &cyclonedx.License{
-							ID: value,
-						},
-					})
-					continue
-				}
-			}
-			if _, exists := seen[value]; exists {
+				spdxc = buildCycloneDxLicenseWithURL(spdxc, l)
 				continue
 			}
+
+			// different case where we have a valid spdx license but no URLs
 			spdxc = append(spdxc, cyclonedx.LicenseChoice{
 				License: &cyclonedx.License{
 					ID: value,
 				},
 			})
-			seen[value] = true
 			continue
 		}
+
+		// COMPLEX EXPRESSION CASE
 		if l.SPDXExpression != "" {
-			// COMPLEX EXPRESSION CASE: do we instead break the spdx expression out
-			// into individual licenses OR combine singular licenses into a single expression?
 			ex = append(ex, l.SPDXExpression)
 			continue
 		}
 
 		// license string that are not valid spdx expressions or ids
 		if !l.URL.Empty() {
-			for _, url := range l.URL.ToSlice() {
-				if url != "" {
-					otherc = append(otherc, cyclonedx.LicenseChoice{
-						License: &cyclonedx.License{
-							Name: l.Value,
-							URL:  url,
-						},
-					})
-					continue
-				}
-				otherc = append(otherc, cyclonedx.LicenseChoice{
-					License: &cyclonedx.License{
-						Name: l.Value,
-					},
-				})
-			}
+			otherc = buildCycloneDxLicenseWithURL(otherc, l)
 			continue
 		}
+
+		// url set empty so just add the license string as a new choice
 		otherc = append(otherc, cyclonedx.LicenseChoice{
 			License: &cyclonedx.License{
 				Name: l.Value,
@@ -159,6 +128,20 @@ func separateLicenses(p pkg.Package) (spdx, other cyclonedx.Licenses, expression
 	return spdxc, otherc, ex
 }
 
+// fan out single syft license into multiple cyclonedx licenses for each url
+func buildCycloneDxLicenseWithURL(l cyclonedx.Licenses, syftLicense pkg.License) cyclonedx.Licenses {
+	for _, url := range syftLicense.URL.ToSlice() {
+		l = append(l, cyclonedx.LicenseChoice{
+			License: &cyclonedx.License{
+				ID:  syftLicense.Value,
+				URL: url,
+			},
+		})
+	}
+
+	return l
+}
+
 func mergeSPDX(ex []string, spdxc cyclonedx.Licenses) string {
 	var candidate []string
 	for _, e := range ex {