Unable to upload SBOM with Custom license & combination of know license #5150
Unanswered
Gowtham-Rangasamy
asked this question in Q&A
Replies: 0 comments
Hello everyone,
I have recently configured Dependency-Track for our organization to identify the vulnerabilities in all our products at the enterprise level.

We have around 1600+ repositories, and we have automated SBOM upload into Dependency-Track. Now we are facing an issue: vulnerabilities are not being identified, and license values are not getting populated under any repo.
On checking further, I identified that there is an issue with the SBOM format being used. We are converting from the GitHub SPDX format to CycloneDX format using the CycloneDX CLI.
Dependency-Track is unable to identify licenses which are custom or a combination of licenses, like the one mentioned below.
Is there any XML format or structure that needs to be updated?
Please find the sample component block for your reference.
```text
bootstrap
5.3.5
CC-BY-3.0 AND MIT
Copyright (c) 2011-2025 The Bootstrap Authors, Copyright 2011-2025 The Bootstrap Authors, copyright 2011-2025 the Bootstrap Authors (https://github.com/twbs/bootstrap/graphs/contributors), Copyright 2011-2025 The Bootstrap Authors (https://github.com/twbs/bootstrap/graphs/contributors)
NOASSERTION
SPDXRef-npm-bootstrap-5.3.5-d2bba5
false
CC-BY-3.0 AND MIT
pkg:npm/[email protected]
NOASSERTION
```
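The question above is how a compound license such as `CC-BY-3.0 AND MIT` must be encoded so Dependency-Track can resolve it: in CycloneDX XML, `license/id` holds a single SPDX identifier, a compound SPDX expression belongs in a `licenses/expression` element, and a custom license goes in `license/name`. As an added example that is not part of the original post and not Dependency-Track's or the CycloneDX CLI's own code, this Python script post-processes a CycloneDX BOM (the sample BOM is constructed) and moves any compound expression that landed in `<license><id>` into `<expression>`.

```python
"""Move compound SPDX expressions from <license><id> into <expression> in a
CycloneDX XML BOM. Added example; not Dependency-Track or CycloneDX CLI code."""
import re
import xml.etree.ElementTree as ET

# Presence of an SPDX operator means the value is an expression, not one id.
_OPERATOR = re.compile(r"\s(AND|OR|WITH)\s")

# Constructed sample: one component as a naive SPDX->CycloneDX conversion
# might emit it, with the compound expression wrongly placed in <id>.
SAMPLE_BOM = """<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.5" version="1">
  <components>
    <component type="library">
      <name>bootstrap</name>
      <version>5.3.5</version>
      <licenses><license><id>CC-BY-3.0 AND MIT</id></license></licenses>
      <purl>pkg:npm/bootstrap@5.3.5</purl>
    </component>
  </components>
</bom>
"""

def _qualifier(root):
    """Build a tag-qualifying function for the document's default namespace."""
    ns = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""
    if ns:
        ET.register_namespace("", ns)  # keep the default xmlns on output
    return lambda tag: f"{{{ns}}}{tag}" if ns else tag

def normalize_licenses(xml_text):
    """Return (fixed_xml, count): count is how many <licenses> blocks were rewritten."""
    root = ET.fromstring(xml_text)
    q = _qualifier(root)
    fixed = 0
    for licenses in list(root.iter(q("licenses"))):  # list(): we mutate below
        lics = licenses.findall(q("license"))
        ident = lics[0].find(q("id")) if len(lics) == 1 else None
        value = (ident.text or "").strip() if ident is not None else ""
        if not _OPERATOR.search(value):
            continue  # single identifier or custom <name>: already valid
        licenses.remove(lics[0])
        ET.SubElement(licenses, q("expression")).text = value
        fixed += 1
    return ET.tostring(root, encoding="unicode"), fixed

def license_expressions(xml_text):
    """Return the <expression> values found in a BOM, for verification."""
    root = ET.fromstring(xml_text)
    q = _qualifier(root)
    return [e.text for e in root.iter(q("expression"))]
```

Run `normalize_licenses` over the converted BOM before uploading it; a block with a single plain identifier or a custom `<name>` is left untouched.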