A customer is asking to extend SBOMs beyond their original goal of NTIA and executive order compliance. Apparently, own product and dependencies need to be have license and copyright statement.

copyright statement can be deduced automatically, so there must be some file that we can hardcode this information in.

License (as SPDX-id) can in theory be deduced by github APIs

Here is the rough plan -
the "machine-readable" file will be yaml-formatted. It consists of a yaml-list. i.e items starting with <dash>-name, every items has a couple of keys, license and maybe "copyright" if known, but also information we hardcoded elsewhere, e.g CPE identifier, or publisher. a cmake parser function will convert the list and they keys into a set of cmake variables, e.g THIRD_PARTY_ZLIB_LICENSE will be taken from

 -zlib

    license:GPL2