
Revisit/fix/update SPDX SBOM output #394

Open
mxmehl opened this issue Jul 20, 2021 · 5 comments
Labels
enhancement New feature or request

Comments

@mxmehl
Member

mxmehl commented Jul 20, 2021

The REUSE tool currently generates an SPDX software bill of materials only in the SPDX-2.1 format. As an example, I attached the output of reuse spdx of this repository. There are a number of issues:

  1. SPDX-2.3 is the current version.
  2. Somehow, the FileCopyrightText do not look right, especially when using the SPDX-FileCopyrightText tags.
  3. It might make sense to follow the minimal set of requirements of the NTIA which officially accepted SPDX as one way to create SBOMs. @kestewart may help here.

It seems we generate this document manually in spdx.py and report.py. Perhaps there is some spdx library that we can use?

Also, generating an optional JSON/YAML version would be great.

@mxmehl
Member Author

mxmehl commented Jan 31, 2022

If we want to use the SPDX python tools as a dependency, it'd be great to have them packaged for Debian first, as mentioned in spdx/tools-python#201.

@rpavlik

rpavlik commented Sep 30, 2022

I wouldn't wait for packaging, packaging a pypi module is quite easy. I'd volunteer if I didn't already have too many things to do... (And I'm not a DD so it would need a sponsor anyway.) In any case, reuse itself isn't packaged I don't think, so no big deal.

@carmenbianca
Member

> FileCopyrightText do not look right

Related to #947

@RomainBrault

RomainBrault commented Nov 22, 2024

Any update on this? Tools like pyspdxtools complain about 2.1 not being supported.

ERROR:root:This tool only supports SPDX versions SPDX-2.2 and SPDX-2.3, but got: SPDX-2.1

It would be great to have 2.3 and 3.X support.

@kikofernandez

I think reuse is great. The only issue is that the SBOM generation is not NTIA compliant (tool here), which means we cannot use its generated SBOM. Apart from that, all looks great:

ntia-checker --file reuse.spdx 
Generating LALR tables

Is this SBOM NTIA minimum element conformant? False

Individual elements                            | Status
-------------------------------------------------------
All component names provided?                  | True
All component versions provided?               | True
All component identifiers provided?            | True
All component suppliers provided?              | True
SBOM author name provided?                     | True
SBOM creation timestamp provided?              | True
Dependency relationships provided?             | False

The provided document is not valid according to the SPDX specification. The following errors were found:

only SPDX versions "SPDX-2.2" and "SPDX-2.3" are supported, but the document's spdx_version is: SPDX-2.1
There are issues concerning the SPDX version of the document. As subsequent validation relies on the correct version, the validation process has been cancelled.
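The two failures in the ntia-checker run above (unsupported SPDX-2.1 version, no dependency relationships) can be reproduced and repaired with a small tag-value check. This is an added example, not code from reuse, ntia-checker or the SPDX tools; the SPDX document is a constructed sample that only loosely mimics `reuse spdx` output, and the check names are an approximation of the elements ntia-checker reports, not its implementation.

```python
"""NTIA minimum-element check for an SPDX tag-value SBOM (constructed example)."""
import re
from collections import defaultdict

# Constructed sample, not real `reuse spdx` output: one file, SPDX-2.1,
# and no Relationship lines, i.e. the two failures ntia-checker reported.
SAMPLE_SBOM = """\
SPDXVersion: SPDX-2.1
SPDXID: SPDXRef-DOCUMENT
DocumentName: example-project
Creator: Person: Anonymous ()
Creator: Tool: example-generator
Created: 2021-07-20T10:00:00Z
FileName: ./README.md
SPDXID: SPDXRef-1
LicenseInfoInFile: CC-BY-SA-4.0
FileCopyrightText: <text>SPDX-FileCopyrightText: 2021 Example Org</text>
"""

TAG_RE = re.compile(r"^([A-Za-z]+):\s*(.*)$")

def parse_tag_value(text):
    """Map every 'Tag: value' line to tag -> [values]; continuation lines of multi-line <text> blocks are skipped."""
    tags = defaultdict(list)
    for line in text.splitlines():
        if m := TAG_RE.match(line):
            tags[m.group(1)].append(m.group(2).strip())
    return tags

def ntia_minimum_report(text):
    """Return {check: passed} for the elements the ntia-checker table lists (approximation)."""
    tags = parse_tag_value(text)
    creators = tags.get("Creator", [])
    return {
        "supported_spdx_version": tags.get("SPDXVersion", [""])[0] in {"SPDX-2.2", "SPDX-2.3"},
        "sbom_author_provided": any(c.startswith(("Person:", "Organization:")) for c in creators),
        "creation_timestamp_provided": bool(tags.get("Created")),
        "component_names_provided": bool(tags.get("FileName") or tags.get("PackageName")),
        "dependency_relationships_provided": bool(tags.get("Relationship")),
    }

def is_conformant(text):
    return all(ntia_minimum_report(text).values())

def add_document_relationships(text):
    """Append 'SPDXRef-DOCUMENT DESCRIBES <id>' for each non-document SPDXID."""
    ids = [i for i in parse_tag_value(text).get("SPDXID", []) if i != "SPDXRef-DOCUMENT"]
    rels = "".join(f"Relationship: SPDXRef-DOCUMENT DESCRIBES {i}\n" for i in ids)
    return text.rstrip("\n") + "\n" + rels
```

Bumping `SPDXVersion` to SPDX-2.3 and passing the document through `add_document_relationships` is enough for every check in this approximation to pass.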
