Normalizer MUST assert LicenseExpression xor DisjunctiveLicense* #602

@jkowalleck

Based on https://github.com/CycloneDX/specification/blob/1.4/schema/bom-1.4.xsd#L1398-L1408

A licenses list must be either exactly one expression, or any number of licenses.

Expression is to be preferred (arguably).

The current data model allows a mix like

```xml
<licenses>
  <license><id>MIT</id></license>
  <expression>MIT OR Apache-2.0</expression>
  <license><name>something</name></license>
</licenses>
```

but it must be either

```xml
<licenses>
  <license><id>MIT</id></license>
  <license><name>something</name></license>
</licenses>
```

OR

```xml
<licenses>
  <expression>MIT OR Apache-2.0</expression>
</licenses>
```

... for JSON it is equally a thing ...
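
A sketch of the check the issue asks for, added here as an illustration and not taken from the project's code: `classify` enforces "exactly one expression xor any number of licenses" on a `<licenses>` element, and `normalize` repairs a mixed list. It assumes unqualified element names as in the snippets above, and the repair policy (keep only the first expression) is a hypothetical choice that follows the "expression is to be preferred" remark.

```python
import copy
import xml.etree.ElementTree as ET

# Constructed inputs: the three <licenses> snippets from the issue text.
MIXED = """<licenses>
  <license><id>MIT</id></license>
  <expression>MIT OR Apache-2.0</expression>
  <license><name>something</name></license>
</licenses>"""
ONLY_LICENSES = """<licenses>
  <license><id>MIT</id></license>
  <license><name>something</name></license>
</licenses>"""
ONLY_EXPRESSION = """<licenses>
  <expression>MIT OR Apache-2.0</expression>
</licenses>"""


def classify(licenses: ET.Element) -> str:
    """Return 'empty', 'disjunctive', 'expression' or 'invalid'."""
    tags = [child.tag for child in licenses]
    if any(tag not in ("license", "expression") for tag in tags):
        return "invalid"
    n_expr, n_lic = tags.count("expression"), tags.count("license")
    if n_expr == 0:
        return "disjunctive" if n_lic else "empty"
    if n_expr == 1 and n_lic == 0:
        return "expression"
    return "invalid"  # a mix, or more than one expression


def normalize(licenses: ET.Element) -> ET.Element:
    """Return a new <licenses> element that satisfies the xor rule.

    Assumed policy (hypothetical, not from the issue): when any expression
    is present, keep only the first expression and drop everything else.
    """
    expressions = licenses.findall("expression")
    keep = expressions[:1] if expressions else licenses.findall("license")
    out = ET.Element("licenses")
    for child in keep:
        out.append(copy.deepcopy(child))  # copy so the input tree is untouched
    return out


if __name__ == "__main__":
    for name, doc in [("mixed", MIXED), ("licenses", ONLY_LICENSES),
                      ("expression", ONLY_EXPRESSION)]:
        root = ET.fromstring(doc)
        print(name, classify(root), "->", classify(normalize(root)))
```

The assumed policy is lossy: normalizing the mixed list discards both `<license>` entries, so a caller that cannot accept silent data loss should treat an `invalid` result from `classify` as an error instead.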
