apps: migrate to SPDX identifier #2921

Merged
merged 13 commits into from
Dec 30, 2024

Conversation

jerpelea
Contributor

Summary

Most tools used for compliance and SBOM generation use SPDX identifiers.
This change brings us a step closer to easy SBOM generation.

Impact

SBOM

Testing

CI

Most tools used for compliance and SBOM generation use SPDX identifiers.
This change brings us a step closer to easy SBOM generation.

Signed-off-by: Alin Jerpelea <[email protected]>
@nuttxpr

nuttxpr commented Dec 29, 2024

[Experimental Bot, please give feedback here]

No, this PR does not fully meet the NuttX requirements. While it touches upon some aspects, it lacks crucial details.

Here's a breakdown of what's missing:

  • Summary: While the "why" is briefly addressed, the "what" and "how" are missing. Which tools? Which part of the code is changed to use SPDX identifiers? How are they integrated? Specifics are essential. Mention the related NuttX issue number if one exists.

  • Impact: Saying "SBOM" is not enough. Address all impact points explicitly with "YES" or "NO" and provide details if "YES." For example:

    • Is new feature added? YES (SBOM generation facilitated)
    • Is existing feature changed? Potentially YES (depending on what was modified). Specify which feature.
    • Impact on user? Possibly YES or NO. Justify. Will users need to do anything differently?
    • Impact on build? Likely NO, but state explicitly.
    • Impact on hardware? Almost certainly NO, but state it.
    • Impact on documentation? Likely YES. New documentation may be required to explain how to generate the SBOM.
    • Impact on security? Potentially YES or NO. Justify your answer. Does adding SPDX identifiers introduce any vulnerabilities or improve security posture?
    • Impact on compatibility? Likely NO, but state it explicitly.
  • Testing: "CI" is insufficient. List the specific build hosts and targets used for testing. Provide actual testing logs before and after the change, not just the word "CI." What tests demonstrate that the change works as intended? Show concrete output illustrating the improvement related to SBOM generation.

In short, the PR description needs significant expansion to meet the NuttX requirements. Be specific and thorough in all sections. Provide concrete examples and data.

3. All advertising materials mentioning features or use of this software must
display the following acknowledgement: This product includes software
developed by the University of California, Berkeley and its contributors.

permitted by the Berkeley amendment
https://ipira.berkeley.edu/sites/default/files/amendment_of_4-clause_bsd_software_license.pdf

following the example of NetBSD and OpenBSD
NetBSD/src@eb7c159
openbsd/src@6580fee

Signed-off-by: Alin Jerpelea <[email protected]>
Xiaomi has submitted the SGA and we can migrate the licenses to ASF

Signed-off-by: Alin Jerpelea <[email protected]>
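Added example, not code from this PR or from the NuttX project: a small Python audit of the kind SBOM and compliance tooling performs on license headers like the ones this PR migrates. It extracts SPDX-License-Identifier tags from the header region of each file, splits SPDX expressions such as "BSD-3-Clause OR MIT" into individual identifiers, validates each against an allow-list (KNOWN_LICENSES, a hypothetical subset of the SPDX license list), and flags files that still carry the 4-clause BSD advertising clause discussed in the commit above. The sample file contents are constructed for the example, not taken from the tree.

```python
"""Added example, not part of the NuttX PR: a minimal SPDX header audit of the kind
SBOM and compliance tooling performs, run over constructed sample files."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Hypothetical project allow-list; the real SPDX license list has hundreds of entries
# and would normally be loaded from the SPDX JSON data rather than hard-coded.
KNOWN_LICENSES = {"Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "BSD-4-Clause", "MIT", "ISC"}

# Only the header region is inspected, so a tag that merely appears inside a string
# literal deep in the file does not count as a license declaration.
HEADER_LINES = 40

# The tag may sit in a C block comment ("... */"), an HTML comment ("... -->") or a
# line comment that ends at end of line.
SPDX_TAG = re.compile(r"SPDX-License-Identifier:\s*(.+?)\s*(?:\*/|-->|$)", re.MULTILINE)

# Clause 3 of the original 4-clause BSD license, the clause the Berkeley amendment
# permits removing; its presence means the header has not been migrated.
ADVERTISING_CLAUSE = re.compile(
    r"advertising materials mentioning features or use of this software", re.IGNORECASE
)


@dataclass
class FileReport:
    path: str
    identifiers: list[str]
    unknown: list[str]
    has_advertising_clause: bool

    @property
    def ok(self) -> bool:
        return bool(self.identifiers) and not self.unknown and not self.has_advertising_clause


def parse_spdx_expression(expr: str) -> list[str]:
    """Return the license identifiers in an SPDX expression, dropping operators and
    parentheses. Exception names after WITH are kept and will show up as unknown."""
    tokens = expr.replace("(", " ").replace(")", " ").split()
    return [t for t in tokens if t.upper() not in {"AND", "OR", "WITH"}]


def scan_source(path: str, text: str) -> FileReport:
    """Audit one file's header region and return what was found."""
    header = "\n".join(text.splitlines()[:HEADER_LINES])
    identifiers: list[str] = []
    for match in SPDX_TAG.finditer(header):
        identifiers.extend(parse_spdx_expression(match.group(1)))
    unknown = [i for i in identifiers if i not in KNOWN_LICENSES]
    return FileReport(path, identifiers, unknown, bool(ADVERTISING_CLAUSE.search(header)))


def scan_files(files: dict[str, str]) -> dict[str, FileReport]:
    return {path: scan_source(path, text) for path, text in files.items()}


def summarize(reports: list[FileReport]) -> dict[str, int]:
    """Coverage counts a CI gate can compare: clean must equal files before release."""
    return {
        "files": len(reports),
        "tagged": sum(1 for r in reports if r.identifiers),
        "untagged": sum(1 for r in reports if not r.identifiers),
        "unknown_identifier": sum(1 for r in reports if r.unknown),
        "advertising_clause": sum(1 for r in reports if r.has_advertising_clause),
        "clean": sum(1 for r in reports if r.ok),
    }


# Constructed sample inputs (not files from the NuttX tree).
SAMPLE_FILES = {
    # Already migrated: tag inside a C block comment header.
    "migrated.c": (
        "/****************************************************************************\n"
        " * apps/examples/migrated.c\n"
        " *\n"
        " * SPDX-License-Identifier: Apache-2.0\n"
        " ****************************************************************************/\n"
        "#include <stdio.h>\n"
    ),
    # Dual-licensed header using an SPDX expression in a line comment.
    "dual.h": "// SPDX-License-Identifier: BSD-3-Clause OR MIT\n#pragma once\n",
    # Legacy 4-clause BSD header: no tag, advertising clause still present.
    "legacy.c": (
        "/*\n"
        " * Copyright (c) 1990 The Regents of the University of California.\n"
        " * Redistribution and use in source and binary forms are permitted\n"
        " * provided that the following conditions are met:\n"
        " * 3. All advertising materials mentioning features or use of this software\n"
        " *    must display the following acknowledgement.\n"
        " */\n"
    ),
    # Tag present but the identifier is malformed (space instead of hyphen).
    "typo.c": "/* SPDX-License-Identifier: Apache 2.0 */\n",
    # A tag buried in a string far below the header region is not a declaration.
    "untagged.c": "int x;\n" * 50 + 'const char *s = "SPDX-License-Identifier: MIT";\n',
}

if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for r in results.values():
        status = "OK " if r.ok else "BAD"
        print(f"{status} {r.path}: ids={r.identifiers} unknown={r.unknown} "
              f"advertising_clause={r.has_advertising_clause}")
    print(summarize(list(results.values())))
```

Run it directly to see the per-file status lines; in a CI job the natural gate is to fail when summarize()["clean"] is less than summarize()["files"], which is exactly the condition a header migration like this PR is meant to drive to zero.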
@xiaoxiang781216 xiaoxiang781216 merged commit 94b9c0b into apache:master Dec 30, 2024
24 of 25 checks passed
3 participants