wolfictl
Lint: please add "detected-spdx-license-missmatch" linter
Description
Please add a new lint check. Use a license detector (for example https://github.com/go-enry/go-license-detector/tree/master) to detect the SPDX license of a given package.
Compare it to the declared SPDX license, and raise a warning if they mismatch.
Allow humans to fix the license to match the detected one, or override the lint check with #nolint in case of confusing / undetectable licensing.
Real world example on a large code base
$ time license-detector /tmp/gcc-13.2.0
/tmp/gcc-13.2.0
99% GCC-exception-3.1
99% LGPL-2.1-only
99% deprecated_LGPL-2.1
99% LGPL-2.1-or-later
99% deprecated_LGPL-2.1+
98% deprecated_GPL-3.0-with-GCC-exception
97% deprecated_GPL-2.0+
97% GPL-2.0-or-later
97% GPL-2.0-only
97% deprecated_GPL-2.0
real 0m4.400s
user 0m5.240s
sys 0m0.171s
Declared license in the package
$ git grep license gcc.yaml
gcc.yaml: - license: GPL-3.0-or-later
Which is incorrect.
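The check described in this issue, written out as an added example (not wolfictl's code and not go-license-detector's API): it parses the `<pct>% <SPDX-id>` lines the license-detector CLI printed above, pulls the declared license out of a melange-style YAML fragment, normalises the detector's legacy spellings (`deprecated_…`, trailing `+`) onto current SPDX ids, and warns when the declared id matches none of the confident detections unless the line carries a `#nolint` comment. The confidence threshold, the `#nolint` comment syntax and the sample inputs are assumptions; the sample detector output is a constructed copy of the gcc-13.2.0 result quoted above.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"sort"
	"strconv"
	"strings"
)

// Match is one detection result: an SPDX identifier and a confidence in [0,1].
type Match struct {
	ID         string
	Confidence float64
}

// ParseDetectorOutput reads the "<pct>% <SPDX-id>" lines printed by the
// license-detector CLI, sorted by descending confidence. Other lines (the
// path header, the `time` summary) are skipped.
func ParseDetectorOutput(out string) []Match {
	var matches []Match
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) != 2 || !strings.HasSuffix(fields[0], "%") {
			continue
		}
		pct, err := strconv.ParseFloat(strings.TrimSuffix(fields[0], "%"), 64)
		if err != nil {
			continue
		}
		matches = append(matches, Match{ID: fields[1], Confidence: pct / 100})
	}
	sort.SliceStable(matches, func(i, j int) bool { return matches[i].Confidence > matches[j].Confidence })
	return matches
}

// Canonical maps the detector's legacy spellings onto current SPDX ids so
// that "deprecated_GPL-2.0+" and a declared "GPL-2.0-or-later" compare equal.
func Canonical(id string) string {
	id = strings.TrimPrefix(id, "deprecated_")
	if strings.HasSuffix(id, "+") {
		return strings.TrimSuffix(id, "+") + "-or-later"
	}
	return id
}

// licenseLine matches "- license: <id>" plus an optional trailing comment,
// e.g. "- license: MIT # nolint" (assumed override syntax).
var licenseLine = regexp.MustCompile(`^\s*-?\s*license:\s*([^\s#]+)\s*(#.*)?$`)

// Declared extracts the first declared license from a YAML fragment; nolint
// reports a "#nolint" comment on that line, ok is false if no line matched.
func Declared(yaml string) (id string, nolint bool, ok bool) {
	sc := bufio.NewScanner(strings.NewReader(yaml))
	for sc.Scan() {
		if m := licenseLine.FindStringSubmatch(sc.Text()); m != nil {
			return m[1], strings.Contains(m[2], "nolint"), true
		}
	}
	return "", false, false
}

// Lint returns "" when the declared license agrees with a detection at or
// above threshold (or the override is set); otherwise a warning listing what
// the detector found, so a human can correct the declaration.
func Lint(declared string, nolint bool, detected []Match, threshold float64) string {
	if nolint {
		return ""
	}
	want := Canonical(declared)
	var seen []string
	for _, m := range detected {
		if m.Confidence < threshold {
			continue
		}
		if Canonical(m.ID) == want {
			return ""
		}
		seen = append(seen, fmt.Sprintf("%s (%.0f%%)", m.ID, m.Confidence*100))
	}
	if len(seen) == 0 {
		return fmt.Sprintf("declared license %q could not be verified: nothing detected at >= %.0f%% confidence", declared, threshold*100)
	}
	return fmt.Sprintf("declared license %q does not match detected licenses: %s", declared, strings.Join(seen, ", "))
}

// Constructed samples: the detector output for gcc-13.2.0 and the gcc.yaml line.
const sampleDetectorOutput = "/tmp/gcc-13.2.0\n99% GCC-exception-3.1\n99% LGPL-2.1-only\n" +
	"99% deprecated_LGPL-2.1\n99% LGPL-2.1-or-later\n99% deprecated_LGPL-2.1+\n" +
	"98% deprecated_GPL-3.0-with-GCC-exception\n97% deprecated_GPL-2.0+\n" +
	"97% GPL-2.0-or-later\n97% GPL-2.0-only\n97% deprecated_GPL-2.0\nreal 0m4.400s\n"

const sampleYAML = "package:\n  name: gcc\n  copyright:\n    - license: GPL-3.0-or-later\n"

func main() {
	detected := ParseDetectorOutput(sampleDetectorOutput)
	id, nolint, _ := Declared(sampleYAML)
	if msg := Lint(id, nolint, detected, 0.90); msg != "" {
		fmt.Println("warning:", msg)
	} else {
		fmt.Println("ok:", id)
	}
}
```

Run against the gcc sample this prints a warning naming the ten confident detections, none of which is GPL-3.0-or-later; declaring `GPL-2.0+` instead passes, because Canonical folds it onto the detector's `GPL-2.0-or-later`. Normalising both sides before comparing is what keeps the check from flagging every package whose declaration uses an older SPDX spelling.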
Oh, it can work on git repos too... I wonder if I can just run that tool across all of wolfi and generate a report.