
Prefer repository license if it doesn't match package license

Open andrew opened this issue 6 years ago • 0 comments

Before Christmas I was investigating with @tieguy the situation where a license is declared in a manifest file like package.json which is different from the license declared in LICENSE.

https://twitter.com/teabass/status/943093483228880898

This appears to happen when the package manager adds a license to the manifest file automatically and it's never fixed to match the actual license of the source code.

So in certain cases, when normalizing the license on a project I think we should prefer the repository license if:

  • the repository is present and declares a valid SPDX license string
  • the package has zero or one valid SPDX license declared
  • the package license does not match the repository license

Note: This is a bit of a stop-gap until we actually start inspecting the source code of published packages.

andrew, Jan 02 '18 15:01
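The three conditions above, as an added example that is not libraries.io's own code: a Ruby function that decides which license string to report for a project, with a constructed subset of SPDX identifiers standing in for real SPDX validation.

```ruby
# Added example (not libraries.io code): apply the proposed normalization rule.
# KNOWN_SPDX is a constructed subset; a real implementation would validate
# against the full SPDX license list.
KNOWN_SPDX = %w[MIT Apache-2.0 BSD-2-Clause BSD-3-Clause GPL-3.0-only ISC MPL-2.0].freeze

def valid_spdx?(id)
  !id.nil? && KNOWN_SPDX.include?(id.to_s.strip)
end

# package_licenses: license(s) declared in the manifest (e.g. package.json),
#                   as a string or an array of strings; may be empty
# repo_license:     license detected from the repository's LICENSE file,
#                   or nil when no repository is linked
# Returns the license string to use for the project (nil if nothing is known).
def normalize_license(package_licenses, repo_license)
  pkg = Array(package_licenses).map { |l| l.to_s.strip }.reject(&:empty?)
  valid_pkg = pkg.select { |l| valid_spdx?(l) }
  # What we would report without consulting the repository at all.
  fallback = valid_pkg.first || pkg.first

  # 1. the repository is present and declares a valid SPDX license string
  return fallback unless valid_spdx?(repo_license)
  # 2. the package has zero or one valid SPDX license declared
  #    (dual-licensed packages such as ["MIT", "Apache-2.0"] are left alone)
  return fallback if valid_pkg.size > 1
  # 3. the package license is missing or does not match the repository license
  repo = repo_license.to_s.strip
  return repo if valid_pkg.empty? || valid_pkg.first != repo

  fallback
end

# Constructed sample: a manifest still carrying the placeholder "ISC" that
# `npm init` fills in, while the repository's LICENSE file is MIT.
puts normalize_license(["ISC"], "MIT")   # => MIT
```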