Unify license mappings and make them configurable
ORT currently has multiple license mappings, of which only some are configurable:
- Map simple licenses or deprecated licenses (sometimes with license exceptions) to SpdxSingleLicenseExpression.
  - Hard-coded, not configurable.
  - Used mostly in DeclaredLicenseProcessor, but also in e.g. the FossId scanner.
- Map declared licenses to SpdxExpression.
  - Hard-coded, not configurable.
  - Used exclusively in DeclaredLicenseProcessor.
- Map SpdxExpressions from scanners.
  - Configurable in the global config.yml.
  - Originally introduced to correct licenses returned by FossId.
As far as unification is concerned, an open question is whether we need to / it still makes sense to distinguish between "simple" and "declared" license mappings. Further, does it make sense to have a different mapping for "detected" licenses (scanner phase) vs "declared" licenses (analyzer phase).
My current thinking is that if scanners return non-SPDX licenses, ORT should turn these into LicenseRef-<scanner>-... licenses anyway, and when having such a prefix there would be no clash with declared licenses, meaning mappings of declared and detected licenses could be combined into a single (configurable) map (with safe defaults).
If mappings would be configurable, they should probably also be implemented as plugins, which in turn relates to https://github.com/oss-review-toolkit/ort/issues/10214.
One thing with detected license mapping which might not have been considered: IIRC that mapping is applied and afterwards, the result of the mapping is stored in the scan results storage. As a consequence, strictly speaking any change in the mapping invalidates the stored scan results. It would be great to have this considered.
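
The combined map proposed in the issue and the storage concern raised above, put together as an added example that is not ORT code. All names (KNOWN_SPDX_IDS, LICENSE_MAPPING, namespaceDetected, mapLicense, mappingFingerprint, StoredResult, store, isStale), the sample licenses, and the idea of storing a hash of the mapping next to each result are assumptions made for illustration.

```kotlin
import java.security.MessageDigest

// Constructed sample; a real check would consult the full SPDX license list.
val KNOWN_SPDX_IDS = setOf("Apache-2.0", "MIT", "GPL-2.0-only")

// Hypothetical combined map: declared licenses are keyed by their raw string, detected
// ones by their namespaced LicenseRef, so entries from the two phases cannot clash.
val LICENSE_MAPPING: Map<String, String> = mapOf(
    "Apache License, Version 2.0" to "Apache-2.0",
    "GPLv2" to "GPL-2.0-only",
    "LicenseRef-fossid-GPL-2.0-kernel-variant" to "GPL-2.0-only"
)

// Valid SPDX ids pass through; anything else becomes LicenseRef-<scanner>-<idstring>.
// SPDX only allows letters, digits, "." and "-" in the idstring, so other runs become "-".
fun namespaceDetected(scanner: String, raw: String): String =
    if (raw in KNOWN_SPDX_IDS || raw.startsWith("LicenseRef-")) raw
    else "LicenseRef-$scanner-" + raw.replace(Regex("[^A-Za-z0-9.-]+"), "-").trim('-')

// Unmapped ids are returned unchanged.
fun mapLicense(id: String, mapping: Map<String, String>): String = mapping[id] ?: id

// SHA-256 over the sorted entries, so the hash does not depend on insertion order.
fun mappingFingerprint(mapping: Map<String, String>): String {
    val canonical = mapping.toSortedMap().entries.joinToString("\n") { "${it.key}\u0000${it.value}" }
    return MessageDigest.getInstance("SHA-256").digest(canonical.toByteArray())
        .joinToString("") { "%02x".format(it) }
}

// Keeps the raw scanner value and the hash of the mapping that produced the mapped value.
data class StoredResult(val rawLicense: String, val mappedLicense: String, val mappingHash: String)

fun store(scanner: String, raw: String, mapping: Map<String, String>) =
    StoredResult(raw, mapLicense(namespaceDetected(scanner, raw), mapping), mappingFingerprint(mapping))

// A stored result is stale once the mapping it was produced with has changed.
fun isStale(stored: StoredResult, current: Map<String, String>) =
    stored.mappingHash != mappingFingerprint(current)

fun main() {
    println(mapLicense("GPLv2", LICENSE_MAPPING))
    val stored = store("fossid", "GPL 2.0 (kernel variant)", LICENSE_MAPPING)
    println(stored)
    val changed = LICENSE_MAPPING + ("LicenseRef-fossid-Custom-EULA" to "LicenseRef-acme-EULA")
    println("stale under unchanged mapping: ${isStale(stored, LICENSE_MAPPING)}")
    println("stale after mapping change: ${isStale(stored, changed)}")
}
```

Because the raw scanner value is kept alongside the mapped one, a stale entry can be re-mapped from storage without re-running the scanner.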