License Alias feature

[bluthen]

I've ran into many projects where the license doesn't match up with what you have in licenses.json. Stuff like Apache2 instead of Apache-2.0. Apache2 is not very specific in case there is a minor version difference later, so maybe it isn't a good idea to have these aliases in licenses.json by default but perhaps it could be an option in .sandworm.config.json

"license_aliases": {
    "Apache-2.0": ["Apache2", "Apache 2.0", "apache2"],
   "CC-BY-4.0": ["CC-BY-4"]
}

Allowing people to do this can be dangerous, they have to accept the risk of what they are doing. It is risky to just allow "BSD" for example because of the version with the advertising clause https://www.gnu.org/licenses/bsd.en.html But I feel it isn't as risky to do Apache2.

I also admit some of this may go away if there was license file checking, rather than just looking at the package.json license string. I imagine there would be another issue type added "License file does not match license in package.json" in which case alias could even more useful.

[gabidobo]

Thank you, @bluthen!

Let's see how people feel about this.

I tend to worry about adding features that allow project owners to weaken their security process. Until we have deep license file scanning, I feel issues like these are better addressed individually by verifying the actual license file content and adding a resolution to resolved-issues.json. Once we support wildcard versions #94 this should be less of a nuisance, since you won't have to do it for every package update.

[gabidobo]

Although - I see the value in allowing users to define their own license categories (as proposed in #93), which would be a step in this direction 🤔