Adding SPDX support to E2E verifiers

[sajayantony]

We have been discussing adding SPDX to the verifier chain for sometime now.

Thanks to @rnjudge for pointing me to @developer-guy's change - open-policy-agent/conftest#636

@etrexel you had evaluated an option for SPDX before. Do you think this would make things easier?

[sajayantony]

#111

[etrexel]

I've implemented a POC verifier here that parses an SPDX file and validates the licenses: https://github.com/etrexel/spdx-verifier-go. It still needs a little work to the license filtering to conform to the SPDX spec, but gives a basic idea of how this could work. I will start wrapping it in the Ratify verifier skeleton so that I can test it in the framework.