Fix --validate-spdx option

[hesa]

Currently the option --validate-spdx checks if the licenses are known to [license_expression](https://github.com/nexB/license-expression), which is the same database of licenses as [ScanCode LicenseDB](https://scancode-licensedb.aboutcode.org/.

Instead, a check against should be implemented

• https://spdx.org/licenses/
• https://spdx.org/licenses/exceptions-index.html