Support SPDX license operators

[knqyf263]

Description

Currently, when Trivy's license scanner encounters SPDX license expressions with operators (e.g., "Apache-2.0 OR MIT"), it marks them as non-standard with unknown severity. This behavior doesn't accurately reflect the actual licensing status of packages, especially in ecosystems where dual licensing is common (e.g., Rust ecosystem often uses Apache-2.0/MIT dual licensing).

Proposed Solution

Implement a more sophisticated license expression parser that handles SPDX operators according to their semantic meaning:

• For "OR" operator:
  • Take the minimum severity among all licenses connected by OR
  • Example: If Package X is licensed under "Apache-2.0 OR MIT"
  • Result: Use the lower severity between Apache-2.0 and MIT
• For "AND" operator:
  • Take the maximum severity among all licenses connected by AND
  • Example: If Package Y is licensed under "GPL-3.0 AND LGPL-2.1"
  • Result: Use the higher severity between GPL-3.0 and LGPL-2.1

Discussed in #8148