Add licenses to SBOM reports

We already have a feature to generate CycloneDX SBOMs for GitLab projects. These reports could be enhanced with data about licenses detected for the reported dependencies.

Proposal

CycloneDX comes with a specification for sharing licenses as part of its format. It is usually based on the SPDX license list but we probably don't report with a 100% match on this list (do we @gonzoyumo?).

In the case where the license isn't strictly matching one in the SPDX list, we need to provide a license URL.
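The mapping described above, sketched as an added example that is not part of the original issue or GitLab's code: an exact SPDX match is emitted as `license.id`, anything else as `license.name` with a `url`. The helper names, the `SPDX_IDS` subset and the sample data are constructed assumptions.

```ruby
require 'json'

# Constructed subset of the SPDX license list; a real implementation would
# load the full list published by SPDX.
SPDX_IDS = %w[MIT Apache-2.0 BSD-3-Clause GPL-3.0-only].freeze

# Hypothetical helper: map one detected license to a CycloneDX `licenses` entry.
# The match is exact and case-sensitive, because CycloneDX validates `id`
# against the SPDX identifier list.
def cyclonedx_license(detected)
  name = detected[:name].to_s.strip
  raise ArgumentError, 'license name is empty' if name.empty?
  return { 'license' => { 'id' => name } } if SPDX_IDS.include?(name)

  # Not on the SPDX list: report it by name and require a URL, as proposed.
  url = detected[:url].to_s.strip
  raise ArgumentError, "non-SPDX license #{name.inspect} needs a URL" if url.empty?

  { 'license' => { 'name' => name, 'url' => url } }
end

# Hypothetical helper: return a copy of the component with a `licenses` array,
# plus the reasons for any detected license that could not be reported.
def add_licenses(component, detected_licenses)
  entries = []
  skipped = []
  detected_licenses.each do |detected|
    entries << cyclonedx_license(detected)
  rescue ArgumentError => e
    skipped << e.message
  end
  result = component.dup
  result['licenses'] = entries unless entries.empty?
  [result, skipped]
end

# Constructed sample data.
sample_component = { 'type' => 'library', 'name' => 'example-lib', 'version' => '1.0.0' }
sample_detected = [
  { name: 'MIT' },
  { name: 'Example Corp License', url: 'https://example.com/license' },
  { name: 'mit' } # wrong case and no URL: not an SPDX id, so it is skipped
]
reported, skipped = add_licenses(sample_component, sample_detected)
puts JSON.pretty_generate(reported)
puts skipped
```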