Spike: Update vendored spdx index or fetch it regularly from remote source
Time-box: 1 day
Proposal
The SPDX license list (https://spdx.org/licenses/) contains software licenses GitLab supports in several features related to License Compliance.
We have a scheduled worker (ImportSoftwareLicensesWorker) to fetch the latest data from spdx.org, but it has effectively been "disabled" since 2020, when we added support for offline environments. That change forced all instances to use the vendored copy of the SPDX index.
This was discovered recently when cleaning up an old feature flag: !139889 (merged)
This spike should establish whether it makes sense to reinstate the remote fetch or whether we can stick to a regular update of the bundled file as part of the monthly GitLab release.
- Source: https://spdx.org/licenses/licenses.json
- Currently vendored version: 3.10 (from Aug 3, 2020)
- Last published version: 3.22 (from Oct 5, 2023)
Releases seem to be made on a (roughly) quarterly basis: https://github.com/spdx/license-list-data/releases
If the remote fetch is deemed unnecessary, we should probably clean up the remaining code associated with the ImportSoftwareLicensesWorker.
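To make the "vendored 3.10 vs. latest" gap concrete, here is an added example (not GitLab's code and not the ImportSoftwareLicensesWorker) that parses two copies of the SPDX list and reports how far apart they are: version, age, and which license IDs were added or newly deprecated. The field names (licenseListVersion, releaseDate, licenses[].licenseId, licenses[].isDeprecatedLicenseId) are those of the public licenses.json; the two embedded documents are constructed excerpts with made-up entries and deprecation flags, only the versions and dates match the issue. It reads local data only, so it works the same in offline environments.

```ruby
require 'json'
require 'date'
require 'rubygems'

# Constructed excerpts in the shape of https://spdx.org/licenses/licenses.json.
# Versions and release dates follow the issue; the license entries and their
# deprecation flags are an illustrative subset, not the real SPDX history.
VENDORED_INDEX = <<~'JSON'
  {
    "licenseListVersion": "3.10",
    "releaseDate": "2020-08-03",
    "licenses": [
      { "licenseId": "MIT", "name": "MIT License", "isDeprecatedLicenseId": false },
      { "licenseId": "GPL-2.0", "name": "GNU General Public License v2.0 only", "isDeprecatedLicenseId": false },
      { "licenseId": "BSD-3-Clause", "name": "BSD 3-Clause License", "isDeprecatedLicenseId": false }
    ]
  }
JSON

REMOTE_INDEX = <<~'JSON'
  {
    "licenseListVersion": "3.22",
    "releaseDate": "2023-10-05",
    "licenses": [
      { "licenseId": "MIT", "name": "MIT License", "isDeprecatedLicenseId": false },
      { "licenseId": "GPL-2.0", "name": "GNU General Public License v2.0 only", "isDeprecatedLicenseId": true },
      { "licenseId": "GPL-2.0-only", "name": "GNU General Public License v2.0 only", "isDeprecatedLicenseId": false },
      { "licenseId": "BSD-3-Clause", "name": "BSD 3-Clause License", "isDeprecatedLicenseId": false },
      { "licenseId": "Apache-2.0", "name": "Apache License 2.0", "isDeprecatedLicenseId": false }
    ]
  }
JSON

# Parse a licenses.json document into { version:, release_date:, licenses: { id => entry } }.
def parse_index(json)
  data = JSON.parse(json)
  {
    version: data.fetch('licenseListVersion'),
    release_date: Date.parse(data.fetch('releaseDate')),
    licenses: data.fetch('licenses').to_h { |entry| [entry.fetch('licenseId'), entry] }
  }
end

# True when the remote list is a newer SPDX release than the vendored one.
def outdated?(vendored, remote)
  Gem::Version.new(remote[:version]) > Gem::Version.new(vendored[:version])
end

# Days between the index's release date and `today`, i.e. how long License
# Compliance has been running on that snapshot.
def age_in_days(index, today:)
  (today - index[:release_date]).to_i
end

# What changes between the two lists: IDs added, IDs removed, and IDs that were
# valid in the vendored copy but are marked deprecated in the remote one.
def diff_indexes(vendored, remote)
  old_ids = vendored[:licenses].keys
  new_ids = remote[:licenses].keys
  newly_deprecated = (old_ids & new_ids).select do |id|
    !vendored[:licenses][id]['isDeprecatedLicenseId'] && remote[:licenses][id]['isDeprecatedLicenseId']
  end
  {
    added: (new_ids - old_ids).sort,
    removed: (old_ids - new_ids).sort,
    newly_deprecated: newly_deprecated.sort
  }
end

if __FILE__ == $PROGRAM_NAME
  vendored = parse_index(VENDORED_INDEX)
  remote = parse_index(REMOTE_INDEX)
  puts "vendored #{vendored[:version]} vs remote #{remote[:version]}, outdated: #{outdated?(vendored, remote)}"
  puts "vendored copy predates the remote release by #{age_in_days(vendored, today: remote[:release_date])} days"
  diff_indexes(vendored, remote).each { |kind, ids| puts "#{kind}: #{ids.join(', ')}" }
end
```

Pointing `parse_index` at the vendored file and at a freshly downloaded licenses.json gives the same report for the real lists; the `added` and `newly_deprecated` sets are the ones that matter for License Compliance, since a policy keyed on an ID the vendored copy does not know cannot match it.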