Open
Labels: enhancement, help wanted
Description
Is your feature request related to a problem? Please describe.
Package manifests may declare package licenses. Some license declarations are not final license texts, but templates, like "MIT".
Therefore, it is required to collect license evidences from packages. A first step would be: collect relevant files.
Describe the solution you'd like
Add a CLI flag `--gather-license-evidences` or something, and collect relevant license files.
See similar implementations:
- FEAT: Option to add license text to BOM output cyclonedx-webpack-plugin#676 & also find `*.license` files as evidence cyclonedx-webpack-plugin#1321
Describe alternatives you've considered
Additional context
Composer manifests don't have a field for relevant files, so gathering the files manually would be required.
License evidences are not to be confused with declared or concluded licenses!
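One way the file-gathering step requested above could look, as an added example that is not code from this issue or from the project. The function name `gatherLicenseEvidence`, the file-name patterns other than `*.license`, the size cap, the `file: <name>` naming and the sample package are assumptions; the output uses the CycloneDX `evidence.licenses` shape with a base64 text attachment.

```php
<?php
declare(strict_types=1);

// Assumed file-name patterns; only "*.license" is named in the issue above.
const LICENSE_FILE_PATTERN = '/^(licen[cs]e|copying|notice|unlicense)([.\-_].*)?$|\.license$/i';
const MAX_EVIDENCE_BYTES = 1048576; // assumed cap so one huge file cannot bloat the BOM

/**
 * Hypothetical helper: collect the top-level license files of one installed
 * package as CycloneDX license-evidence entries (name + base64 text).
 */
function gatherLicenseEvidence(string $packageDir): array
{
    $evidence = [];
    $names = scandir($packageDir);
    if ($names === false) { return []; }
    foreach ($names as $name) {
        $path = $packageDir . DIRECTORY_SEPARATOR . $name;
        // Regular files only; skip symlinks so evidence never comes from outside the package.
        if (is_link($path) || !is_file($path)) { continue; }
        if (preg_match(LICENSE_FILE_PATTERN, $name) !== 1) { continue; }
        $size = filesize($path);
        if ($size === false || $size > MAX_EVIDENCE_BYTES) { continue; }
        $text = file_get_contents($path);
        if ($text === false) { continue; }
        // Evidence records what was found in the package; it is not the declared license.
        $evidence[] = ['license' => [
            'name' => 'file: ' . $name,
            'text' => [
                'contentType' => 'text/plain',
                'encoding'    => 'base64',
                'content'     => base64_encode($text),
            ],
        ]];
    }
    return $evidence;
}

// Constructed sample: a throwaway package directory standing in for vendor/acme/demo.
$dir = sys_get_temp_dir() . '/acme-demo-' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents("$dir/composer.json", '{"name":"acme/demo","license":"MIT"}');
file_put_contents("$dir/LICENSE", "MIT License\n\nCopyright (c) 2024 Acme (constructed sample)\n");
file_put_contents("$dir/logo.svg.license", "SPDX-License-Identifier: CC0-1.0\n");

echo json_encode(['evidence' => ['licenses' => gatherLicenseEvidence($dir)]], JSON_PRETTY_PRINT), "\n";
```

The declared `MIT` from `composer.json` would stay in the component's `licenses` field; the two gathered files land only under `evidence`.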