Reported by: @mvandere (follow-up to #30, after #35 merged)
When running the generated SPDX-JSON through https://tools.spdx.org/app/validate/, the validator rejects the document:
```
org.spdx.tools.SpdxVerificationException: Analysis exception processing SPDX file: Duplicate SPDX ID: SPDXRef-Package-4dcompiler.exe
```
Root cause
The current SPDX writer derives `SPDXID` purely from the filename (`SPDXRef-Package-`). When the same filename appears in multiple paths (e.g. helper tools duplicated in `setup\, \tools\, \dist\`), all entries collide.
The SPDX spec requires each `SPDXID` to be unique within a document, and separately restricts its syntax to `^SPDXRef-[a-zA-Z0-9.-]+$` (the regex only constrains the characters; uniqueness is a second, independent rule).
Fix
Derive the SPDX ID from a stable, path-sensitive value, e.g.:
- Hash the artefact's `RelativePath` (short SHA1/CRC) and append it: `SPDXRef-Package--<8charhash>`, or
- Replace path separators in the relative path with a SPDX-legal character: `SPDXRef-Package-tools-libfoo.dll`.
The second form is more readable, but it only works if every character in the path is SPDX-legal after substitution, so it needs an additional sanitize pass. That pass is lossy: `my_tool.dll` and `my-tool.dll`, or `tools/x` and `tools-x`, both map to the same string, so substitution alone does not guarantee uniqueness; combining the sanitized path with the short hash from the first option covers both cases.
Acceptance criteria
- Two artefacts with the same basename but different relative paths produce distinct SPDX IDs.
- Generated SPDX-JSON passes https://tools.spdx.org/app/validate/ on multi-binary projects.
- Add a regression test in `DX.Comply.Tests.Spdx.Writer.pas` that creates two artefacts with identical basenames and asserts the IDs differ.
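As an added, hypothetical example (not DX.Comply's own code, and not the unit named above), the following console program shows one way to implement the fix and the regression check together: the ID is built from the sanitized relative path plus the first 8 hex characters of SHA-1 over the separator-normalised path, every generated ID is checked against the SPDX syntax regex, and a constructed sample of the same basename in three directories is asserted to yield distinct IDs. The function and unit names (`SpdxIdForArtefact`, `CanonicalPath`, `Sanitise`, `IsSpdxLegalId`) are assumptions for this example.

```pascal
program SpdxIdDemo;

{$APPTYPE CONSOLE}

uses
  System.SysUtils,
  System.Hash,
  System.RegularExpressions;

const
  // Syntax rule from the SPDX spec for an SPDXID; uniqueness is checked separately below.
  SpdxIdPattern = '^SPDXRef-[a-zA-Z0-9.-]+$';

// Normalise path separators so the same artefact gets the same ID whether the
// path was collected with '\' or '/', and strip leading/trailing separators.
function CanonicalPath(const RelativePath: string): string;
begin
  Result := RelativePath.Replace('\', '/').Trim(['/']);
end;

// The "sanitize pass": replace every character outside [A-Za-z0-9.-] with '-'.
// This is lossy ('my_tool' and 'my-tool' map to the same string), so it must
// not be the only source of uniqueness.
function Sanitise(const S: string): string;
var
  C: Char;
  SB: TStringBuilder;
begin
  SB := TStringBuilder.Create;
  try
    for C in S do
      if CharInSet(C, ['A'..'Z', 'a'..'z', '0'..'9', '.', '-']) then
        SB.Append(C)
      else
        SB.Append('-');
    Result := SB.ToString;
  finally
    SB.Free;
  end;
end;

// Hypothetical replacement for the writer's ID derivation: readable sanitised
// relative path plus the first 8 hex chars of SHA-1 over the canonical path.
// The hash keeps IDs distinct even when sanitisation alone would collide.
function SpdxIdForArtefact(const RelativePath: string): string;
var
  Canon: string;
begin
  Canon := CanonicalPath(RelativePath);
  Result := 'SPDXRef-Package-' + Sanitise(Canon) + '-' +
    THashSHA1.GetHashString(Canon).Substring(0, 8);
end;

function IsSpdxLegalId(const Id: string): Boolean;
begin
  Result := TRegEx.IsMatch(Id, SpdxIdPattern);
end;

var
  Ids: TArray<string>;
  I, J: Integer;
begin
  // Constructed sample: the same helper binary in three directories, plus two
  // paths that differ only in a character the sanitiser folds to '-'.
  Ids := [
    SpdxIdForArtefact('setup\4dcompiler.exe'),
    SpdxIdForArtefact('tools\4dcompiler.exe'),
    SpdxIdForArtefact('dist\4dcompiler.exe'),
    SpdxIdForArtefact('tools\my_tool.dll'),
    SpdxIdForArtefact('tools\my-tool.dll')];

  for I := 0 to High(Ids) do
  begin
    Assert(IsSpdxLegalId(Ids[I]), 'ID is not SPDX-legal: ' + Ids[I]);
    // Regression for the validator error: no two artefacts may share an SPDXID.
    for J := I + 1 to High(Ids) do
      Assert(Ids[I] <> Ids[J], 'Duplicate SPDX ID: ' + Ids[I]);
    Writeln(Ids[I]);
  end;
end.
```

Eight hex characters of SHA-1 is only 32 bits, which is far more than enough for the few hundred artefacts a build produces but is not a cryptographic guarantee; the writer should still keep a set of emitted IDs and fail the run on a duplicate rather than leave it to the online validator to catch.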
Related