Scan from purl

[san-zrl]

PR for running a scan from a Package URL:

• Purl can be specified in giturl field in UI.
• Purl must contain a @version tag
• Branch if specified is overridden by @version tag from purl
• Subfolder is ignored
• Purl resolved via deps.dev. Process fails if deps.dev doesn't know about it.
• Prepared fetching the CBOM from github (result of envisioned github action). Command is a noop for the moment.
• CBOMReadModel: Purl is identifier for CBOM, resolved giturl stored as repository.

[n1ckl0sk0rtge]

Some changes required. See comments

[san-zrl]

I removed ResolvedScanRequest completely and added new mutable state attributes (@Nullable purl, @Nullable gitUrl, @Nonnull revision) to ScanAggregate. The original ScanRequest and also its ScanUrl remains unchanged. giturl is set either directly (if the ScanUrl was a git link) or via purl resolution (if the ScanUrl was a purl). In the latter case purl is populated. Likewise, revision is either set to the git branch (if the ScanUrl was a git link) or to the purl version. This separates purl and gitUrl cleanly, and any of them is never used instead of the other.

In CbomReadModel repository is always the giturl, projectIdentifier is the scan url (the purl or the giturl identifier). There are now findBy methods for both GitUrl and 'PackageURL parameters (with and without commit parameter). Not sure how many of them we need.

I also changed the IO to reflect our enhancements. The projectIdentifier is now used in the list of scans and in the scan result (instead of the gitUrl). On the scan result the full gitUrl is shown as a label.