For now I have left it in (it is used by make test, make top10 etc., and scan_all)
but I think we should just remove the dependency on cargo download.
It seems to have some issues on some crates:
caleb:cargo-scan $ cargo download -x num_cpus
INFO: cargo-download v0.1.2
INFO: Latest version of crate num_cpus=* is 1.16.0
INFO: Crate `num_cpus==1.16.0` downloaded successfully
INFO: Crate content extracted to ./num_cpus-1.16.0/
caleb:cargo-scan $ cargo download -x fs-extra
INFO: cargo-download v0.1.2
INFO: Latest version of crate fs-extra=* is 1.3.0
INFO: Crate `fs-extra==1.3.0` downloaded successfully
thread 'main' panicked at /Users/caleb/.cargo/registry/src/index.crates.io-6f17d22bba15001f/cargo-download-0.1.2/src/main.rs:90:67:
called `Result::unwrap()` on an `Err` value: Custom { kind: InvalidInput, error: "invalid gzip header" }
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
IIRC, audit/chain don't use cargo download anyway, so better to just avoid having a dependency and do it directly ourselves. And it would make it easier on end users to not have to worry about make install.