dfetch-org / dfetch

Dependency fetcher
https://dfetch.rtfd.io/
MIT License

Add support for Gitlab dependency lists #290

Open spoorcc opened 2 years ago

spoorcc commented 2 years ago

It appears that Gitlab can provide dependency lists for projects https://docs.gitlab.com/ee/user/application_security/dependency_list/.

See:

```json
{
  "dependency_files": {
    "type": "array",
    "description": "List of dependency files identified in the project.",
    "items": {
      "type": "object",
      "required": [
        "path",
        "package_manager",
        "dependencies"
      ],
      "properties": {
        "path": {
          "type": "string",
          "minLength": 1
        },
        "package_manager": {
          "type": "string",
          "minLength": 1
        },
        "dependencies": {
          "type": "array",
          "items": {
            "type": "object",
            "description": "Describes the dependency of a project where the vulnerability is located.",
            "properties": {
              "package": {
                "type": "object",
                "description": "Provides information on the package where the vulnerability is located.",
                "properties": {
                  "name": {
                    "type": "string",
                    "description": "Name of the package where the vulnerability is located."
                  }
                }
              },
              "version": {
                "type": "string",
                "description": "Version of the vulnerable package."
              },
              "iid": {
                "description": "ID that identifies the dependency in the scope of a dependency file.",
                "type": "number"
              },
              "direct": {
                "type": "boolean",
                "description": "Tells whether this is a direct, top-level dependency of the scanned project."
              },
              "dependency_path": {
                "type": "array",
                "description": "Ancestors of the dependency, starting from a direct project dependency, and ending with an immediate parent of the dependency. The dependency itself is excluded from the path. Direct dependencies have no path.",
                "items": {
                  "type": "object",
                  "required": [
                    "iid"
                  ],
                  "properties": {
                    "iid": {
                      "type": "number",
                      "description": "ID that is unique in the scope of a parent object, and specific to the resource type."
                    }
                  }
                }
              }
            }
          }
        }
      }
    }
  }
}
```
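As an added illustration of what consuming this format involves (example code written for this page, not part of dfetch and not GitLab's own tooling), the parser below reads a report whose top-level object carries `dependency_files` shaped like the schema above, rebuilds each dependency's provenance chain from `dependency_path`, and falls back on the schema's rule that direct dependencies have no path when the optional `direct` flag is absent. The report embedded in it is constructed sample data, not output from a real project. The one detail worth noticing is that `iid` is only unique within a single dependency file, so the `iid` lookup table has to be built per file; the sample deliberately reuses `iid` 1 in two files to show that a report-wide table would resolve ancestors to the wrong package.

```python
"""Parse the ``dependency_files`` section of a GitLab dependency-scanning report.

Added example for this issue; it is not dfetch's code.  It assumes the report is a
JSON object whose top level carries ``dependency_files`` shaped like the schema in
the issue.  SAMPLE_REPORT is constructed data, not captured from a real project.
"""
from __future__ import annotations

import json
from dataclasses import dataclass, field


@dataclass
class Dependency:
    name: str
    version: str
    iid: int | None
    direct: bool
    parent_iids: list[int] = field(default_factory=list)


@dataclass
class DependencyFile:
    path: str
    package_manager: str
    dependencies: list[Dependency] = field(default_factory=list)

    def by_iid(self) -> dict[int, Dependency]:
        # ``iid`` is unique only within one dependency file, so the lookup table
        # is built per file, never across the whole report.
        return {d.iid: d for d in self.dependencies if d.iid is not None}

    def ancestry(self, dep: Dependency) -> list[str]:
        """Names of ``dep``'s ancestors, direct dependency first, dep excluded."""
        table = self.by_iid()
        chain = []
        for iid in dep.parent_iids:
            if iid not in table:
                raise ValueError(f"{self.path}: unknown parent iid {iid} for {dep.name}")
            chain.append(table[iid].name)
        return chain


def _parse_dependency(raw: dict) -> Dependency:
    path = raw.get("dependency_path") or []
    return Dependency(
        name=raw.get("package", {}).get("name", "<unknown>"),
        version=raw.get("version", "<unknown>"),
        iid=int(raw["iid"]) if "iid" in raw else None,
        # ``direct`` is optional in the schema; the schema states that direct
        # dependencies have no dependency_path, so use that as the fallback.
        direct=raw.get("direct", not path),
        parent_iids=[int(p["iid"]) for p in path],
    )


def parse_dependency_files(report: dict) -> list[DependencyFile]:
    """Validate the schema's required keys and build one DependencyFile per entry."""
    files = []
    for raw in report.get("dependency_files", []):
        missing = [k for k in ("path", "package_manager", "dependencies") if k not in raw]
        if missing:
            raise ValueError(f"dependency file missing required keys: {missing}")
        files.append(DependencyFile(
            path=raw["path"],
            package_manager=raw["package_manager"],
            dependencies=[_parse_dependency(d) for d in raw["dependencies"]],
        ))
    return files


def parse_report(text: str) -> list[DependencyFile]:
    return parse_dependency_files(json.loads(text))


def describe(files: list[DependencyFile]) -> list[str]:
    """One line per dependency; transitive ones show their provenance chain."""
    lines = []
    for f in files:
        for d in f.dependencies:
            origin = "direct" if d.direct else "via " + " > ".join(f.ancestry(d))
            lines.append(f"{f.path} ({f.package_manager}): {d.name} {d.version} [{origin}]")
    return lines


# Constructed sample report (hypothetical packages/versions).  Note iid 1 appears
# in both files and names a different package each time.
SAMPLE_REPORT = {
    "dependency_files": [
        {"path": "requirements.txt", "package_manager": "pip", "dependencies": [
            {"package": {"name": "requests"}, "version": "2.31.0", "iid": 1, "direct": True},
            {"package": {"name": "urllib3"}, "version": "2.0.7", "iid": 2, "direct": False,
             "dependency_path": [{"iid": 1}]},
            {"package": {"name": "idna"}, "version": "3.4", "iid": 3, "direct": False,
             "dependency_path": [{"iid": 1}]},
        ]},
        {"path": "package-lock.json", "package_manager": "npm", "dependencies": [
            {"package": {"name": "express"}, "version": "4.18.2", "iid": 1},
            {"package": {"name": "body-parser"}, "version": "1.20.1", "iid": 2,
             "dependency_path": [{"iid": 1}]},
            {"package": {"name": "qs"}, "version": "6.11.0", "iid": 3,
             "dependency_path": [{"iid": 1}, {"iid": 2}]},
        ]},
    ]
}

if __name__ == "__main__":
    print("\n".join(describe(parse_report(json.dumps(SAMPLE_REPORT)))))
```

The `npm` entries in the sample omit `direct` on purpose, so the fallback rule is exercised; a report that violates the schema's `required` list fails fast with a `ValueError` rather than being silently mapped to an empty file.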
spoorcc commented 2 years ago

GitHub has a dependency graph, but doesn't seem to have a custom report format. https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph