stringbean / sbt-dependency-lock

sbt plugin for creating dependency lockfiles
https://stringbean.github.io/sbt-dependency-lock
Apache License 2.0

Add artifact URL and sha256 hash to lock file #38

Closed broeng closed 2 months ago

broeng commented 1 year ago

Change Description

This PR is a first draft for augmenting the build.sbt.lock files with the following information:

The SHA-256 hashing is based on the SHA-1 hash implementation using MessageDigest from sbt.io.Hash. It has pretty much just been lifted out, and had the hash algorithm changed for MessageDigest.

Besides these additions, I have made the following changes to the build.sbt.lock file format:

Renaming the hash attribute makes this PR backwards incompatible with existing lockfiles. It is my impression that these lockfiles can be easily regenerated when updating the plugin version, but I welcome feedback on this decision, and any suggestions related to it.

Of other decisions worth considering, I decided not to include the artifact URL in the compare method of ResolvedArtifact, as I felt it was a bit irrelevant if the same artifact was found at a different URL, as long as the hashes of the actual artifacts remained unchanged.

Rationale

My motivation for doing this PR comes from a desire to be able to build sbt Scala projects with NixOS. The normal artifact resolution process is problematic in this context, and ideally each external dependency should have a download URL and SHA-256 hash known in advance. It seems to me that sbt-dependency-lock is very well suited for recording this information in the build.sbt.lock files.

I hope we can find a solution that is acceptable to this project, where we can add this information to the files.

Tests and style

The corresponding test fixtures have been updated, and I have tried to minimize any kind of diff-noise in these, so it's hopefully clear that I haven't inadvertently caused any test regressions by changing the fixtures too much.

I have run tests, scripted, headerCheck, and scalafmt on source files in both main and test.

Feedback

As I have noted, I consider this a first draft of this PR, and I expect there to be feedback. I'm willing to continue working on it, based on the feedback, if you see any potential of getting something like this merged.

I was initially looking for a Discord or related, where I could coordinate what a solution should look like, but it seems the Issue-list is the preferred choice of this project, and then I thought I might as well push a suggestion as a starting point.
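The hashing approach described in the PR (streaming a file through `MessageDigest` with SHA-256 instead of SHA-1), shown here as an added example that is not the PR's or the plugin's own code, together with a check of a downloaded artifact against the hex digest recorded in a lock file. The object name `ArtifactHash`, the buffer size and the `matchesLock` helper are assumptions for illustration.

```scala
import java.io.{File, FileInputStream, InputStream}
import java.security.MessageDigest

// Hypothetical helper, not part of sbt-dependency-lock.
object ArtifactHash {

  // Reads the stream in chunks and feeds each chunk to the digest, so
  // large artifacts are never loaded into memory in one piece. This is
  // the same loop shape as the SHA-1 code in sbt.io.Hash, with the
  // algorithm name swapped for SHA-256.
  def sha256(in: InputStream): String = {
    val digest = MessageDigest.getInstance("SHA-256")
    val buffer = new Array[Byte](8192) // chunk size is an arbitrary choice
    var read = in.read(buffer)
    while (read >= 0) {
      digest.update(buffer, 0, read)
      read = in.read(buffer)
    }
    // Lower-case hex, 64 characters for a 32-byte SHA-256 digest.
    digest.digest().map(b => f"${b & 0xff}%02x").mkString
  }

  def sha256(file: File): String = {
    val in = new FileInputStream(file)
    try sha256(in) finally in.close()
  }

  // Compares a freshly computed digest with the hex value stored in the
  // lock file. MessageDigest.isEqual is a constant-time comparison, so
  // the result does not leak how many leading characters matched.
  def matchesLock(file: File, expectedHex: String): Boolean = {
    val actual   = sha256(file).getBytes("US-ASCII")
    val expected = expectedHex.trim.toLowerCase.getBytes("US-ASCII")
    MessageDigest.isEqual(actual, expected)
  }

  // Usage: ArtifactHash <path-to-artifact> <sha256-from-lock-file>
  def main(args: Array[String]): Unit = {
    val Array(path, expected) = args
    val ok = matchesLock(new File(path), expected)
    println(if (ok) "artifact matches lock file" else "HASH MISMATCH: do not use this artifact")
    if (!ok) sys.exit(1)
  }
}
```

Rejecting a mismatching artifact before it enters the classpath is what makes the recorded URL plus hash useful for a reproducible build: the URL says where to fetch, the hash decides whether the fetched bytes are trusted.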

broeng commented 1 year ago

I noticed Codacity had a couple of comments, so I've updated and corrected four^Wthree of the five issues.

For now, I have not addressed its suggestion of avoiding while loops, as the SHA-256 hashing done in that section is based on the sbt.io.Hash implementation, and I'd like to get feedback on whether you prefer it to be identical, or more idiomatic.

The other is a "Potential Path Traversal" which I don't feel is too relevant.