
Refactor using builder package

Fabien Catteau requested to merge 263441-builder-pkg into master

What does this MR do?

Introduce builder packages for Maven, Gradle, and Sbt.

The analyze function no longer has knowledge of the package managers the analyzer supports. It imports the builders as anonymous packages, and proceeds in 5 steps:

  1. configure version range extensions, scanner, and builders
  2. look for supported project files, and track "builds"
  3. build whatever needs to be built, in order to get parseable dependency lists
  4. scan all the dependency lists
  5. convert the result

The findBuilds function can find builds in sub-directories, in order to support Maven and Gradle sub-modules:

  • builds are found for the parent module and all its sub-modules, in that order
  • the builder is called to build the parent module, with the side effect of creating JSON output in the directories that correspond to the sub-modules
  • the builder is called to build the sub-modules, but it does nothing because the JSON output already exists; it simply collects input files and related output files
  • all builds are scanned, with no distinction between the parent module and its sub-modules, and the locations of the vulnerabilities are accurate

What are the relevant issue numbers?

gitlab-org/gitlab#263441 (closed)

Does this MR meet the acceptance criteria?

Next steps

Edited by Fabien Catteau
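The five-step flow and the sub-module handling described in the MR, as an added stand-alone Go example. This is not code from the MR or from the analyzer it changes: the registry, the `Builder` interface, the `maven` type and the `dependency-tree.txt` output name are assumptions, the Maven build is simulated (it extracts `<dependency>` elements from each `pom.xml` with a regex instead of running `mvn`, and writes the output for every `<module>` listed in the parent, mimicking the side effect the MR relies on), and the advisory list and the two-module project are constructed sample data. In the real refactor each builder lives in its own package and registers itself when imported anonymously; here the `init()` in the same file stands in for that import.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"regexp"
	"sort"
	"strings"
)

// Builder is what each package-manager package registers from its init().
// Assumed interface: the analyzer only needs these three operations.
type Builder interface {
	Supports(name string) bool              // is this file a project file for the builder?
	OutputFile() string                     // dependency list the build writes beside it
	Build(projectFile string) (bool, error) // true when a build actually ran
}

var registry []Builder

func Register(b Builder) { registry = append(registry, b) }

// Build tracks one project file and the dependency list expected beside it.
type Build struct {
	Input, Output string
	Builder       Builder
}

// findBuilds walks root and returns parent modules before their sub-modules.
// filepath.Walk is lexical, so a directory named "core" is visited before
// "pom.xml"; the stable sort by depth restores the parent-first order.
func findBuilds(root string) ([]Build, error) {
	var builds []Build
	err := filepath.Walk(root, func(p string, info os.FileInfo, err error) error {
		if err != nil || info.IsDir() {
			return err
		}
		for _, b := range registry {
			if b.Supports(info.Name()) {
				builds = append(builds, Build{p, filepath.Join(filepath.Dir(p), b.OutputFile()), b})
			}
		}
		return nil
	})
	depth := func(p string) int { return strings.Count(p, string(filepath.Separator)) }
	sort.SliceStable(builds, func(i, j int) bool { return depth(builds[i].Input) < depth(builds[j].Input) })
	return builds, err
}

// maven simulates the Maven builder. Building the parent also writes the
// output into every <module> directory, so sub-module builds find it present
// and only collect files. Simulation only: no mvn is invoked.
type maven struct{}

var (
	moduleRe = regexp.MustCompile(`<module>([^<]+)</module>`)
	depRe    = regexp.MustCompile(`<dependency>\s*<groupId>([^<]+)</groupId>\s*<artifactId>([^<]+)</artifactId>\s*<version>([^<]+)</version>`)
)

func (maven) Supports(name string) bool { return name == "pom.xml" }
func (maven) OutputFile() string        { return "dependency-tree.txt" }
func (maven) Build(pom string) (bool, error) {
	dir := filepath.Dir(pom)
	if _, err := os.Stat(filepath.Join(dir, "dependency-tree.txt")); err == nil {
		return false, nil // already produced by the parent build: nothing to do
	}
	src, err := os.ReadFile(pom)
	if err != nil {
		return false, err
	}
	dirs := []string{dir}
	for _, m := range moduleRe.FindAllStringSubmatch(string(src), -1) {
		dirs = append(dirs, filepath.Join(dir, m[1]))
	}
	for _, d := range dirs {
		if err := writeTree(d); err != nil {
			return false, err
		}
	}
	return true, nil
}

// writeTree extracts group:artifact:version lines from dir/pom.xml (stand-in for a resolved tree).
func writeTree(dir string) error {
	src, err := os.ReadFile(filepath.Join(dir, "pom.xml"))
	if err != nil {
		return err
	}
	var lines []string
	for _, m := range depRe.FindAllStringSubmatch(string(src), -1) {
		lines = append(lines, m[1]+":"+m[2]+":"+m[3])
	}
	return os.WriteFile(filepath.Join(dir, "dependency-tree.txt"), []byte(strings.Join(lines, "\n")+"\n"), 0o644)
}

// Finding is one advisory match; Location is the project file relative to the scanned root.
type Finding struct{ Package, Version, Location string }

var advisories = map[string]string{"com.example:vulnerable-lib": "1.0.0"} // constructed sample, not a real advisory

func scan(root string, b Build) ([]Finding, error) {
	src, err := os.ReadFile(b.Output)
	if err != nil {
		return nil, err
	}
	var out []Finding
	for _, line := range strings.Split(strings.TrimSpace(string(src)), "\n") {
		p := strings.Split(line, ":")
		if len(p) == 3 && advisories[p[0]+":"+p[1]] == p[2] {
			loc, _ := filepath.Rel(root, b.Input)
			out = append(out, Finding{p[0] + ":" + p[1], p[2], loc})
		}
	}
	return out, nil
}

// analyze knows nothing about Maven: it uses whatever the registry holds.
func analyze(root string) (int, []Finding, error) {
	builds, err := findBuilds(root) // step 2: find project files, parent first
	if err != nil {
		return 0, nil, err
	}
	built := 0
	for _, b := range builds { // step 3: build what needs building
		ran, err := b.Builder.Build(b.Input)
		if err != nil {
			return 0, nil, err
		}
		if ran {
			built++
		}
	}
	var findings []Finding
	for _, b := range builds { // step 4: scan every dependency list
		f, err := scan(root, b)
		if err != nil {
			return 0, nil, err
		}
		findings = append(findings, f...)
	}
	return built, findings, nil // step 5: the findings slice is the converted report
}

// writeFixture creates a constructed two-module Maven project under dir.
func writeFixture(dir string) error {
	parent := "<project><modules><module>core</module></modules><dependencies><dependency><groupId>com.example</groupId><artifactId>shared-lib</artifactId><version>1.2.0</version></dependency></dependencies></project>"
	core := "<project><dependencies><dependency><groupId>com.example</groupId><artifactId>vulnerable-lib</artifactId><version>1.0.0</version></dependency></dependencies></project>"
	if err := os.MkdirAll(filepath.Join(dir, "core"), 0o755); err != nil {
		return err
	}
	if err := os.WriteFile(filepath.Join(dir, "pom.xml"), []byte(parent), 0o644); err != nil {
		return err
	}
	return os.WriteFile(filepath.Join(dir, "core", "pom.xml"), []byte(core), 0o644)
}

func init() { Register(maven{}) } // step 1: what the anonymous import of the maven package triggers

func main() {
	dir, err := os.MkdirTemp("", "builder-example")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	if err := writeFixture(dir); err != nil {
		panic(err)
	}
	built, findings, err := analyze(dir)
	if err != nil {
		panic(err)
	}
	fmt.Printf("builds run: %d\n", built)
	for _, f := range findings {
		fmt.Printf("%s %s in %s\n", f.Package, f.Version, f.Location)
	}
}
```

Running it reports one build (the parent; the `core` sub-module build is skipped because its output already exists) and one finding located at `core/pom.xml` rather than at the parent, which is the accurate-location property the MR describes.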
