Read Go packages using `go list`

Oscar Tovar requested to merge hacks4oats/fix-go-mod-list into master

What does this MR do?

The `packages.Load` function would not discover packages when they were only used in tests. This meant that the `go.sum` parser would be used if a project only used Go for tests and did not produce other build artifacts. The `go list` command does not have this issue and produces a list of the packages used by the main module, regardless of whether it was in a test or in the final artifact.

Additional info

In Go 1.19 and newer, the `go list` command allows the `-json` flag to specify the list of fields it should return. Since we've upgraded the analyzer images to use Go 1.19 or newer in !571 (merged), we leverage the `-json` flag, and this reduces the noise in the debug logs.

What are the relevant issue numbers?

Closes Dependency scanning uses go.sum parser for Go p... (gitlab-org/gitlab#396918 - closed)

Does this MR meet the acceptance criteria?

Edited by Fabien Catteau
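The field-restricted `go list` output described above can be turned into a dependency list as follows. This is an added example, not the analyzer's own code: it assumes an invocation such as `go list -deps -test -json=ImportPath,Module ./...`, and the `listedPackage` type, `ModulesFromGoList` function and sample output are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"sort"
	"strings"
)

// listedPackage holds the fields requested via -json=ImportPath,Module (assumed field selection).
type listedPackage struct {
	ImportPath string
	Module     *struct {
		Path, Version string
		Main          bool
	}
}

// Constructed sample: go list writes a stream of concatenated JSON objects, not a JSON array.
const sampleOutput = `{"ImportPath":"example.com/app","Module":{"Path":"example.com/app","Main":true}}
{"ImportPath":"fmt"}
{"ImportPath":"github.com/stretchr/testify/assert","Module":{"Path":"github.com/stretchr/testify","Version":"v1.8.2"}}
{"ImportPath":"github.com/stretchr/testify/require","Module":{"Path":"github.com/stretchr/testify","Version":"v1.8.2"}}`

// ModulesFromGoList returns the sorted, de-duplicated "path@version" of every third-party module.
func ModulesFromGoList(r io.Reader) ([]string, error) {
	dec, seen := json.NewDecoder(r), map[string]bool{}
	for {
		var p listedPackage
		if err := dec.Decode(&p); err == io.EOF {
			break
		} else if err != nil {
			return nil, fmt.Errorf("decoding go list output: %w", err)
		}
		// Standard-library packages carry no Module; the main module is not a dependency.
		if p.Module != nil && !p.Module.Main {
			seen[p.Module.Path+"@"+p.Module.Version] = true
		}
	}
	out := make([]string, 0, len(seen))
	for m := range seen {
		out = append(out, m)
	}
	sort.Strings(out)
	return out, nil
}

func main() {
	fmt.Println(ModulesFromGoList(strings.NewReader(sampleOutput)))
}
```

A truncated stream surfaces as an error rather than a silently shorter dependency list, which matters when the result feeds a vulnerability scan.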