License scan dependencies

[zlav]

Overview

This PR adds support for license scanning vendored dependencies in a user's project. This initial implementation relies on the archive uploader.

These dependencies can be specified in the fossa-deps.yml file as vendored-dependencies

vendored-dependencies:
- name: Django
  path: vendor/Django-3.4.16.tar

Acceptance criteria

Adding a dependency to the fossa-deps.yml file causes it to be archive uploaded, license scanned on the backend, and displayed in the projects list of dependencies.

Testing plan

Validate that the archive upload works end to end

• Create a fossa-deps.yml file with a dependency in the vendored section
• Run fossa analyze
• Inspect the project in the FOSSA UI and validate that the vendored dependency is present.=

Need to make sure files that don't exist are handled correctly.

Risks

I am most concerned about decisions that won't be reversible in the future. The biggest risk is unintuitive behavior to the user, so if anyone sees a spot a warning or an error should exist let me know.

References

#245

Closes https://github.com/fossas/team-analysis/issues/544

Checklist

• I added tests for this PR's change.
• I linted and formatted (via haskell-language-server) any files I touched in this PR.
• If this PR introduced a user-visible change, I added documentation into docs/.
• I updated Changelog.md. If this PR did not mark a release, I added my changes into an # Unreleased section at the top.
• I linked this PR to any referenced GitHub issues.

[cnr]

Overall looks really good -- one major suggestion and some nits

[skilly-lily]

Left a ton of nits, but found a major issue that might allow files with no dependencies.

This should also be formatted

[skilly-lily]

LGTM, a few leftover nits, but this is ready to go.