Add fossa cli config for license scanning #892

Merged
merged 5 commits into from
Sep 18, 2019

Conversation

@lukpueh lukpueh commented Jul 4, 2019

Fixes issue #:
None

Description of the changes being introduced by the pull request:
The new way of doing license scans with fossa uses the fossa cli (e.g. on the CI/CD build) and an API token to publish to app.fossa.com. This PR adds a fossa config file and updates the travis config file accordingly. See commit messages for details.

Note that we can't keep the FOSSA_API_TOKEN secret (e.g. via Travis encrypted or repository-setting environment variables), because those are not available for Travis builds of PRs from forked repositories, which we need to support. Therefore we use a non-confidential push-only API token.

For details see and

Please verify and check that the pull request fulfills the following requirements:

  • The code follows the Code Style Guidelines
  • Tests have been added for the bug fix or new feature
  • Docs have been added for the bug fix or new feature

@lukpueh lukpueh closed this Jul 4, 2019
@lukpueh lukpueh reopened this Jul 4, 2019
@lukpueh lukpueh force-pushed the add-fossa-cli branch 3 times, most recently from 5674e8d to 737a411 on July 4, 2019 11:34
@lukpueh lukpueh commented Jul 4, 2019

Things to consider:

  • We should deprecate (delete) the old TUF Fossa page in favor of the new TUF Fossa page, once this PR is merged.
  • GitHub integration of the new page, to e.g. post status checks, does not seem to work.
  • This PR configures Travis to trigger one license scan per build (per version), which IMO makes sense because different versions have different dependencies. However, the Fossa dashboard seems to always show only the latest scan, and, moreover, does not make it clear which build provided it.
  • This PR configures fossa to use a pip analysis strategy, but this also includes test/build dependencies in the scan (pylint, bandit, tox, etc...). It might make more sense to use requirements strategy...

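The pip-versus-requirements strategy point above, as an added example that is not part of this PR, of the tuf repository, or of fossa-cli: the two strategies are modelled in plain Python to show how much wider the scope of a "pip" scan is than a "requirements" scan. The `pip freeze` output, the requirements file and the package names are all constructed sample data (assumed, not the project's real dependency set), and the requirements parser is deliberately simplified (it skips `-r` includes instead of following them).

```python
"""Model the dependency scope seen by FOSSA's "pip" and "requirements"
analysis strategies for a Python project.

Added example, not code from the tuf repository or from fossa-cli.  The "pip"
strategy is modelled as "every distribution installed in the build
environment", the "requirements" strategy as "every entry pinned in a
requirements file".  All sample input below is constructed.
"""
import re

# Constructed sample: what `pip freeze` might print in a tox/CI environment
# that installed both runtime and test/build dependencies.
PIP_FREEZE_OUTPUT = """\
bandit==1.6.2
iso8601==0.1.12
pylint==2.3.1
requests==2.22.0
securesystemslib==0.11.3
six==1.12.0
tox==3.13.2
"""

# Constructed sample requirements.txt: runtime dependencies only.
REQUIREMENTS_TXT = """\
# runtime dependencies
iso8601==0.1.12
requests==2.22.0   # HTTP client for fetching metadata
securesystemslib==0.11.3
six>=1.11

-r other.txt   # nested include: not followed by this simplified parser
"""

# Leading package name; anything after it (specifier, extras, marker) is ignored.
_REQ_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name):
    """PEP 503 normalisation so 'Foo_Bar' and 'foo-bar' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def pip_strategy(freeze_output):
    """Dependencies a 'pip' strategy scan sees: every installed distribution."""
    deps = set()
    for line in freeze_output.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        deps.add(normalize(line.split("==", 1)[0]))
    return deps


def requirements_strategy(requirements_text):
    """Dependencies a 'requirements' strategy scan sees: entries in the file.

    Comments, blank lines and pip options such as '-r' or '-e' are skipped;
    nested includes are deliberately not followed in this example.
    """
    deps = set()
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        match = _REQ_LINE.match(line)
        if match:
            deps.add(normalize(match.group(1)))
    return deps


def scan_scope_difference(freeze_output, requirements_text):
    """Packages a pip-strategy scan reports that a requirements-strategy scan
    would not: the test/build dependencies the PR discussion wants excluded."""
    return sorted(pip_strategy(freeze_output)
                  - requirements_strategy(requirements_text))


if __name__ == "__main__":
    print("only in pip-strategy scan:",
          scan_scope_difference(PIP_FREEZE_OUTPUT, REQUIREMENTS_TXT))
```

The trade-off to keep in mind: switching to a requirements-only scan removes the tooling noise (here bandit, pylint and tox), but a scan that reads only the requirements file also sees nothing that is not listed there, so transitive dependencies are only covered if the file is a fully pinned freeze of the runtime environment.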
@caniszczyk

I would remove the test/build deps in the scan

Generated by running `fossa init`.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
For fossa Python project configuration see:
https://github.com/fossas/fossa-cli/blob/master/docs/integrations/python.md

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
Note that we can't keep the FOSSA_API_TOKEN secret (e.g. via
Travis encrypted or repository setting environment variables),
because those are not available for PRs from forked repositories.
Therefore we use a non-confidential push-only API token.

For details see https://docs.fossa.com/docs/travisci and
https://docs.fossa.com/docs/api-reference#section-push-only-api-token

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
Before, we used the pip analysis strategy, which also includes
test/build dependencies in the scan (pylint, bandit, tox, etc...).

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
@lukpueh lukpueh merged commit 21c3285 into theupdateframework:develop Sep 18, 2019