feat: Java dependency graph information

[kzantow]

Description

This PR implements dependency graph information for Java packages. This applies primarily to these scenarios:

• source scan of Java Maven-based projects, which now includes appropriate top-level and optionally, transitive dependency information
• nested archive with embedded packages

For example: a user scanning a .war file with multiple embedded .jar files, the topmost package representing the .war file will have dependency relationships from the specific packages surfaced from the included .jar files.

Additionally, this PR includes a refactoring the internal Maven resolver functionality to an internal package to provide clearer boundaries of usage vs. internal methods.

• Fixes Emit relationships for Java dependencies #3189

Type of change

• New feature (non-breaking change which adds functionality)

Checklist:

• I have added unit tests that cover changed behavior
• I have tested my code in common scenarios and confirmed there are no regressions
• I have added comments to my code, particularly in hard-to-understand sections

[kzantow]

The PomProperties has the scope? This doesn't seem right, but this was the existing behavior.

[wagoodman]

agreed -- we should make a syft 2.0 for this and mark the field as deprecated. There is a discussion in #572 on how to mark dev/test deps on edges, but for now we've elected to not track these.

[wagoodman]

🚀