fix: accept from-provenance repos as scm authentic

[benmss]

Summary

This PR updates the SCM Authenticity check to allow acceptance of repository URLs found from provenance as being authentic.

Description of changes

The check is changed to rely entirely on the repo verification results produced during analysis. Previously the check would reject any non-Maven PURLs.
The final confidence value for PASSED results is now reported as HIGH if the reason is from_provenance.

The class hierarchy of the repo verifiers has been extended to support repository verification from provenance. The new hierarchy is as follows:

• RepoVerifierBase, the abstract base class exists to provide the verify_repo function stub.
• RepoVerifierFromProvenance is an implementation of RepoVerifierBase that provides the from-repo functionality in its verify_repo function
• RepoVerifierToolSpecific is an abstract class that inherits the functionality of RepoVerifierFromProvenance while providing an abstract property for subclass defined build tools (specific_tool), an abstract function verify_by_tool for tool specific functionality, and a pre-defined verify_repo function that makes use of the RepoVerifierFromProvenance functionality before calling the verify_by_tool function.
• RepoVerifierMaven, RepoVerifierGradle, and future classes inherit from RepoVerifierToolSpecific and must provide their own specific functionality in the verify_by_tool function, and their build tool in the specific_tool property.

The integration test provenance_available is renamed to pypi_toga_provenance_authentic and re-used for this fix to demonstrate that a PyPI package can pass the SCM authenticity check.

Related issues

Closes #1128

[behnazh-w]

Can you please pick an integration test that generates a provenance and make sure the scm authenticity passes?

Also, the description of the check on the index.rst needs to be adjusted.