PEP 751 support #888

Merged: woodruffw merged 9 commits into main from ww/pep-751 on Apr 7, 2025

Conversation

@woodruffw (Member) commented Apr 2, 2025

WIP.

Some scattered thoughts:

  • Right now this adds a --locked flag to enable lockfile collection. Does this make sense? Should it happen by default instead, taking priority over pyproject.toml when present?
  • Right now this collects all pylock.*.toml files by default, not just the generic one or a particular service-specific one. Does this make sense? Should --locked take a value to control this, e.g. --locked=all for the current behavior and --locked=<service> for just pylock.<service>.toml?
  • This only checks [[packages]]. I need to do another closer read of PEP 751 to understand if there are other parts of the file we should collect from. Checked, and packages should be the only part.
  • This doesn't perform any deduplication at the moment, i.e. foo==1.2.3 will be audited multiple times if specified in multiple lockfiles or multiple times in the same file (which the PEP allows). This probably won't happen often but I should probably add that deduplication, similarly to how requirements.txt inputs are handled. This is moot, since deduplication is done at the audit layer.
  • This currently skips any package that doesn't have a version. I think this is probably the right behavior, but perhaps it should be stricter, i.e. skip if it's a non-sdist/wheel but fail/warn if an sdist or wheel is missing a version?

Signed-off-by: William Woodruff <william@trailofbits.com>

Signed-off-by: William Woodruff <william@trailofbits.com>
@woodruffw woodruffw added enhancement New feature or request component:dep-sources Dependency sources labels Apr 2, 2025
@woodruffw woodruffw self-assigned this Apr 2, 2025
@woodruffw woodruffw marked this pull request as ready for review April 4, 2025 21:19
@woodruffw woodruffw changed the title WIP: PEP 751 support PEP 751 support Apr 4, 2025
@woodruffw woodruffw requested a review from di April 4, 2025 21:30
@woodruffw woodruffw enabled auto-merge (squash) April 7, 2025 15:24
@woodruffw woodruffw merged commit b07f28f into main Apr 7, 2025
10 checks passed
@woodruffw woodruffw deleted the ww/pep-751 branch April 7, 2025 15:28