Feature improved java cataloging

[GijsCalis]

As announced in PR #2669 I've improved the package detection for Java/Maven packages by:

• Download and processing of parent poms, fixes: Support Maven multi-level configuration file / parent POM #2017
• Process and store all encountered properties in parent poms
• Process DependencyManagement section , fixes: DependencyManagement ignored in pom.xml #1813, fixes Empty version field on some dependencies when reading pom.xml #1129
• Download and process imported dependencies in DependencyManagement section, further fixing: DependencyManagement ignored in pom.xml #1813, Empty version field on some dependencies when reading pom.xml #1129
• Try to fetch pom files from local Maven repository in user home dir (e.g. $HOME/m2/repository)
• Make local Maven repository configurable for non-standard installations and also useful for unit testing

I've added support for use of the local Maven cache because it usually it contains all the required pom.xml files, when scanning on a system where the code has been build.

As a result the scanning is significantly more complete and faster, see table below with test results.
I've run the tests on the following projects:

• https://github.com/apache/httpcomponents-core
• https://github.com/apache/zookeeper
• https://github.com/spring-projects/spring-petclinic

Syft ver	project & config	time (s.)	total pkgs	pkg with version	licenses found
v1.1.1	httpcomponents with network	-	21	12	7
new	httpcomponents with network	-	21	21	36
v1.1.1	petclinic no network	1.3	24	5	2
v1.1.1	petclinic with network	5.8	24	15	14
new	petclinic no network, no local repo	0.8	24	5	2
new	petclinic no network, with local repo	1.3	24	23	9
new	petclinic with network, with local repo	2.5	24	23	23
v1.1.1	zookeeper with network	33.0	58	18	13
v1.1.1	zookeeper no network	0.2	57	18	0
new	new zookeeper no network, no local repo	0.4	57	54	1
new	new zookeeper with network, no local repo	7.0	57	57	122
new	new zookeeper with network, with local repo	5.0	57	57	122
new	new zookeeper no network, with local repo (after maven build)	0.6	57	57	122

Also find attached some SBOM files generated by syft v1.1.1 and the version in this PR.
sbom.cyclonedx.httpcomponents-new.json
sbom.cyclonedx.httpcomponents-v1.1.1.json
sbom.cyclonedx.jackson-new.json
sbom.cyclonedx.jackson-v1.1.1.json
sbom.cyclonedx.zookeeper-new-no-network-with-local-repo-after-build.json
sbom.cyclonedx.zookeeper-v1.1.1-with-network.json
sbom.cyclonedx.petclinic-new-no-network-no-local-repo.json
Uploading sbom.cyclonedx.petclinic-v1.1.1-with-network.json…

[GijsCalis]

Note: The 'Detect schema changes / Label changes' failed, but should pass on re-run of the job.

[GijsCalis]

@kzantow, @willmurphyscode :
I realise this is quite a large PR, but it also makes significant improvements. Without these improvements syft does not work well enough, especially on Spring Framework based packages, for practical use. The amount of false positives because of missing version number is simply to high. (most of the projects at my company are based on Spring)

I can split this PR into smaller parts, each adding part of the improvements:

• use of local Maven repository:

  • Greater chance of finding licenses on systems that have build the package, because no network (UseNetwork) is required.
  • Much faster scans when using network and pom file is available locally. And also thus limiting requests to the remote repository.

• Fix bug in configuration: no default configuration is loaded for the java cataloger (see: https://github.com/GijsCalis/syft/blob/ff1c8431704181ede8edf3325004f3163f3283e6/cmd/syft/internal/options/java.go#L12)

• Parsing of parent poms for property definitions (to improve resolving of properties) and processing imported managed dependencies (which contain version definitions of dependencies).

What would be the best way forward?