scanner: Create and store file listings for each resolved provenance

[fviernau]

Create and store the file listings (path, sha1) for each resolved provenance.
These can be consumed in future iterations (see #6945) for improving the generated SBOMs.

Resolves: #6943.

I've scanned the HEAD of the main branch of npm mime-types which resolved to 335 provenances. The total size of all file listings in the Postgres database is 5605372 bytes. So, about 16.4kb per file listing in average.

BREAKING CHANGE: One does not have to, but should configure a storage backend in ~/.ort/config/config.yml.
If one doesn't do so, ORT falls back to storing the file listings under ~/.ort which may not be
desired. See the modified reference.yml for how the new configuration feature looks like.

[codecov]

Codecov Report

Patch coverage: 60.00% and project coverage change: -0.02 ⚠️

Comparison is base (70e1780) 64.34% compared to head (2a080de) 64.33%.

Additional details and impacted files

@@             Coverage Diff              @@
##               main    #6970      +/-   ##
============================================
- Coverage     64.34%   64.33%   -0.02%     
- Complexity     1960     1966       +6     
============================================
  Files           327      329       +2     
  Lines         16518    16568      +50     
  Branches       2361     2367       +6     
============================================
+ Hits          10629    10659      +30     
- Misses         4870     4887      +17     
- Partials       1019     1022       +3     

Flag	Coverage Δ
funTest-non-docker	30.37% <42.00%> (+0.12%)	⬆️
test	39.80% <60.00%> (+0.10%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
...src/main/kotlin/provenance/ProvenanceDownloader.kt	38.88% <ø> (ø)
...n/kotlin/config/FileListingStorageConfiguration.kt	31.81% <31.81%> (ø)
...anner/src/main/kotlin/utils/FileListingResolver.kt	81.48% <81.48%> (ø)
...del/src/main/kotlin/config/ScannerConfiguration.kt	100.00% <100.00%> (ø)

☔ View full report in Codecov by Sentry.
📢 Do you have feedback about the report comment? Let us know in this issue.

[fviernau]

Looking at above discussion I have a hunch it may be more efficient to come to a conclusion in a short call. @sschuberth @mnonnenmacher would you be in for that?

I'm currently on sick leave.

[fviernau]

@mnonnenmacher @sschuberth I've incorporated the changes we've agreed upon in our call yesterday.

[sschuberth]

What is the rationale for this? The default might change, but this would still be an error.

@mnonnenmacher the removal of the explicit Severity.ERROR happened on my request to align with the code base. If we cannot rely on the value of default arguments, it makes little sense to use default values at all...

[mnonnenmacher]

What is the rationale for this? The default might change, but this would still be an error.

@mnonnenmacher the removal of the explicit Severity.ERROR happened on my request to align with the code base. If we cannot rely on the value of default arguments, it makes little sense to use default values at all...

Then I would argue for removing the default value, the issue severity is something I would like to see on the call side.

[fviernau]

Then I would argue for removing the default value, the issue severity is something I would like to see on the call side.

Are you fine with de-scoping this from this PR then (leave this PR as-is and address the topic separately). I don't like changing this back and forth. In my view this is now a different topic. Agreed?