Add Swift Package Manager component detection support

[raporpe]

Component detection does not currently support detection of Swift Package Manager. This package manager is the new default for swift-related projects now that CocoaPods (supported by Component detection) is on maintenance mode.

This new detector adds basic support to SwiftPM by parsing the JSON file Package.resolved that is generated when dependencies are resolved. This file is usually present in repositories and after building a Swift Package and its contents are enough to detect both direct and transitive dependencies.

This detector does not parse the Package.swift file (hard to parse and does not include transitive dependencies) and does not differentiate between build dependencies, transitive dependencies, and direct dependencies (it is not possible by just parsing Package.resolved).

This detector will register two kind of components: a SwiftPMComponent and a GitComponent. I have decided to also register a Git component because SwiftPM does not rely in a repository infrastructure such as NPM, it directly downloads other Swift Packages from the git repositories. I need feedback in this regard, since I do not know what is the best practice (maybe having two registered components for the same dependency is not a good idea?)

I had to invest time in troubleshooting the verification tests because I was not passing them. The issue is that the reference snapshot has less packages because the environments differ for PipReport since PR #1259. I have added the same environment vars to the snapshot-publish pipeline although maybe @pauld-msft could take a look at this PR to verify that my modification is correct.

[raporpe]

The snapshot reference for the verification tests needs to be updated with the same environment as the verification pipeline or otherwise it will fail.

[raporpe]

@raporpe please read the following Contributor License Agreement(CLA). If you agree with the CLA, please reply with the following information.

@microsoft-github-policy-service agree [company="{your company}"]

Options:

• (default - no company specified) I have sole ownership of intellectual property rights to my Submissions and I am not making Submissions in the course of work for my employer.

@microsoft-github-policy-service agree

• (when company given) I am making Submissions in the course of work for my employer (or my employer has intellectual property rights in my Submissions by contract or applicable law). I have permission from my employer to make Submissions and enter into this Agreement on behalf of my employer. By signing below, the defined term “You” includes me and my employer.

@microsoft-github-policy-service agree company="Microsoft"

Contributor License Agreement

@microsoft-github-policy-service agree company="Microsoft"

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 89.4%. Comparing base (952c1ce) to head (0cd36ad).

Additional details and impacted files

@@           Coverage Diff           @@
##            main   #1316     +/-   ##
=======================================
+ Coverage   89.3%   89.4%   +0.1%     
=======================================
  Files        379     384      +5     
  Lines      30082   30580    +498     
  Branches    1840    1851     +11     
=======================================
+ Hits       26870   27368    +498     
+ Misses      2821    2820      -1     
- Partials     391     392      +1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[raporpe]

I removed SimplePip so that both snapshot generation and verification have the same enabled components. SimplePip was disabled from the verification pipeline in PR #1259