feat: dependency-check-plugin-revision

[RichardUri]

Description

Revises and addresses review feedback on #799, adding dependency vulnerability scanner plugin.

The plugin is intended to intercept pushes and scans changed dependency files against the OWASP Vuln database. If a vulnerability is found at or above a severity threshold, the push will be held for review.

Made changes according to reviewer comments on original PR.
General changes:

• Severity threshold configured via DEPENDENCY_VULN_THRESHOLD environment variable (default: HIGH) rather than a top-level config schema entry
• Fixed git diff argument order (Previously showed removals instead of additions)
• Fixed git show using HEAD instead of the pushed commit SHA
• Fixed missing parent directory creation for nested file paths (e.g. src/lib/foo.json)
• deleteTempRepo now deletes the entire .tempRepo/ directory instead of only the current push's subdirectory
• Added exit code check for dependency-check to prevent silent false negatives on failure
• Replaced spawnSync for the clone operation with async spawn to avoid blocking
  the Node.js event loop
• Removed dead variables and unneeded aliases.
• Added Basic auth credential forwarding on the clone URL, similar one used in pullRemote processor
• Blocked message now includes CVE ID, severity, and description
• 'temporaryRepo.js' removed and is now directly included into the main file.
• Added exports entry and README documentation for the new plugin

Related Issue

Revises #799

Checklist

General

• I have read the CONTRIBUTING.md guidelines
• Commit messages follow Conventional Commits format
• I have a FINOS CLA on file

Documentation

• Documentation has been added/updated for any new features

Configuration

• If configuration schema (config.schema.json) was modified:
  • TypeScript types regenerated (npm run generate-config-types)
  • Schema reference docs regenerated (npm run gen-schema-doc)

Tests

• Tests have been added/updated for new functionality
• Unit tests pass (npm test)
• Linting and formatting pass (npm run lint and npm run format:check)
• Type checks pass (npm run check-types)

[netlify]

✅ Deploy Preview for endearing-brigadeiros-63f9d0 canceled.

Name	Link
🔨 Latest commit	7405dd1
🔍 Latest deploy log	https://app.netlify.com/projects/endearing-brigadeiros-63f9d0/deploys/6a00e521255cd40008d8f1aa

[kriswest]

It seems odd to have a plug-in to a complete extra clone of the repository and compute its own diff in order to run scanning tools on it, when when the built-in scanners already do both of these things... Can this not be written to use the data from the existing clone and diff operations?