
228 - support for go list -deps #238

Closed
wants to merge 3 commits into from

Conversation

SirMaster

@SirMaster SirMaster commented May 28, 2021

This is an initial look into allowing go list -deps to be supported. go list -deps -json gives us the specific dependencies that will be used at runtime for a Go binary. By allowing a user to use go list -deps -json ./... | nancy sleuth we give control to them by allowing them to choose what to check for vulnerabilities.

This pull request makes the following changes:

  • Additional support to slurp in the result stream of go list -deps -json

It relates to the following issue #s:

cc @bhamail / @DarthHater

Note: created a draft PR first to confirm code changes; if all is good, will do documentation changes as well in a full PR.

@DarthHater
Member

@dnwe , the infallible @SirMaster has cranked this out, if you wouldn't mind taking a gander.

@dnwe

dnwe commented Jun 17, 2021

@SirMaster I gave this a quick test on Go 1.16, but it looks like it's not currently extracting the module deps from the input json. Building from your branch and giving it the -deps -json output, nancy reports that it didn't scan any modules:

$ go list -deps -json ./... | ./nancy sleuth
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Summary                     ┃
┣━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━┫
┃ Audited Dependencies    ┃ 0 ┃
┣━━━━━━━━━━━━━━━━━━━━━━━━━╋━━━┫
┃ Vulnerable Dependencies ┃ 0 ┃
┗━━━━━━━━━━━━━━━━━━━━━━━━━┻━━━┛
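The symptom above (zero audited dependencies) is what you get when the `go list -deps -json` stream is not decoded as a stream. `go list -json` emits one JSON object per package, concatenated with no enclosing array, so the parser has to loop over `json.Decoder.Decode` until `io.EOF` and then lift the module identity out of each package's `Module` field. The following is an added example written for this review, not code from the PR branch or from nancy; the struct field names mirror the real `go list -json` output, while the sample input and the function names `ExtractModules` / `ExtractModulesFromString` are constructed for illustration:

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"sort"
	"strings"
)

// Module is the subset of the `go list -json` Module object needed here.
type Module struct {
	Path    string  `json:"Path"`
	Version string  `json:"Version"`
	Main    bool    `json:"Main"`
	Replace *Module `json:"Replace,omitempty"`
}

// Package is the subset of the per-package `go list -json` object needed here.
type Package struct {
	ImportPath string  `json:"ImportPath"`
	Standard   bool    `json:"Standard"`
	Module     *Module `json:"Module,omitempty"`
}

// ExtractModules reads the concatenated JSON objects produced by
// `go list -deps -json` and returns the unique, sorted set of third-party
// module dependencies as "path@version". Standard-library packages and the
// main module are skipped (they are not what a vulnerability audit should
// look up). A replaced module resolves to its replacement; a directory
// replacement carries no version and is reported by its path alone.
func ExtractModules(r io.Reader) ([]string, error) {
	dec := json.NewDecoder(r)
	seen := map[string]struct{}{}
	for {
		var pkg Package
		err := dec.Decode(&pkg)
		if err == io.EOF {
			break // end of the object stream
		}
		if err != nil {
			return nil, fmt.Errorf("decoding go list output: %w", err)
		}
		if pkg.Standard || pkg.Module == nil || pkg.Module.Main {
			continue
		}
		m := pkg.Module
		if m.Replace != nil {
			m = m.Replace
		}
		key := m.Path
		if m.Version != "" {
			key += "@" + m.Version
		}
		seen[key] = struct{}{}
	}
	out := make([]string, 0, len(seen))
	for k := range seen {
		out = append(out, k)
	}
	sort.Strings(out)
	return out, nil
}

// ExtractModulesFromString is a convenience wrapper over ExtractModules.
func ExtractModulesFromString(s string) ([]string, error) {
	return ExtractModules(strings.NewReader(s))
}

// sampleGoListOutput is a constructed, abbreviated stand-in for real
// `go list -deps -json ./...` output: one stdlib package, two packages from the
// same module, one package from a replaced module, and the main module itself.
const sampleGoListOutput = `
{"ImportPath": "fmt", "Standard": true}
{"ImportPath": "golang.org/x/text/unicode/norm",
 "Module": {"Path": "golang.org/x/text", "Version": "v0.3.6"}}
{"ImportPath": "golang.org/x/text/transform",
 "Module": {"Path": "golang.org/x/text", "Version": "v0.3.6"}}
{"ImportPath": "github.com/example/lib/sub",
 "Module": {"Path": "github.com/example/lib", "Version": "v1.2.0",
            "Replace": {"Path": "github.com/fork/lib", "Version": "v1.2.1"}}}
{"ImportPath": "example.com/app",
 "Module": {"Path": "example.com/app", "Main": true}}
`

func main() {
	mods, err := ExtractModulesFromString(sampleGoListOutput)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, m := range mods {
		fmt.Println(m) // prints github.com/fork/lib@v1.2.1 then golang.org/x/text@v0.3.6
	}
}
```

Two details matter for the audit result: deduplicating on the module (not the package) so the summary counts modules the way `go list -m` input does, and honouring `Replace`, since the replacement is the code that actually ends up in the binary.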

@DarthHater
Copy link
Member

Closing in favor of #247

@DarthHater DarthHater closed this Sep 16, 2021
@DarthHater DarthHater deleted the sonatype-nancy-228-support-go-list-deps branch September 16, 2021 19:54
Linked issue: Suggested go list -m json all vulnerability checks swathes of dependencies that never end up in a binary