
feat: support locking of parents when locking build components #100


Merged
merged 4 commits into from
Jun 16, 2025

Conversation

@smaarn smaarn (Contributor) commented Jun 8, 2025

This PR does several things:

  1. Enforce the locking of parent hierarchy when locking the build
  2. Update the XSD

Implementation chosen so far is to inline the parent declaration, but obviously it's challengeable.

Fixes #98

  • Tests pass
  • Unit tests are added on the introduced classes
  • Elaborate on the "separate fake poms" option

@vandmo vandmo (Owner) commented Jun 12, 2025

Hi and thanks!

I would like to try something like:

  • .dependency-lock/pom.xml with only dependencies
  • .dependency-lock/build/pom.xml with build lock

OR maybe

  • .dependency-lock/pom.xml with only dependencies
  • .dependency-lock/build/pom.xml with build lock except parents
  • .dependency-lock/parents/pom.xml with the parents as

and see how that works with dependabot.

The reason for having it in separate files is that you could see in dependabot if the vulnerability is in the build chain or the dependencies of the artifact.

Dependabot and similar tools are the reason the pom lock format exists and I am pretty sure that dependabot will not pick up nested parents. If you comment out publishing of the XSD in this PR I could merge it and we could try it out though. (Don't want to publish the XSD until we are sure it works).

If you are using some other dependency checking tool like https://dependencytrack.org/ or similar it would be interesting to know how it works there.

I will have some time to look into this more this weekend.

Everything looks very good by the way!

@vandmo vandmo marked this pull request as ready for review June 16, 2025 05:30
@vandmo vandmo merged commit ec30b06 into vandmo:master Jun 16, 2025
2 of 3 checks passed
Successfully merging this pull request may close these issues: Lock parent pom chain