
Conversation

@DarthHater (Member)

Welp, why not send in a list of hashes, if people want to do that!

This allows someone to scan for situations where someone may have copied a downloaded file of jquery, etc. into their project, and bypassed using npm or yarn to manage it as a dependency (it happens!)

This pull request makes the following changes:

  • Adds Hasher, Lister and Merger classes that hash files, list that they exist, and merge these files with an SBOM that is based on your declared dependencies
  • Adds tests (thanks @allenhsieh!)
  • Implements this with a `-g <path>` or `--deep <path>` command line option

A test for this would be to create a `garbage` (or similar) folder and pop a known vulnerable version of jquery, or a library of your choice, into it. I used this file: https://code.jquery.com/jquery-1.12.4.min.js

Scan like so: `npm run start iq -- --application <your-application> --deep garbage`

If all goes swimmingly, you should see this version of jQuery in your IQ report.

I'd like to soft release this (not update docs), so people can play with it before we full-bore announce it (I'd love to see how it helps overall).

This was based on #142, which was based off alpha, so I patched it over to new trunk.

It relates to the following issue #s:

cc @bhamail / @DarthHater / @allenhsieh / @ken-duck / @ButterB0wl
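The list/hash/merge pipeline described in the PR, as an added, self-contained example that is not the project's own Hasher, Lister or Merger code. It assumes a CycloneDX-style component list, a default skip list of `node_modules` and `.git`, SHA-1 as the lookup key (with SHA-256 recorded beside it) and a `file` component type; the `buildDemoTree` input tree is constructed for the example, using standard test-vector contents so the digests are known.

```typescript
import { createHash } from 'node:crypto';
import { mkdirSync, mkdtempSync, readdirSync, readFileSync, statSync, writeFileSync } from 'node:fs';
import { tmpdir } from 'node:os';
import { join, relative, sep } from 'node:path';

// Shapes are assumed for this example; they mimic a CycloneDX-style component list.
export interface Hash { alg: string; content: string }
export interface Component { type: string; name: string; version?: string; hashes?: Hash[] }
export interface Sbom { bomFormat: string; specVersion: string; components: Component[] }
export interface FileHash { path: string; size: number; sha1: string; sha256: string }

// Lister: walk a directory tree and return every regular file, skipping
// directories a package manager already accounts for (assumed skip list).
export function listFiles(root: string, skip: Set<string> = new Set(['node_modules', '.git'])): string[] {
  const out: string[] = [];
  const walk = (dir: string): void => {
    for (const entry of readdirSync(dir)) {
      if (skip.has(entry)) continue;
      const full = join(dir, entry);
      const st = statSync(full);
      if (st.isDirectory()) walk(full);
      else if (st.isFile()) out.push(full);
    }
  };
  walk(root);
  return out.sort();
}

// Hasher: digest the raw bytes. SHA-1 is assumed here to be the key the
// component catalogue is queried with; SHA-256 is recorded alongside it.
export function hashFile(file: string): FileHash {
  const data = readFileSync(file);
  return {
    path: file,
    size: data.length,
    sha1: createHash('sha1').update(data).digest('hex'),
    sha256: createHash('sha256').update(data).digest('hex'),
  };
}

// Merger: append one 'file' component per hashed file to the SBOM built from
// declared dependencies, deduplicating on SHA-1 so hashing the same vendored
// copy twice (or re-running the scan) does not inflate the bill of materials.
// The input SBOM is not mutated.
export function mergeIntoSbom(sbom: Sbom, hashes: FileHash[], root: string): Sbom {
  const known = new Set<string>();
  for (const c of sbom.components) {
    for (const h of c.hashes ?? []) if (h.alg === 'SHA-1') known.add(h.content);
  }
  const merged: Sbom = { ...sbom, components: [...sbom.components] };
  for (const fh of hashes) {
    if (known.has(fh.sha1)) continue;
    known.add(fh.sha1);
    merged.components.push({
      type: 'file',
      name: relative(root, fh.path).split(sep).join('/'),
      hashes: [{ alg: 'SHA-1', content: fh.sha1 }, { alg: 'SHA-256', content: fh.sha256 }],
    });
  }
  return merged;
}

// Whole pipeline: list, hash, merge with the declared-dependency SBOM.
export function deepScan(root: string, declared: Sbom): Sbom {
  return mergeIntoSbom(declared, listFiles(root).map(hashFile), root);
}

// Constructed input: a throwaway tree with a vendored file, an empty file and
// a node_modules entry that the lister must skip. File contents are the
// standard "abc" and empty-string test vectors, so the digests are known.
export function buildDemoTree(): string {
  const root = mkdtempSync(join(tmpdir(), 'deep-scan-'));
  mkdirSync(join(root, 'vendor'));
  mkdirSync(join(root, 'node_modules', 'left-pad'), { recursive: true });
  writeFileSync(join(root, 'vendor', 'abc.js'), 'abc');
  writeFileSync(join(root, 'empty.js'), '');
  writeFileSync(join(root, 'node_modules', 'left-pad', 'index.js'), 'module.exports = 1;');
  return root;
}

// Constructed SBOM standing in for what the declared dependencies produce.
export const declaredSbom: Sbom = {
  bomFormat: 'CycloneDX',
  specVersion: '1.2',
  components: [{ type: 'library', name: 'lodash', version: '4.17.20' }],
};

// Runs the pipeline over the constructed tree and returns the merged SBOM.
export function demo(): Sbom {
  return deepScan(buildDemoTree(), declaredSbom);
}
```

Calling `demo()` yields the declared `lodash` component plus two `file` components, `empty.js` and `vendor/abc.js`, each carrying its SHA-1 and SHA-256; the copy under `node_modules` is skipped because the package manager already knows about it. Hashing whole files into memory is fine for front-end assets; a streaming digest would be the change to make for large binaries.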

@DarthHater DarthHater added this to the 4.1.0 milestone Sep 30, 2020
Base automatically changed from master to main February 3, 2021 20:18
