
Add support for handling of snippet code #672

Merged
attiasas merged 34 commits into jfrog:dev from talz:feature/snippet-code-decoration
Mar 4, 2026

Conversation


@talz talz commented Feb 12, 2026

Add support for snippet-based code component detection

Summary

Adds a new hidden --snippet CLI flag (and JFROG_XRAY_SNIPPET_SCAN_ENABLE environment variable) that enables snippet-based component detection during audit and git-audit commands. When enabled, the Xray-Lib plugin performs source-level snippet matching to detect license-bearing code fragments (e.g., copied open-source C code), reports them as "snippet" components in the CycloneDX BOM, and surfaces license violations in the results.

Changes

CLI & Flag wiring

  • New hidden --snippet boolean flag added to audit and git audit commands.
  • Validation ensures snippet detection is only enabled when SCA or SBOM scanning is requested.
  • Flag can also be set via the JFROG_XRAY_SNIPPET_SCAN_ENABLE env var.

Audit command & results context

  • IncludeSnippetDetection field added to AuditCommand and ResultContext, threaded through CreateAuditResultsContext.
  • Snippet detection option forwarded to the XrayLibBomGenerator as a plugin environment variable.

Xray-Lib plugin

  • CreateScannerPluginClient now accepts and passes env vars to the plugin subprocess.
  • Default plugin version bumped from 0.0.3-52 to 0.0.3-55.

Result processing

  • New ExternalReferences field on Location (SimpleJSON format) to surface reference URLs from CycloneDX external references.
  • CdxEvidencesToLocations now extracts line numbers and external references from CycloneDX evidence/occurrences.
  • Dedicated handling for "snippet" components in impact-path building (isSnippetComponent, buildSnippetImpactPaths), which treats snippet parent→sub-component relationships differently from regular dependency trees.

Technology support

  • Added Cpp technology with github package type.
  • ToXrayComponentId updated to handle the github package type (colon-separated names).

Test utilities

  • Renamed CreateTestPolicyAndWatch to CreateSecurityTestPolicyAndWatch for clarity.
  • Watch/policy creation helpers now accept a policyType parameter (Security or License).
  • New CreateTestLicensePolicy and generic CreateXrayPolicy helpers.

Tests & test data

  • New integration test TestAuditNewScaSnippetDetection verifying license violations are found with snippet detection enabled and absent without it.
  • Added C/JS snippet detection test data files; moved existing SAST test file into sast/ subdirectory.

Testing

  • New integration test TestAuditNewScaSnippetDetection covers the end-to-end flow: creates a license policy/watch, runs audit without snippet detection (expects zero results), then runs with --snippet (expects 4 license violations).
  • Existing TestCreateResultsContext unit test extended with snippet detection cases.
  • Existing integration tests updated for the refactored test utility signatures.

Checklist

  • The pull request is targeting the dev branch.
  • The code has been validated to compile successfully by running go vet ./....
  • The code has been formatted properly using go fmt ./....
  • All static analysis checks passed.
  • All tests have passed. If this feature is not already covered by the tests, new tests have been added.
  • Updated the Contributing page / ReadMe page / CI Workflow files if needed.
  • All changes are detailed in the description. If not already covered by the JFrog Documentation, new documentation has been added.
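The evidence-to-location mapping and the flag validation rule that the description above outlines, shown as an added Go example that is not code from this PR or from the jfrog-cli-security code base. It uses its own trimmed CycloneDX structs, a constructed `example:component-kind` property to tag snippet components (the marker the real plugin uses is not shown on this page), a constructed sample BOM, and illustrative function names (`SnippetLocations`, `EvidenceToLocations`, `IsSnippetComponent`, `ValidateSnippetOption`) that are assumptions, not the project's API.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// CycloneDX JSON shapes trimmed to the fields this example reads (constructed
// for the example; the real schema carries many more fields).
type ExternalReference struct{ URL string `json:"url"` }
type Occurrence struct {
	Location string `json:"location"`
	Line     int    `json:"line,omitempty"`
}
type Evidence struct{ Occurrences []Occurrence `json:"occurrences,omitempty"` }
type Property struct{ Name, Value string } // encoding/json matches "name"/"value" case-insensitively
type Component struct {
	Type               string              `json:"type"`
	Name               string              `json:"name"`
	Properties         []Property          `json:"properties,omitempty"`
	Evidence           *Evidence           `json:"evidence,omitempty"`
	ExternalReferences []ExternalReference `json:"externalReferences,omitempty"`
}
type BOM struct{ Components []Component `json:"components"` }

// Location is a simplified result location: file, line and reference URLs.
type Location struct {
	File               string
	Line               int
	ExternalReferences []string
}

// snippetMarker is a constructed property name used here to tag snippet
// components; the convention the real plugin uses is not shown on the PR page.
const snippetMarker = "example:component-kind"

// IsSnippetComponent reports whether the component is tagged as a snippet match.
func IsSnippetComponent(c Component) bool {
	for _, p := range c.Properties {
		if p.Name == snippetMarker && p.Value == "snippet" {
			return true
		}
	}
	return false
}

// EvidenceToLocations turns evidence occurrences into locations and attaches the
// component's external reference URLs to each one, so a reviewer sees both where
// the matched code sits and which upstream project it is attributed to.
func EvidenceToLocations(c Component) []Location {
	if c.Evidence == nil {
		return nil
	}
	urls := make([]string, 0, len(c.ExternalReferences))
	for _, ref := range c.ExternalReferences {
		if ref.URL != "" {
			urls = append(urls, ref.URL)
		}
	}
	locs := make([]Location, 0, len(c.Evidence.Occurrences))
	for _, occ := range c.Evidence.Occurrences {
		locs = append(locs, Location{File: occ.Location, Line: occ.Line, ExternalReferences: urls})
	}
	return locs
}

// SnippetLocations parses a CycloneDX JSON BOM and returns the locations of
// every snippet component, keyed by component name.
func SnippetLocations(bomJSON []byte) (map[string][]Location, error) {
	var bom BOM
	if err := json.Unmarshal(bomJSON, &bom); err != nil {
		return nil, fmt.Errorf("invalid CycloneDX BOM: %w", err)
	}
	out := map[string][]Location{}
	for _, c := range bom.Components {
		if IsSnippetComponent(c) {
			out[c.Name] = EvidenceToLocations(c)
		}
	}
	return out, nil
}

// ValidateSnippetOption encodes the rule stated in the PR description: snippet
// detection is only accepted when an SCA or SBOM scan is requested.
func ValidateSnippetOption(snippet, sca, sbom bool) error {
	if snippet && !sca && !sbom {
		return errors.New("--snippet requires SCA or SBOM scanning to be enabled")
	}
	return nil
}

// sampleBOM is a constructed BOM: one ordinary library and one snippet match.
const sampleBOM = `{
  "bomFormat": "CycloneDX", "specVersion": "1.6",
  "components": [
    {"type": "library", "name": "zlib"},
    {"type": "library", "name": "inflate-fragment",
     "properties": [{"name": "example:component-kind", "value": "snippet"}],
     "evidence": {"occurrences": [
       {"location": "src/compress.c", "line": 120},
       {"location": "src/legacy/inflate.c", "line": 8}]},
     "externalReferences": [{"url": "https://example.com/upstream/zlib"}]}
  ]
}`

func main() {
	locs, err := SnippetLocations([]byte(sampleBOM))
	if err != nil {
		panic(err)
	}
	fmt.Printf("snippet locations: %+v\n", locs)
	fmt.Println("validation without SCA/SBOM:", ValidateSnippetOption(true, false, false))
}
```

Copying the external reference URLs onto every location is deliberate: a license violation raised on a snippet is only actionable if the reviewer can open the exact file and line and compare it against the upstream project it was attributed to, so both pieces of evidence travel together in the result.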

@attiasas attiasas added new feature Automatically generated release notes safe to test Approve running integration tests on a pull request labels Feb 15, 2026
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Feb 15, 2026
@attiasas attiasas added the safe to test Approve running integration tests on a pull request label Feb 15, 2026
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Feb 15, 2026
@attiasas attiasas added the safe to test Approve running integration tests on a pull request label Feb 17, 2026
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Feb 17, 2026
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Mar 1, 2026
@attiasas attiasas added the safe to test Approve running integration tests on a pull request label Mar 3, 2026
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Mar 3, 2026
@attiasas attiasas added the safe to test Approve running integration tests on a pull request label Mar 3, 2026
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Mar 3, 2026
@attiasas attiasas added the safe to test Approve running integration tests on a pull request label Mar 3, 2026
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Mar 3, 2026
@attiasas attiasas added ignore for release Automatically generated release notes safe to test Approve running integration tests on a pull request and removed new feature Automatically generated release notes labels Mar 3, 2026
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Mar 3, 2026

github-actions bot commented Mar 3, 2026

👍 Frogbot scanned this pull request and did not find any new security issues.


@attiasas attiasas requested a review from a team March 3, 2026 14:55

@attiasas attiasas left a comment


LGTM

@attiasas attiasas merged commit 4d451a0 into jfrog:dev Mar 4, 2026
71 of 72 checks passed