feat: Integrate SCANOSS #14628

Merged
merged 3 commits into from
Dec 16, 2024

sdirix
Member

@sdirix sdirix commented Dec 13, 2024

What it does

Adds SCANOSS integration in Theia, supporting AI-driven code snippet scanning for open-source and security compliance.

Adds new @theia/scanoss and @theia/ai-scanoss packages to support SCANOSS integration.

  • Provides SCANOSS service for content scanning.
  • Introduces preferences for API key configuration and automatic scanning options.
  • Integrates SCANOSS action into AI Chat UI as part of the code response renderer
  • Displays detailed match results with links and additional information.

Also:

  • Adds a pluggable CodePartRendererAction interface for contributing actions to code parts in AI responses.
  • Adapts code base for updated dependencies where required.

I did the split between scanoss and ai-scanoss as there are also use cases for SCANOSS outside of AI snippet matching. For example in a future follow up we can implement a full workspace scan with a report just within the scanoss package, unrelated to the Theia AI integration.

Manual scanning

SCANOSSManualRequests

Automatic scanning

SCANOSSMatch

Rate limit

image

Note that it's very hard to hit the rate limit. I had to programmatically trigger thousands of requests within an hour to manage to do it.

How to test

Ask for code listings in the Chat view, e.g. How to generate the Fibonacci Sequence

Tips:

  • To generate a deterministic match, just copy code from an OS repo on GitHub and ask the LLM to repeat the code
  • To test the error case, simply enter an invalid API key in the scanoss (not AI) preferences

Breaking changes

  • This PR introduces breaking changes and requires careful review. If yes, the breaking changes section in the changelog has been updated.

Adds SCANOSS integration in Theia, supporting AI-driven code snippet
scanning for open-source and security compliance.

Adds new @theia/scanoss and @theia/ai-scanoss packages to support
SCANOSS integration.

- Provides SCANOSS service for content scanning.
- Introduces preferences for API key configuration and automatic
  scanning options.
- Integrates SCANOSS action into AI Chat UI as part of the code response
  renderer
- Displays detailed match results with links and additional information.

Also:
- Adds a pluggable CodePartRendererAction interface for contributing
  actions to code parts in AI responses.
- Adapts code base for updated dependencies where required.
Signed-off-by: Jonas Helming <jhelming@eclipsesource.com>
Contributor

@JonasHelming JonasHelming left a comment

This works very nicely and is a very valuable addition. I tested it for quite a while and did not find any problem.

I want to suggest one minor addition:
Instead of making only the automatic scan configurable, I would add manual, automatic, and off.
This way, users that do not want to ever use the feature will not see the buttons at all. Also we can make sure that users see the information that has codes are sent to the transparency foundation (in the settings).
To enable this, I have added "canrender" to code response actions. I am pretty sure we will need this for other actions in the future, e.g. an action to "create a file" that is only available if the path is known.

I have set the feature to "off" by default; we might decide in future releases to turn this to "manual".

I have added these suggestions in a separate commit, feel free to reject it.

Contributor

@eneufeld eneufeld left a comment

Looks good to me. I would split the PR in 2 commits that are separately merged though.

- memoize SCANOSS scan button
- make sure snippets are not checked after the fact in case they were
  created while scanOSS was turned off
Member Author

sdirix commented Dec 16, 2024

@eneufeld I added the memo as requested
@JonasHelming I made sure that when scanOSS is turned off, all snippets are marked for manual checking
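
The gating discussed in the review comments above (an off/manual/automatic setting, a `canRender` check on code actions, and no after-the-fact scanning of older snippets), sketched as an added example that is not code from this PR. Every type and function name is hypothetical, and treating snippets created under manual mode the same as those created under off is an assumption.

```typescript
// Hypothetical sketch; none of these names are the @theia/ai-scanoss API.
type ScanMode = 'off' | 'manual' | 'automatic';
type ScanDecision = 'hidden' | 'await-click' | 'scan-now';

interface Snippet {
    id: string;
    code: string;
    // Mode in effect when the snippet was rendered; fixed at creation time.
    modeAtCreation: ScanMode;
}

interface CodeAction {
    id: string;
    // An action that returns false here is not rendered at all.
    canRender(snippet: Snippet, mode: ScanMode): boolean;
}

// Constructed actions: the scan button disappears when the feature is off.
const scanAction: CodeAction = { id: 'scan', canRender: (_snippet, mode) => mode !== 'off' };
const copyAction: CodeAction = { id: 'copy', canRender: () => true };

function visibleActions(actions: CodeAction[], snippet: Snippet, mode: ScanMode): string[] {
    return actions.filter(a => a.canRender(snippet, mode)).map(a => a.id);
}

function decideScan(snippet: Snippet, mode: ScanMode): ScanDecision {
    if (mode === 'off') {
        return 'hidden';
    }
    // Assumption: only snippets created under 'automatic' are sent without a click,
    // so switching the feature on later never uploads older snippets retroactively.
    const auto = mode === 'automatic' && snippet.modeAtCreation === 'automatic';
    return auto ? 'scan-now' : 'await-click';
}

// Ids of snippets whose content would leave the IDE without user interaction.
function autoSentIds(snippets: Snippet[], mode: ScanMode): string[] {
    return snippets.filter(s => decideScan(s, mode) === 'scan-now').map(s => s.id);
}

// Constructed sample: one snippet per mode in effect when it was rendered.
const samples: Snippet[] = [
    { id: 'a', code: 'function fib(n) {}', modeAtCreation: 'off' },
    { id: 'b', code: 'function fib(n) {}', modeAtCreation: 'manual' },
    { id: 'c', code: 'function fib(n) {}', modeAtCreation: 'automatic' }
];
```
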

@sdirix sdirix merged commit bc444e2 into eclipse-theia:master Dec 16, 2024
11 checks passed
@sdirix sdirix deleted the integrate-scanoss branch December 16, 2024 10:44
@github-actions github-actions bot added this to the 1.57.0 milestone Dec 16, 2024