Context / Motivation
It is a common pattern for OCM-Gear-Extensions to work on a stream of Component-Versions (an example use-case being the running of scans for each Component-Version (or rather contained artefacts) and creating evidence about executed scans, as well as tracking yielded scan-results).
Currently, this is implemented by some OCM-Gear-Extensions (namely ClamAV + BDBA) by repeatedly inspecting the greatest version of tracked Component(s) (and their transitive closure of referenced component-versions). While this approach works reasonably well, there is always the risk of missing component-versions (e.g. due to frequent releases, or due to a temporary downtime of OCM-Gear). Also, it appears reasonable to not require each OCM-Gear-Extension to take care of this problem, but rather allow for some re-use.
Proposal
Offer a means of describing ranges of component(versions) to track. This range should in particular offer a "sliding window" of a period of time (referring to creation/release-date of a component-version), e.g. "component-versions from today until 1y into the past". OCM-Gear-Extensions should be able to consume such ranges of component-versions to derive a backlog of actions to do (e.g. scan each component-version, and store evidence about it).
To detect cases where processing does not work as intended (reasons might be a lack of resources, or simply a bug), it should be possible for "watchdog"-extension(s) to track the expected output of artefact-metadata vs. the actual one, and create alerts or other means of error-indication (this might be done in a generic watchdog-extension, but might also be done by OCM-Gear-Extensions individually).
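
The sliding window, the derived backlog and the watchdog comparison proposed above, as an added Python example (not OCM-Gear code and not part of the original issue). All names (`ComponentVersion`, `in_window`, `backlog`, `watchdog`) are hypothetical, the sample data is constructed, and the grace period before alerting is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class ComponentVersion:  # hypothetical type, not an OCM-Gear class
    name: str
    version: str
    created: datetime  # creation/release date of the component-version


def in_window(cvs, now, window):
    """Component-versions created within [now - window, now], oldest first."""
    start = now - window
    return sorted((cv for cv in cvs if start <= cv.created <= now),
                  key=lambda cv: cv.created)


def backlog(tracked, evidence):
    """Tracked component-versions for which no evidence is stored yet."""
    return [cv for cv in tracked if (cv.name, cv.version) not in evidence]


def watchdog(tracked, evidence, now, grace):
    """Backlog entries older than the grace period: expected output is missing."""
    return [cv for cv in backlog(tracked, evidence) if now - cv.created > grace]


# Constructed sample data (not taken from any real component).
UTC = timezone.utc
NOW = datetime(2024, 6, 1, tzinfo=UTC)
WINDOW = timedelta(days=365)  # "from today until 1y into the past"
GRACE = timedelta(days=7)     # assumption: time an extension gets before alerting
NAME = "example.org/component-a"
VERSIONS = [
    ComponentVersion(NAME, "1.0.0", datetime(2023, 1, 10, tzinfo=UTC)),
    ComponentVersion(NAME, "1.1.0", datetime(2023, 9, 15, tzinfo=UTC)),
    ComponentVersion(NAME, "1.2.0", datetime(2024, 3, 2, tzinfo=UTC)),
    ComponentVersion(NAME, "1.3.0", datetime(2024, 5, 30, tzinfo=UTC)),
]
EVIDENCE = {(NAME, "1.1.0")}  # scans for which evidence was stored

if __name__ == "__main__":
    tracked = in_window(VERSIONS, NOW, WINDOW)
    print("tracked: ", [cv.version for cv in tracked])
    print("backlog: ", [cv.version for cv in backlog(tracked, EVIDENCE)])
    print("alerts:  ", [cv.version for cv in watchdog(tracked, EVIDENCE, NOW, GRACE)])
```

An extension that only inspects the greatest version would see 1.3.0 here and never scan 1.2.0; the window keeps 1.2.0 in the backlog, and the watchdog reports it once the grace period has passed.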