
Ensure the dependency report includes transitive plugin dependencies

Open jsvd opened this issue 3 years ago • 0 comments

The licenseMapping.csv file is meant to be a single place to (1) check the software license of all code shipped with Logstash, and (2) let users quickly identify whether a build/release contains a certain version of a certain library (in case of published vulnerabilities).

Currently, the dependencies-report script only grabs the dependencies of logstash core. For this report to be useful, it should also include jar and gem dependencies of any installed logstash plugins.

Implementation-wise, this can be done fully from within Logstash core, or we can push the responsibility of listing each plugin's dependency tree to the plugins (which is then merged with the core list).

If the decision is to do it on the plugin side, we'll still need to know exactly which versions of the plugin dependencies were resolved for the Logstash build, since most dependency version constraints don't force single versions (e.g. ~> 1).

jsvd · Jun 01 '22 09:06
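As an added example (not the dependencies-report script or any other Logstash code), the following Ruby walks the transitive gem dependencies of installed plugins from a Gemfile.lock, which records the versions actually resolved for a build rather than the constraints the plugins declare; it also surfaces names the lockfile does not pin. The lockfile contents, plugin name and versions are constructed sample data.

```ruby
# Constructed sample Gemfile.lock (made-up plugin and versions, not a real Logstash lock).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      logstash-input-example (3.6.0)
        logstash-core-plugin-api (>= 1.60, <= 2.99)
        logstash-mixin-ecs_compatibility_support (~> 1.2)
        manticore (>= 0.7.1)
      logstash-mixin-ecs_compatibility_support (1.3.0)
      manticore (0.9.1)
        openssl_pkcs8_pure (~> 0.0.0)
      openssl_pkcs8_pure (0.0.0.2)
  PLATFORMS
    ruby
LOCK

# Parse the GEM/specs section into { name => { version:, deps: [names] } }.
# Spec lines are indented 4 spaces, their dependency lines 6 spaces.
def parse_lock_specs(lock)
  specs, current, in_specs = {}, nil, false
  lock.each_line do |raw|
    line = raw.chomp
    in_specs = true if line == "  specs:"
    next unless in_specs
    break if line =~ /^\S/                              # next top-level section
    if (m = line.match(/^    (\S+) \((\S+)\)$/))        # "name (resolved version)"
      current = m[1]
      specs[current] = { version: m[2], deps: [] }
    elsif (m = line.match(/^      (\S+)/)) && current   # "dep (version constraint)"
      specs[current][:deps] << m[1]
    end
  end
  specs
end

# Breadth-first closure from the installed plugin names: returns the resolved
# { name => version } map plus names the lockfile does not pin (here the
# constructed logstash-core-plugin-api, which core would supply, not the lockfile).
def resolved_plugin_dependencies(specs, plugins)
  resolved, unresolved, queue = {}, [], plugins.dup
  until queue.empty?
    name = queue.shift
    next if resolved.key?(name) || unresolved.include?(name)
    spec = specs[name]
    next unresolved << name if spec.nil?
    resolved[name] = spec[:version]
    queue.concat(spec[:deps])
  end
  [resolved, unresolved]
end
```

The resolved map is what a vulnerability lookup against the report needs; the unresolved list flags gems whose shipped version must come from core's own list when the two are merged.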