Remove name of source artifact in file findings
Currently, if ORT scans a source artifact, then the name of the extracted tar or zip will be in the file findings.
Example: PyPI::Mako:1.1.3
https://files.pythonhosted.org/packages/72/89/402d2b4589e120ca76a6aed8fee906a0f5ae204b50e455edd36eda6e778d/Mako-1.1.3.tar.gz
| License | Path | Start line | End line |
|---|---|---|---|
| LicenseRef-scancode-reportbug | Mako-1.1.3/doc/_static/underscore.js | 3 | 3 |
| LicenseRef-scancode-reportbug | Mako-1.1.3/doc/_static/underscore-1.3.1.js | 3 | 3 |

In the package configuration excludes, you then also have to include "Mako-1.1.3", which is weird, as we do not do the same for VCS excludes. It also makes it more difficult to upstream local ORT package configurations to, say, ClearlyDefined.
I propose we update the code to omit the name of the source artifact, e.g. Mako-1.1.3, from scan findings.
I believe this should only ever happen with TAR files, as these by convention contain a top-level directory that is named after the base name of the archive.
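Added example, not part of this thread and not ORT's own (Kotlin) code: a stand-alone Python sketch of the behaviour proposed above. It derives the archive base name from the source artifact URL, detects the single top-level directory from the archive's member list (the tar convention noted in this thread), strips that prefix from the findings only when it matches the base name, and shows that a package-configuration exclude such as `doc/*` then matches without the `Mako-1.1.3/` prefix. The `FileFinding` class, the `excluded` matcher and the in-memory sample tarball are constructed for the example; the two findings are the ones quoted in the issue.

```python
"""Added example (not ORT code): strip the source-artifact directory from file findings."""
import fnmatch
import io
import posixpath
import tarfile
from dataclasses import dataclass, replace

# The source artifact from the issue and the two findings quoted for it.
SOURCE_ARTIFACT_URL = (
    "https://files.pythonhosted.org/packages/72/89/"
    "402d2b4589e120ca76a6aed8fee906a0f5ae204b50e455edd36eda6e778d/Mako-1.1.3.tar.gz"
)


@dataclass(frozen=True)
class FileFinding:
    """Constructed stand-in for a scanner license finding: license, path, line range."""
    license: str
    path: str
    start_line: int
    end_line: int


RAW_FINDINGS = [
    FileFinding("LicenseRef-scancode-reportbug", "Mako-1.1.3/doc/_static/underscore.js", 3, 3),
    FileFinding("LicenseRef-scancode-reportbug", "Mako-1.1.3/doc/_static/underscore-1.3.1.js", 3, 3),
]


def archive_base_name(source_artifact_url):
    """'.../Mako-1.1.3.tar.gz' -> 'Mako-1.1.3' (multi-part suffixes are checked before '.tar')."""
    name = source_artifact_url.rsplit("/", 1)[-1]
    for suffix in (".tar.gz", ".tar.bz2", ".tar.xz", ".tgz", ".tar", ".zip"):
        if name.endswith(suffix):
            return name[: -len(suffix)]
    return name


def top_level_dir(paths):
    """Return the one directory every member sits under, or None if there is no such
    directory (a file at the archive root, or several top-level directories).
    Absolute or parent-traversing member paths are rejected rather than normalised away."""
    tops = set()
    for path in paths:
        norm = posixpath.normpath(path)
        if posixpath.isabs(norm) or norm == ".." or norm.startswith("../"):
            raise ValueError(f"unsafe archive member path: {path!r}")
        head, _, rest = norm.partition("/")
        if not rest:
            return None
        tops.add(head)
    return tops.pop() if len(tops) == 1 else None


def strip_archive_prefix(findings, source_artifact_url, member_paths):
    """Drop the 'Mako-1.1.3/' prefix from finding paths when the archive's single top-level
    directory is named after the archive, as proposed in the issue. Anything else is left alone."""
    top = top_level_dir(member_paths)
    if top is None or top != archive_base_name(source_artifact_url):
        return list(findings)
    prefix = top + "/"
    return [replace(f, path=f.path[len(prefix):]) if f.path.startswith(prefix) else f
            for f in findings]


def excluded(finding, patterns):
    """Minimal glob check standing in for package-configuration path excludes."""
    return any(fnmatch.fnmatchcase(finding.path, pattern) for pattern in patterns)


def build_sample_tarball():
    """Constructed in-memory sdist-style tarball: everything under one 'Mako-1.1.3/' directory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in ("Mako-1.1.3/setup.py",
                     "Mako-1.1.3/doc/_static/underscore.js",
                     "Mako-1.1.3/doc/_static/underscore-1.3.1.js"):
            data = b"// constructed sample content\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def archive_member_paths(tar_bytes):
    """Regular-file member paths of a tarball; the strip decision is based on these, not on
    the findings, so a partial set of findings cannot fake a single top-level directory."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        return [m.name for m in tar.getmembers() if m.isfile()]


if __name__ == "__main__":
    members = archive_member_paths(build_sample_tarball())
    for finding in strip_archive_prefix(RAW_FINDINGS, SOURCE_ARTIFACT_URL, members):
        print(finding.path, "excluded by doc/*:", excluded(finding, ["doc/*"]))
```

Requiring the top-level directory to equal the archive base name is a deliberate choice for this example: it strips exactly the name the issue complains about and leaves archives with an unrelated top-level directory untouched, so existing excludes for those keep working. A looser variant, stripping any single top-level directory the way `tar --strip-components=1` does, would cover more archives at the cost of touching more existing configurations.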
For reference, there was an attempt to implement this in #2168, which was rejected partly in the PR discussion and partly in an offline discussion, because of the effort to migrate existing package configurations. But if anyone wants to pick this up, the code from the PR could be reused.