Leakage of local imports from older commits into contributor reports

[rimutaka]

The current implementation of local import detection uses the list of files (tree) from HEAD to check if any of the imports have similar names. Those that match are deemed to be local and are not included in refs section of the report.

The problem arises when a line of code from an older commit from a contributor is matched against the latest tree - some of the files could be renamed or deleted. There will be no match for the import and it will be included in the report as an external reference.

Only contributor reports are affected because they contain info from older commits. The project report looks at the latest (HEAD).

This is a potential privacy issue because some names can be leaked.

Getting the tree for every historical commit is expensive. The solution should include caching of all trees or just their diffs. This is not a quick change.