[Experiment] Populate child dependencies for Bundler graphs

[brrygrdn]

What are you trying to accomplish?

Note

First, go review: #12816

The Gemfile.lock is the only place we can tell the dependencies of a dependency, but fortunately that's the only file we really need to submit, so let's make that change first

When we process a lockfile, we iterate over the file's Bundler::LazySpecification objects which knows the direct descendants of that package but we don't currently attach this to the Dependabot::Dependency object we return.

This PR establishes the pattern of using metadata[:depends_on] key to return a list of dependent names that we can use when we are building graphs for the project.

Anything you want to highlight for special attention from reviewers?

I elected not to add a new attribute to Dependabot::Dependency or its constructor and just use the metadata hash as this is, well, metadata.

We might decide to promote this later, but I'd rather revisit that after doing a few ecosystems so we have a better idea of what logic we want to push into base classes, etc with a few examples under our belt.

How will you know you've accomplished your goal?

We start seeing dependency relationships reflected in Dependency Insights when we use our experiment to submit a snapshot, and we're also able to see transitive paths in Dependabot Alerts when a vulnerable version is involved.

Checklist

• I have run the complete test suite to ensure all tests and linters pass.
• I have thoroughly tested my code changes to ensure they work as expected, including adding additional tests for new functionality.
• I have written clear and descriptive commit messages.
• I have provided a detailed description of the changes in the pull request, including the problem it addresses, how it fixes the problem, and any relevant details about the implementation.
• I have ensured that the code is well-documented and easy to understand.