cve-check: add YAML output

This patch implements the YAML output for CVE-check and re-implements
the coverage pass using this format (also simplifies the logic).

Add an option to output the CVE check in a JSON-based format.
This format is easier to parse in software than the original
text-based one and allows post-processing by other tools.

Output formats are now handed by CVE_CHECK_FORMAT_TEXT and
CVE_CHECK_FORMAT_JSON. Both of them are enabled by default.

The JSON output format gets generated in a similar way to the
text format with the exception of the manifest: appending to
JSON arrays requires parsing the file. Because of that we
first write JSON fragments and then assemble them in one pass
at the end.

Until now the CVE checker was giving information about CVEs found for
a product (or more products) contained in a recipe. However, there was
no easy way to find out which products or recipes have no CVEs. Having
no reported CVEs might mean there are simply none, but can also mean
a product name (CPE) mismatch.

This patch adds CVE_CHECK_COVERAGE option enabling a new type of
statistics. Then we use the new JSON format to report the information.
The legacy text mode report does not contain it.

This option is expected to help with an identification of recipes with
mismatched CPEs, issues in the database and more.

This work is based on [1], but adding the JSON format makes it easier
to implement, without additional result files.

[1] https://lists.openembedded.org/g/openembedded-core/message/159873

This is a backported version of two patches submitted upstream:
https://lists.openembedded.org/g/openembedded-core/message/163745 and
https://lists.openembedded.org/g/openembedded-core/message/163746



The difference is that we bring back the yaml merge function that is
in the lib/ directory in the upstream proposal.

Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>