Constrain Python requirements recursive includes to the scan root

[Omar-Khaleel]

This change prevents Python requirements recursive includes (-r / --requirement) from resolving outside the configured scan root through repository symlinks.

Previously, a requirements file inside the scan root could include -r deps/requirements.txt, where deps is a repository symlink resolving outside the scan root. The extractor would follow the include and attribute dependency metadata from the outside-root file to the scanned project.

This change validates recursive include targets against the scan root after symlink resolution. Include targets that resolve outside the scan root are skipped. In-root recursive includes continue to work.

Regression tests cover:

• recursive include through a symlink that resolves outside the scan root
• normal in-root recursive include behavior

Tested with:

go test ./extractor/filesystem/language/python/requirements -count=1 -v

[google-cla]

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.