NPM utilize package-lock.json or yarn.lock for packages if node_modules not present

[awoodobvio]

Had a tough time getting this plugin to work since we don't scan our code base with sonarqube with node_modules present. Our other license scanner uses package-lock.json or yarn.lock and was hoping this one would do the same.

Workaround: make sure npm ci or yarn install was called prior to running sonar-scanner.

[awoodobvio]

Would be good to at least get the list of packages and have them be "unknown" licenses if you can't infer (package-lock.json seems to have license information in the later versions, but yarn-lock doesn't). I'd rather have a quality gate fail than pass.