Currently, OSV-SCALIBR doesn't provide any defaults / distinction for the sets of extractors to enable in source vs context context.

For example, if all extractors were enabled, we'd potentially get false positive matches when scanning a container because we'd pick up source manifest files (e.g. package-lock.json) that aren't actually installed.

We should provide an easy way for users to select which context they're running in and the set of extractors that apply to that context.