fcli ssc appversion-artifact download: Include externalmetadata.xml in downloaded FPR files #257

Closed
rsenden opened this issue Mar 8, 2023 · 0 comments · Fixed by #258 or #259

rsenden commented Mar 8, 2023

When downloading the current state FPR file through the SSC web UI, the FPR file contains externalmetadata.xml. When downloading the current state FPR file using fcli, the FPR file does not contain externalmetadata.xml. Ideally, the FPR file downloaded by fcli should include externalmetadata.xml for use by client-side tools like Audit WorkBench.

Both the SSC web UI and fcli use the same SSC endpoint for downloading the FPR file, but the SSC web UI adds an undocumented clientVersion request parameter that results in externalmetadata.xml being included in the FPR file. We need to engage with the SSC engineering team to get more information on this undocumented parameter, like what values can be passed in this parameter, and whether there are any other side-effects other than externalmetadata.xml being included in the FPR file.

As fcli doesn't follow the product versioning scheme, sending the fcli version number to SSC doesn't make much sense and may cause issues, so we'd need to find a way to send a proper product version number. The question is what version number to use, and how this influences FPR generation. For example, should we just use a hardcoded version number, or query SSC for the current version number? The latter would require SSC to provide an endpoint to retrieve the version number, which should be accessible by all users and all/most SSC token types.
