Skipped packages don't get printed if there are no vulnerabilities found

[tetsuo-cpp]

Bug description

If an audit doesn't find any vulnerabilities, the packages that got skipped don't get displayed.

Reproduction steps

1. Make a requirements.txt that contains only a_package_that_doesnt_exist==0.1.
2. Run pip-audit -r requirements.txt.
3. Notice that the audit does not print the skipped package.

Expected behavior

Even if no vulnerabilities are found, we should still be printing skipped packages in the audit summary as this is useful information.

Platform information

• OS name and version: macOS 12.0.1
• pip-audit version (pip-audit -V): 1.1.0
• Python version (python -V or python3 -V): 3.9.7
• pip version (pip -V or pip3 -V): 21.3.1

[woodruffw]

Yeah, I think we have to generally re-evaluate how we handle output. Some currently confusing aspects:

• Our JSON output includes a manifest of all dependencies (not just vulnerable ones), but we don't emit any JSON if we don't find at least one vulnerability.
• CycloneDX's JSON schema doesn't currently support vulnerability information, but we don't currently document or warn about that anywhere. We should probably print at least a WARNING message and add a note to the README somewhere.

[woodruffw]

(All of these are breaking changes in the semver sense, so they should all be bucketed under a 2.0.0 release. But versions are free, so we shouldn't let that stop us!)