benchmarks: moves dependency scope to test

[codefromthecrypt]

This moves the dependency scope of all JMH dependencies to test. This classifies them more accurately as test dependencies, which automatically excludes them from Trivy output.

Following aquasecurity/trivy#6213, we have a completely clean run, so no more complaints about old spring etc.

$ ../trivy/main repo .
2024-03-05T14:03:21.104+0800	INFO	Vulnerability scanning is enabled
2024-03-05T14:03:21.104+0800	INFO	Secret scanning is enabled
2024-03-05T14:03:21.104+0800	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-03-05T14:03:21.104+0800	INFO	Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret/#recommendation for faster secret detection
2024-03-05T14:05:38.862+0800	INFO	Number of language-specific files: 66
2024-03-05T14:05:38.862+0800	INFO	Detecting pom vulnerabilities...

maven-shade-plugin doesn't really like this setup, despite having a shadeTestJar flag, I was unable to get any configuration to work which included dependencies. The easier path was to declare a maven assembly for what is a generic test jar (including dependencies), and then use the assembly plugin instead of shade. This exact setup can be copy/pasta'd to any of our other projects.

At the end of the day, the same jar as before is created, so instructions are the same. The main con is that that jar is bigger as it also includes default test deps like assertj. However, I feel trying to be precise on this is a cure worse than the disease as few if any use this thing anyway.

[codefromthecrypt]

ps the docs are the same as before except fixing this glitch. in the parent pom, the benchmarks module is removed when -DskipTests, so basically it was a broken doc.