🌱 Add utils for retrieving data about project dependencies

[AdamKorcz]

What kind of change does this PR introduce?

new feature
(Is it a bug fix, feature, docs update, something else?)

• PR title follows the guidelines defined in our pull request documentation

What is the current behavior?

Currently, Scorecard cannot reason over dependencies in lock files.

What is the new behavior (if this is a feature change)?**

This adds utilities for reasoning over dependencies in lock files. Specifically, it adds support for the following files:

1. package-lock.json
2. package.json
3. pom.xml
4. go.mod
5. requirements.txt

The goal is over time to add support for more file types. osv-scalibr parses a lot more formats, however, it does not parse the dependencies of all formats that we need. I would like to work on adding this to osv-scalibr as it seems like a win for osv-scalibr and a win for Scorecard to have that there. It have started identifying missing pieces in google/osv-scalibr#907.

In addition, this PR adds a utility function for comparing the version of a dependency against the definition of another. This is important for implementing #2458 and gives a good picture of how I will solve this probe. Here is an overview:

1. This PR helps with getting the dependencies that projects declare.
2. 🌱 implement GetPackage for depsdev client #4697 helps with all versions of the dependencies that the project under analysis declares.
3. Later, we can add a routine that loops through the last N commits of the project under analysis and retrieve when the project updated its dependencies. We will then compare that against the data from Deps.dev that describes when the depencies issued new version, and we have the answer to when the project updates its dependencies relative to when a new version is available.

• Tests for the changes have been added (for bug fixes/features)

Which issue(s) this PR fixes

This is part of ongoing work on #2458

Other PRs in this ongoing work are:

1. 🌱 implement GetPackage for depsdev client #4697

Special notes for your reviewer

Does this PR introduce a user-facing change?

NONE (yet).

Currently, the code is not exposed in any user-facing functionality and as such is dead code. The goal is to get these dependency parsing routines to cover a wide range of ecosystems (we can get a lot from using osv-scalibr: https://github.com/google/osv-scalibr/tree/main/extractor/filesystem/language) and then expose this in a probe for #2458.

[codecov]

Codecov Report

❌ Patch coverage is 66.95652% with 38 lines in your changes missing coverage. Please review.
✅ Project coverage is 68.29%. Comparing base (353ed60) to head (caa6ec3).
⚠️ Report is 216 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4711      +/-   ##
==========================================
+ Coverage   66.80%   68.29%   +1.48%     
==========================================
  Files         230      250      +20     
  Lines       16602    19013    +2411     
==========================================
+ Hits        11091    12984    +1893     
- Misses       4808     5160     +352     
- Partials      703      869     +166     

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[AdamKorcz]

Adding support for this can also help with #1174

[github-actions]

This pull request has been marked stale because it has been open for 10 days with no activity

[github-actions]

This pull request has been marked stale because it has been open for 10 days with no activity

[github-actions]

This pull request has been marked stale because it has been open for 10 days with no activity