
Dependency-diff Visualization in Action (version 0 part 1) #651

Closed
wants to merge 3 commits into from

Conversation

@aidenwang9867 aidenwang9867 commented Jul 6, 2022

This PR introduces v0, part 1 of my design, Dependency-diff Visualization:

  1. definitions of structures Dependency and Vulnerability;
  2. functions that fetch the dependency-diffs from the GitHub Dependency Review API and parse them into markdown strings.

Which issue(s) this PR fixes
The entire design will address the Scorecard issue #2008, of which v0 addresses item 1, fetching dependency-diffs using the GitHub Dependency Review API, and item 3, parsing and visualizing the raw dependency-diff results in the PR comment (without detailed vuln info and vuln scores).

Current behavior
The current Scorecard Action only reports the Scorecard results for the repository under analysis. This design will surface Scorecard results for the arriving dependencies in new pull requests.

New behavior of Version Zero (user-facing changes)
With Version Zero, users can see the visualized results of dependency changes in the PR comment section every time they commit their code to a GitHub pull request against the default branch. Detailed dependency changes will be shown, including the dependency change type (added, updated, or removed) and the dependency package ecosystem, name, and version. Furthermore, with GitHub Security Advisory (GHSA) as the threat intelligence source, users can view vulnerability information for vulnerable dependencies by following its reference link.

Here’s a quick example of what Version Zero looks like.
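The v0 pipeline the description lays out (take the dependency-diff from the Dependency Review API, classify each change as added, updated or removed, and render it as a PR-comment table whose vulnerable packages link to their GHSA reference) is shown below as an added example written for this page; it is not the PR's code and not Scorecard's. It assumes the compare endpoint's JSON field names (change_type, ecosystem, name, version, and vulnerabilities with advisory_ghsa_id and advisory_url), derives "updated" by folding a removed and an added entry for the same package into one row (the API itself only reports added and removed), and substitutes a constructed response with a placeholder GHSA id for the live API call. It also escapes table-cell characters, because package names and versions come straight from the manifest in the PR under review and will be posted back as a comment.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Vulnerability and Dependency mirror one entry of the Dependency Review API compare response. Field
// names are an assumption about the public API (untagged fields rely on encoding/json's case-insensitive
// match, "ecosystem" -> Ecosystem); the types are this example's own, not the PR's definitions.
type Vulnerability struct {
	AdvisoryGHSAID string `json:"advisory_ghsa_id"`
	AdvisoryURL    string `json:"advisory_url"`
}
type Dependency struct {
	ChangeType               string `json:"change_type"` // the API reports "added" or "removed"
	Ecosystem, Name, Version string
	Vulnerabilities          []Vulnerability
}
// Change is one rendered row; "updated" folds a removed and an added entry for one package.
type Change struct {
	Type, Ecosystem, Name, OldVersion, NewVersion string
	Vulns                                         []Vulnerability
}
// sampleResponse is a constructed stand-in for the API body; the GHSA id and URL are placeholders.
const sampleResponse = `[
 {"change_type":"removed","ecosystem":"npm","name":"lodash","version":"4.17.20","vulnerabilities":[]},
 {"change_type":"added","ecosystem":"npm","name":"lodash","version":"4.17.21","vulnerabilities":[]},
 {"change_type":"added","ecosystem":"pip","name":"example-lib","version":"0.9.0","vulnerabilities":[
   {"advisory_ghsa_id":"GHSA-xxxx-xxxx-xxxx","advisory_url":"https://github.com/advisories/GHSA-xxxx-xxxx-xxxx"}]}
]`
// ParseDependencyDiff decodes the compare endpoint's JSON array.
func ParseDependencyDiff(body []byte) ([]Dependency, error) {
	var deps []Dependency
	err := json.Unmarshal(body, &deps)
	return deps, err
}

// Classify builds rows in first-seen order (stable comments) and skips unknown change types.
func Classify(deps []Dependency) []Change {
	idx := map[[2]string]int{} // (ecosystem, name) -> row index
	var out []Change
	for _, d := range deps {
		if d.ChangeType != "added" && d.ChangeType != "removed" {
			continue
		}
		k := [2]string{d.Ecosystem, d.Name}
		i, ok := idx[k]
		if !ok {
			i, idx[k] = len(out), len(out)
			out = append(out, Change{Ecosystem: k[0], Name: k[1]})
		}
		c := &out[i]
		switch {
		case d.ChangeType == "removed" && c.Type == "":
			c.OldVersion, c.Vulns, c.Type = d.Version, d.Vulnerabilities, "removed"
		case d.ChangeType == "removed":
			c.OldVersion, c.Type = d.Version, "updated"
		case c.Type == "": // an added entry: the arriving version's advisories are what matter
			c.NewVersion, c.Vulns, c.Type = d.Version, d.Vulnerabilities, "added"
		default:
			c.NewVersion, c.Vulns, c.Type = d.Version, d.Vulnerabilities, "updated"
		}
	}
	return out
}

// escapeCell stops manifest-controlled names and versions from breaking out of a table cell.
func escapeCell(s string) string {
	return strings.NewReplacer("\r", "", "\n", " ", "|", `\|`).Replace(s)
}

// RenderMarkdown produces the comment table, linking each advisory by its GHSA id.
func RenderMarkdown(changes []Change) string {
	var b strings.Builder
	b.WriteString("| Change | Ecosystem | Name | Version | Vulnerabilities |\n|---|---|---|---|---|\n")
	for _, c := range changes {
		ver := escapeCell(c.OldVersion) + " -> " + escapeCell(c.NewVersion)
		if c.Type != "updated" {
			ver = escapeCell(c.OldVersion + c.NewVersion) // exactly one of the two is set
		}
		var links []string
		for _, v := range c.Vulns {
			links = append(links, fmt.Sprintf("[%s](%s)", escapeCell(v.AdvisoryGHSAID), v.AdvisoryURL))
		}
		if links == nil {
			links = []string{"none"}
		}
		fmt.Fprintf(&b, "| %s | %s | %s | %s | %s |\n", c.Type, escapeCell(c.Ecosystem), escapeCell(c.Name), ver, strings.Join(links, ", "))
	}
	return b.String()
}
func main() {
	deps, err := ParseDependencyDiff([]byte(sampleResponse))
	if err != nil {
		panic(err)
	}
	fmt.Print(RenderMarkdown(Classify(deps)))
}
```

In the Action, sampleResponse would be replaced by the body returned for the base and head of the pull request (my understanding of the endpoint is GET /repos/{owner}/{repo}/dependency-graph/compare/{basehead}, an assumption, not something this PR states). Escaping is done at render time rather than at ingest so the Dependency values stay usable for other checks, and a removed-then-added pair keeps the advisories of the arriving version only, which is the one the reviewer is about to merge.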

@aidenwang9867 changed the title from "Dependency-diff Visualization in Action part 1 code" to "Dependency-diff Visualization in Action (version 0 part 1)" on Jul 6, 2022
@naveensrinivasan (Member) commented

@aidenwang9867 Thanks! Could you please provide a brief overview as to what will Version 0 address?

@aidenwang9867 (Author) commented Jul 6, 2022

> @aidenwang9867 Thanks! Could you please provide a brief overview as to what will Version 0 address?

np, will update it later in the PR description :D

@aidenwang9867 (Author) commented

Close this PR; move the code to the scorecard repo.
@naveensrinivasan @laurentsimon @azeemshaikh38
