Is your feature request related to a problem? Please describe.
With the new experimental REST interfaces being proposed, and based on some discussion around getting value out of GUAC while waiting for ingestion to complete (either because users have little data yet, or because ingesting large amounts of data takes a while), we want to enable use cases that provide instant value to users upon setup of GUAC and iteratively get better as more and more data gets ingested.
We discussed several options including:

- Do I have an SBOM? If so, where does that SBOM live?
- What is my most widely used dependency?
- Top level package "Scorecard" (for OSSF Scorecard results, licenses, etc.)
This issue describes the third option.
Describe the solution you'd like
The third option can be thought of as having a "scorecard" of what we know and don't know for a specific package.
As SBOMs and other metadata are ingested into GUAC, we want to be able to get a good idea of what information we are missing for a specific package and if that needs to be remediated.
This can include:

- Is there a SLSA attestation associated with the package?
- Is there Scorecard information associated with the package source?
- Are there packages that we know nothing about (no SBOM, no SLSA attestation, etc.)?
- Does a package include a high number of vulnerable dependencies?
The output should be a table/list with the packages to pay attention to as well as a list of problems that they have that are actionable (missing SBOMs or SLSA attestations). This list can then be used by a security operator or developer to triage.
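As an added illustration of the triage list this issue asks for (example code written here, not part of GUAC or the original issue): each package record is constructed sample data with hypothetical field names standing in for what GUAC would return, and the vulnerable-dependency threshold is an assumption.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed stand-in for per-package metadata; field names are hypothetical,
# not GUAC's API. scorecard_score is None when no Scorecard data was ingested.
@dataclass
class PackageInfo:
    purl: str
    has_sbom: bool = False
    has_slsa: bool = False
    scorecard_score: Optional[float] = None
    vulnerable_deps: int = 0

# Assumption: more than this many vulnerable dependencies is worth flagging.
VULN_DEP_THRESHOLD = 3

def assess(pkg: PackageInfo) -> List[str]:
    """Return the actionable problems for one package (empty list = nothing to do)."""
    problems = []
    if not pkg.has_sbom:
        problems.append("missing SBOM")
    if not pkg.has_slsa:
        problems.append("missing SLSA attestation")
    if pkg.scorecard_score is None:
        problems.append("no Scorecard data for package source")
    if pkg.vulnerable_deps > VULN_DEP_THRESHOLD:
        problems.append(f"{pkg.vulnerable_deps} vulnerable dependencies")
    return problems

def triage(pkgs: List[PackageInfo]) -> List[Tuple[str, List[str]]]:
    """Packages needing attention, those we know least about first, then by purl."""
    rows = [(p.purl, assess(p)) for p in pkgs]
    rows = [r for r in rows if r[1]]
    rows.sort(key=lambda r: (-len(r[1]), r[0]))
    return rows

def render(rows: List[Tuple[str, List[str]]]) -> str:
    """Plain-text table an operator or developer can read."""
    width = max((len(r[0]) for r in rows), default=7)
    lines = [f"{'package':<{width}}  problems"]
    lines += [f"{purl:<{width}}  {'; '.join(probs)}" for purl, probs in rows]
    return "\n".join(lines)

# Constructed sample inventory (not real data).
SAMPLE = [
    PackageInfo("pkg:golang/github.com/example/a", True, True, 7.5, 1),
    PackageInfo("pkg:npm/unknown-lib"),
    PackageInfo("pkg:pypi/widget", has_sbom=True, vulnerable_deps=5),
]

if __name__ == "__main__":
    print(render(triage(SAMPLE)))
```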
Describe alternatives you've considered
Other alternatives to have issues opened up for: