Feature: use the Scorecard REST API to retrieve the Scorecard result for dependency-diffs

[aidenwang9867]

Is your feature request related to a problem? Please describe.
In v0 of the Dependency-diff API (issue #2008), we run scorecard checks on every changed dependency to report its check results - and it could be very time-consuming and might easily reach the rate limiting when there is a large number of dependency changes.

Describe the solution you'd like
Use the incoming Scorecard REST API to retrieve the Scorecard result for dependencies statelessly to (1) save time, (2) reduce the token&API usage.

Additional context
This is a TODO introduced in PR #2046.

[aidenwang9867]

I gave the Scorecard REST API a try and it seems that it already contains many dependency packages - which is great to know! However, since the returned object of GET /projects/{platform}/{org}/{repo} is a JSON object of the repository's ScorecardResult, whereas the DependencyCheckResult structure contains a ScorecardResult rather than a JSON one. We might need some conversion for the API to be used in dependency-diff.

[naveensrinivasan]

@aidenwang9867 Are you planning to work on this?

[aidenwang9867]

@aidenwang9867 Are you planning to work on this?

I think I can take this part (changing the running Scorecard mode to query from the REST API) if needed. I don't have much workload at school these days. What's our current plan for this feature? @azeemshaikh38 @laurentsimon

[github-actions]

This issue is stale because it has been open for 60 days with no activity.

[github-actions]

This issue is stale because it has been open for 60 days with no activity.

[github-actions]

This issue has been marked stale because it has been open for 60 days with no activity.

[spencerschrock]

#2008 (comment)