
🌱 Add probes to main call #3688

Merged (15 commits), Dec 12, 2023

Conversation

AdamKorcz (Contributor)

What kind of change does this PR introduce?

Feature

What is the current behavior?

What is the new behavior (if this is a feature change)?

This is WIP to enable invoking probes via Scorecards main function.

Usage:
go run main.go --repo=github.com/ossf/scorecard --probes=notArchived,hasLicenseFile,hasOSVVulnerabilities --format=probe

Output (Manually pretty'ed):

{
  "date": "2023-11-20",
  "repo": {
    "name": "github.com/ossf/scorecard",
    "commit": "0276a7cd7284e077f22b50208345201485029fbd"
  },
  "scorecard": {
    "version": "",
    "commit": "unknown"
  },
  "findings": [
    {
      "probe": "notArchived",
      "outcome": 12,
      "message": "Repository is not archived."
    },
    {
      "probe": "hasLicenseFile",
      "outcome": 0,
      "message": "project does not have a license file",
      "remediation": {
        "text": "For Github projects, follow [this guide](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/licensing-a-repository) to determine which license to apply to your project and establish a license file for your project.\nFor Gitlab projects, create the license in a .adoc, .asc, .docx, .doc, .ext, .html, .markdown, .md, .rst, .txt, or .xml, named LICENSE, COPYRIGHT, or COPYING, and place it in the top-level directory. To identify a specific license, use an SPDX license identifier in the filename. Examples include LICENSE.md, Apache-2.0-LICENSE.md or LICENSE-Apache-2.0.\nAlternately, create a LICENSE directory and add a license file(s) with a name that matches your SPDX license identifier. such as LICENSES/Apache-2.0.txt.",
        "markdown": "",
        "effort": 1
      }
    },
    {
      "probe": "hasOSVVulnerabilities",
      "outcome": 12,
      "message": "Project does not contain OSV vulnerabilities"
    }
  ]
}
  • Tests for the changes have been added (for bug fixes/features)

Which issue(s) this PR fixes

NONE

Special notes for your reviewer

Tests and formatting have not been done yet.

Does this PR introduce a user-facing change?

Yes

Users can run probes via the command line.
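An added example (not part of this PR or of the Scorecard code base) that consumes the --format=probe JSON shown above: it parses the findings array and returns the probes whose finding carries a remediation, which is how the sample output marks the one probe that did not pass. The NeedsAttention function and the abbreviated sample document are constructed for this example; the outcome integer is left uninterpreted because the page does not define its values.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Finding mirrors one entry of the "findings" array emitted by --format=probe.
// The page does not explain the outcome enumeration, so it is kept opaque.
type Finding struct {
	Probe       string `json:"probe"`
	Outcome     int    `json:"outcome"`
	Message     string `json:"message"`
	Remediation *struct {
		Text   string `json:"text"`
		Effort int    `json:"effort"`
	} `json:"remediation,omitempty"`
}

// NeedsAttention parses probe output and returns the names of probes whose
// finding carries a remediation, which in the sample output marks the one
// probe that did not pass; a non-empty result can be used to fail a CI job.
func NeedsAttention(raw []byte) ([]string, error) {
	var r struct {
		Findings []Finding `json:"findings"`
	}
	if err := json.Unmarshal(raw, &r); err != nil {
		return nil, fmt.Errorf("parsing probe output: %w", err)
	}
	var names []string
	for _, f := range r.Findings {
		if f.Remediation != nil {
			names = append(names, f.Probe)
		}
	}
	return names, nil
}

// sample is a constructed, abbreviated copy of the output in the PR description.
const sample = `{"date":"2023-11-20","repo":{"name":"github.com/ossf/scorecard"},"findings":[
{"probe":"notArchived","outcome":12,"message":"Repository is not archived."},
{"probe":"hasLicenseFile","outcome":0,"message":"project does not have a license file","remediation":{"text":"add a LICENSE file","effort":1}},
{"probe":"hasOSVVulnerabilities","outcome":12,"message":"Project does not contain OSV vulnerabilities"}]}`
func main() {
	names, err := NeedsAttention([]byte(sample))
	if err != nil {
		panic(err)
	}
	fmt.Println("probes needing attention:", names) // [hasLicenseFile]
}
```

In a pipeline, feed the bytes written by the go run command above to NeedsAttention instead of the embedded sample.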

codecov bot commented Nov 20, 2023

Codecov Report

Merging #3688 (41f2839) into main (db7b6e7) will decrease coverage by 5.73%.
The diff coverage is 43.58%.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #3688      +/-   ##
==========================================
- Coverage   76.41%   70.68%   -5.73%     
==========================================
  Files         214      214              
  Lines       14628    14803     +175     
==========================================
- Hits        11178    10464     -714     
- Misses       2779     3715     +936     
+ Partials      671      624      -47     

@AdamKorcz force-pushed the add-probes-to-main-call branch from 7ed7abb to 0281085 on November 22, 2023 11:40
@AdamKorcz force-pushed the add-probes-to-main-call branch from 0281085 to b64e134 on November 22, 2023 12:10
@AdamKorcz force-pushed the add-probes-to-main-call branch from b64e134 to d050bf6 on November 22, 2023 12:14
@AdamKorcz force-pushed the add-probes-to-main-call branch from 7cc4bd4 to f9a3568 on November 22, 2023 13:42
@AdamKorcz force-pushed the add-probes-to-main-call branch from f9a3568 to bf30105 on November 22, 2023 13:48
@AdamKorcz force-pushed the add-probes-to-main-call branch from bf30105 to 301c562 on November 22, 2023 14:00
@AdamKorcz force-pushed the add-probes-to-main-call branch from 301c562 to bdfd990 on November 22, 2023 14:04
AdamKorcz (Contributor, Author) commented Nov 22, 2023

Most of the missing coverage is APIs in the ./cmd dir which do not have tests already.

spencerschrock (Member) left a review comment

Overall, I think this works. The CLI flag is what we want --probes, we don't break the RunScorecard function signature, and the behavior seems to be what we want.

But man is this hacky and fragile. A lot of the reasons are due to probe implementation, so fixing it in a followup is probably needed, and I've left some notes for me to file issues.

For now, I'm just checking on a backward compatibility question, relating to renaming package import aliases.

Review threads were opened on cmd/root.go, probes/entries.go and pkg/scorecard.go; all were resolved.
Signed-off-by: AdamKorcz <[email protected]>
Signed-off-by: Adam Korczynski <[email protected]>
spencerschrock (Member) left a review comment

For now, I'm just checking on a backward compatibility question, relating to renaming package import aliases.

As expected, renaming imports is purely cosmetic, won't break anything.

@spencerschrock spencerschrock merged commit 3ce1daa into ossf:main Dec 12, 2023
37 of 38 checks passed