Guided Remediation: Add manifest resolution

[michaelkedar]

Starting to make guided remediation public #352 🎉

This PR has the code used to resolve the dependency graph of a manifest (i.e. a package.json) using the deps.dev resolvers and find vulnerabilities within it.

Doesn't include the code to actually parse/write package.json files - will probably add that in the next PR.

Much of this has been reviewed internally already, but I've made some significant changes/refactoring to dependency_chain.go and the computeVulns() function in resolve.go, so please take a more careful look at those.

[codecov-commenter]

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (0d45974) 79.67% compared to head (4f7a3c0) 79.72%.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #757      +/-   ##
==========================================
+ Coverage   79.67%   79.72%   +0.04%     
==========================================
  Files          89       89              
  Lines        6145     6145              
==========================================
+ Hits         4896     4899       +3     
+ Misses       1045     1043       -2     
+ Partials      204      203       -1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[cuixq]

🎉

[another-rex]

What's a good way to test this manually before we get automated tests?

[oliverchang]

What's a good way to test this manually before we get automated tests?

Re tests, it would be easiest to run the internal version for now. Check with @michaelkedar on this.

[michaelkedar]

Yeah, manually testing this as-is would be clumsy - you have to manually fill in the Manifest struct.