For '2', I don't think we need Nix-Security-WG/nix-security-tracker#6, for 2 reasons: I think that is useful mainly for the 'make the results more actionable' task that we might include in the first milestone, and even if we do, perhaps this information should be provided as part of the feed created by the online tracker rather than by subscribing to the GitHub PRs directly from the local tool.
raboof transferred this issue from Nix-Security-WG/nix-security-tracker on Sep 23, 2024
At our meeting 2023-11-15, we defined our demo target to be a CLI tool which does these four things:

1. scan dependencies used locally (from some combination of derivation graphs, metadata provided by nixpkgs)
   Related tickets:
   - Creating the inventory of locally installed derivations #19
2. ingest some sort of vulnerability database(s) that are separate from the user's configuration (these might be well-known upstream things like CVEs or new nix-ecosystem-specific databases)
   Related tickets:
   - CVE feed ingestion nix-security-tracker#4
   - Automatic updates and suggestions based on GitHub events nix-security-tracker#6
   - Ingestion of evaluation results of any supported channel nix-security-tracker#8
3. match/align these two sorts of information (the config and the vulnerabilities) with fewer or more heuristics based on how "pre-cleaned-up" the information is (meta and nix-specific database is cleaner, derivation graph and upstream database is messier)
   Related tickets:
   - Triage CVEs using automatic suggestions nix-security-tracker#5
4. produce an output of those matches