
Feature: facilitate the Scorecard run for the dependency-diff API/CLI #2080

Closed
aidenwang9867 opened this issue Jul 20, 2022 · 4 comments
Labels
kind/enhancement New feature or request

Comments

@aidenwang9867
Contributor

aidenwang9867 commented Jul 20, 2022

Is your feature request related to a problem? Please describe.
The v0 of the Dependencydiff API/CLI (PR #2046/PR #2077) runs pretty slowly since we are running scorecard checks on every dependency with a valid srcRepo URI. The REST Scorecard API will be a good solution, see issue #2064. However, before that comes out in production, is there anything else we can do for now?

Describe the solution you'd like
I am considering whether we should add a Parallel() support for the scorecard running on dependencies. It might depend on what kind of interface we would like to provide in the REST Scorecard API to return the check results for package(s): using a list of packages/repos as the input all together vs. using one package/repo as the input at a time. @laurentsimon Am I understanding this issue and solution correctly?

Describe alternatives you've considered
An alternative temporary solution for the CLI could be:

We give users an option (YES/NO) to ask if they would like to continue when there are more than, for example, 20+ dependencies to check. Also, we tell them that since this is still an experimental feature, the running time could be slow as the number of dependency changes increases.

Additional context
@azeemshaikh38 @naveensrinivasan wdut?

@aidenwang9867 aidenwang9867 added the kind/enhancement New feature or request label Jul 20, 2022
@aidenwang9867 aidenwang9867 changed the title Feature: facilitate the Scorecard run on dependency-diffs API/CLI Feature: facilitate the Scorecard run for the dependency-diff API/CLI Jul 20, 2022
@laurentsimon
Contributor

> Describe the solution you'd like I am considering whether we should add a Parallel() support for the scorecard running on dependencies. It might depend on what kind of interface we would like to provide in the REST Scorecard API to return the check results for package(s): using a list of packages/repos as the input all together vs. using one package/repo as the input at a time. @laurentsimon Am I understanding this issue and solution correctly?

In general, running in parallel is useful now.
If the REST API can return results for several dependencies at once, then we won't need it for the integration with the REST API. @azeemsgoogle what's the plan?

I would suggest running the current calls to scorecard in parallel, since it's very little code to change.

@naveensrinivasan
Member

> > Describe the solution you'd like I am considering whether we should add a Parallel() support for the scorecard running on dependencies. It might depend on what kind of interface we would like to provide in the REST Scorecard API to return the check results for package(s): using a list of packages/repos as the input all together vs. using one package/repo as the input at a time. @laurentsimon Am I understanding this issue and solution correctly?
>
> In general, running in parallel is useful now. If the REST API can return results for several dependencies at once, then we won't need it for the integration with the REST API. @azeemsgoogle what's the plan?
>
> I would suggest running the current calls to scorecard in parallel, since it's very little code to change.

The REST API won't return results for multiple dependencies as of now. @azeemshaikh38 Am I right about this?

@azeemshaikh38
Contributor

Not a good idea to run Scorecard in parallel (in the case where Scorecard is being calculated and not retrieved from some pre-computed API) - the token usage can get pretty expensive and will likely trigger GitHub's secondary rate limits.

> If the REST API can return results for several dependencies at once

There is no plan for such batched access. Users will need to do this on their end if needed.
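The tension in this thread is between speed (run the per-dependency checks concurrently, as suggested above) and API token consumption (unbounded fan-out multiplies calls and risks secondary rate limits). A bounded worker pattern gives the speed-up while keeping the number of in-flight Scorecard runs under an explicit cap. The following Go example is added for illustration and is not Scorecard's own code: the `Dependency`, `Result`, `CheckFunc` and `RunChecksBounded` names, the sample dependency list and the fake counting check are all constructed here; the real Scorecard invocation would be plugged in as the `CheckFunc`.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"sync"
	"sync/atomic"
	"time"
)

// Dependency is a constructed, simplified stand-in for one entry of a
// dependency diff: a package name plus the source repo it resolves to.
type Dependency struct {
	Name    string
	SrcRepo string // empty when no valid source repo URI could be resolved
}

// Result holds the outcome of checking one dependency.
type Result struct {
	Name  string
	Score float64
	Err   error
}

// ErrNoSrcRepo marks dependencies that were skipped rather than failed.
var ErrNoSrcRepo = errors.New("no valid source repo URI; skipped")

// CheckFunc is an assumed interface for "run the checks on one repo"; the
// real Scorecard call would be plugged in here.
type CheckFunc func(ctx context.Context, srcRepo string) (float64, error)

// RunChecksBounded checks every dependency that has a source repo, running at
// most maxParallel checks at once. The cap is the knob that keeps the fan-out
// from multiplying API token usage (and rate-limit exposure) without limit.
func RunChecksBounded(ctx context.Context, deps []Dependency, maxParallel int, check CheckFunc) []Result {
	if maxParallel < 1 {
		maxParallel = 1
	}
	results := make([]Result, len(deps))
	sem := make(chan struct{}, maxParallel) // counting semaphore
	var wg sync.WaitGroup
	for i, d := range deps {
		results[i] = Result{Name: d.Name}
		if d.SrcRepo == "" {
			results[i].Err = ErrNoSrcRepo
			continue
		}
		wg.Add(1)
		go func(i int, repo string) {
			defer wg.Done()
			if ctx.Err() != nil { // caller already cancelled: do not start
				results[i].Err = ctx.Err()
				return
			}
			select {
			case sem <- struct{}{}: // acquire a slot
			case <-ctx.Done():
				results[i].Err = ctx.Err()
				return
			}
			defer func() { <-sem }() // release the slot
			score, err := check(ctx, repo)
			results[i].Score, results[i].Err = score, err
		}(i, d.SrcRepo)
	}
	wg.Wait()
	return results
}

// NewCountingCheck returns a fake CheckFunc that records the peak number of
// in-flight calls, so a test can confirm the concurrency bound actually holds.
func NewCountingCheck(score float64) (check CheckFunc, peak func() int32) {
	var inFlight, peakSeen int32
	check = func(ctx context.Context, repo string) (float64, error) {
		cur := atomic.AddInt32(&inFlight, 1)
		defer atomic.AddInt32(&inFlight, -1)
		for { // lock-free "max" update of peakSeen
			p := atomic.LoadInt32(&peakSeen)
			if cur <= p || atomic.CompareAndSwapInt32(&peakSeen, p, cur) {
				break
			}
		}
		time.Sleep(5 * time.Millisecond) // stands in for network latency
		return score, nil
	}
	peak = func() int32 { return atomic.LoadInt32(&peakSeen) }
	return check, peak
}

func main() {
	deps := []Dependency{ // constructed sample input
		{Name: "pkg-a", SrcRepo: "https://github.com/example/a"},
		{Name: "pkg-b", SrcRepo: ""},
		{Name: "pkg-c", SrcRepo: "https://github.com/example/c"},
		{Name: "pkg-d", SrcRepo: "https://github.com/example/d"},
	}
	check, peak := NewCountingCheck(7.5)
	for _, r := range RunChecksBounded(context.Background(), deps, 2, check) {
		fmt.Printf("%-6s score=%.1f err=%v\n", r.Name, r.Score, r.Err)
	}
	fmt.Println("peak in-flight checks:", peak())
}
```

Setting `maxParallel` to 1 reproduces today's sequential behaviour; raising it trades token consumption for wall-clock time, and the cap is the value to tune against the API's rate-limit budget rather than letting one goroutine per dependency run unchecked.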

@aidenwang9867
Contributor Author

Close this issue since there are no good optimization solutions for this. Let's keep it as an experimental feature for now ;-)

4 participants