base image impact

[cgwalters]

Nice tool!

One enhancement I think we could make here is to generalize this to something like: "package impact" - specifically other axes/metrics I think are relevant:

• size (trivial to compute)
• update frequency (Obviously data exists, but is a bit more work to collate)
• RHEL ACG level (Data exists, I assume in some programmatic form)
• "system architecture affect": This one is vague but in https://gitlab.com/fedora/bootc/tracker/-/issues/36#note_2093041741 I gave the example of cloud-init where it has a huge affect on the system mechanics. (No machine readable data exists that I know of)

I could imagine tweaking things slightly here such that we help offer a tool which aids folks in gauging the overall "impact" of the presence of a package. Its CVE load is a big one, but not the only one.

[vrothberg]

👍 open to suggestions and PRs for sure :)

I focused on CVE count only since that's what I needed but the feedback suggests the tool may be useful on a bigger scale than I have imagined.