add flag to toggle getting deps.dev dependencies

[mdeicas]

Description of the PR

Adds the flag retrieve-deps to guaccollect. When set to false, the deps.dev collector only queries for metadata (scorecard and source) and not for dependencies. The default setting is true.

Also, a log message (level info) was added to log when the dependencies for a package are retrieved.

Fixes #1359.

Behavior

After starting Guac and ingesting an SBOM, running guaccollect deps_dev --retrieve-dependencies=false does not lead to any new IsDependency nodes appearing and results in logs look like

{"level":"info","ts":1696975519.9959376,"caller":"deps_dev/deps_dev.go:197","msg":"obtained additional metadata for package: pkg:golang/4d63.com/gocheckcompilerdirectives@v1.2.1"}
{"level":"info","ts":1696975520.0867465,"caller":"deps_dev/deps_dev.go:197","msg":"obtained additional metadata for package: pkg:golang/4d63.com/gochecknoglobals@v0.2.1"}
{"level":"info","ts":1696975520.166465,"caller":"deps_dev/deps_dev.go:197","msg":"obtained additional metadata for package: pkg:golang/github.com/4meepo/tagalign@v1.3.2"}
{"level":"info","ts":1696975520.2557125,"caller":"deps_dev/deps_dev.go:197","msg":"obtained additional metadata for package: pkg:golang/github.com/Abirdcfly/dupword@v0.0.12"}
...

Running guaccollect deps_dev instead results in the normal expected behavior: dependencies are ingested and the logs indicate both metadata and dependency retrievals.

PR Checklist

• All commits have a Developer Certificate of Origin (DCO) -- they are generated using -s flag to git commit.
• All new changes are covered by tests
• All CI checks are passing (tests and formatting)

[pxp928]

Overall looks good! Just a comment to maybe speed up the retrieval process.

[naveensrinivasan]

@mdeicas This is cool! Thanks for taking the feedback and reusing the existing code.

[pxp928]

@mdeicas just need a rebase