This PR simplifies the top-level client facing API.

The requirement for using an iterator of vulnerable nodes in ProjectReachability is dropped, allowing the user to design their own iteration logic and simplifying the use case of checking against a single vulnerable node.

Currently, the Project constructor requires users to specify the list of the packages that are available in the resolver, in addition to supplying the resolver itself. We should add support for enumerating packages in PackageResolver in order to remove the redundant argument passed to the Project::new constructor.

let package_resolver = PackageResolver::builder()
  .with_package("path-scurry", Package::from_tarball_path("./tarballs/path-scurry-1.6.1.tgz"))
  .with_package("lru-cache", Package::from_tarball_path("./tarballs/lru-cache-7.14.1.tgz"))
  .with_package("minipass", Package::from_tarball_path("./tarballs/minipass-4.0.2.tgz"))
  .build();
  
let project = Project::new(
  package_resolver,
  vec!["path-scurry", "lru-cache", "minipass"]
);

We should improve the crate's documentation so that the output of cargo doc makes it easy for library users to get started and figure out how to use it.

This is the research ticket for the 2023.8 sprint.

Current state

• We can traverse the graph for a whole project (defined as a root package + its transitive dependencies), determine whether a node is reachable, and find a call path to it.
• We have mostly stable serializable data structures for client usage.
• We have acceptable test coverage.

Work done in previous sprint

• Completed the cross-package reachability graph traversal. The real world example chosen (@redis/client) succeeds in finding the chosen vulnerable node.
• Refined the in-project graph traversal.
• Developed side-effect accesses detection.
• Built a small CLI (vuln-reach-cli).

Work planned for the sprint

• [ ] Finalize the serialization format and public facing API.
• [ ] Assess whether, as a result of introducing side-effect access identification, reachability in the root package is extended to all of its identifiers and not just its exports.

Work planned for future sprints

• Build a comprehensive benchmark with meaningful metrics to assess whether the model is performing as desired.
• Research the statistical distribution of vulnerabilities to assess the usefulness of the model (i.e. in % how many vulnerabilities show up as reachable/unreachable)
• Research ways of assessing whether vulnerabilities are definitely unreachable.
• Performance benchmark: filesystem/network access is anticipated to be a bottleneck.

We currently have test coverage for most features, but very small test fixtures.

We should improve coverage by building fake but sizable projects and test features against those.

We currently need to manually supply the source of the analyzed packages to the Project object.

We should devise a system to automate the discovery of packages in a variety of conditions.

See also #5.

The find_accessor method is responsible for determining what qualifies as an "access", and is the main driver of the statistical measurement errors of the reachability model.

On an ongoing basis, we should keep evaluating whether the concept of "access" that we use yields not enough, just right, or too many reachability paths.