Support for package metadata

[prabhu]

While working on a new risk scoring feature for dep-scan, I realized the need for a database for package metadata to prevent querying npm and pypi datasources for each invocation.

This perhaps will be a separate file with its own index to prevent the vulnerability database from becoming large. Separate flag will be added to perform package metadata fetching.