Conversation

@trumant (Contributor) commented Sep 21, 2025

This change closes issue #145 by updating the evaluation logic to recognize that not all repositories will have enabled the GitHub dependency graph and the setting is not enabled by default.

Therefore, the absence of this data in a repository is not a clear-cut failure, but rather a mixed signal. As such, the evaluation now returns NeedsReview rather than Failed in cases where the API indicates no dependency management.

This change was tested with the result:

```yaml
- requirement-id: OSPS-QA-02.01
  applicability:
    - Maturity Level 1
    - Maturity Level 2
    - Maturity Level 3
  description: When the package management system supports it, the source code repository MUST contain a dependency list that accounts for the direct language dependencies.
  result: Needs Review
  message: No dependency manifests found in the GitHub dependency graph API. Review project to ensure dependencies are managed.
  steps:
    - github.com/revanite-io/pvtr-github-repo/evaluation_plans/osps/quality.verifyDependencyManagement
  steps-executed: 1
  start: "2025-09-21T14:09:04-04:00"
  end: "2025-09-21T14:09:04-04:00"
```

Signed-off-by: Travis Truman <trumant@gmail.com>
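The decision the description lays out, written out as an added example in Go (the project's language); this is not code from this PR or from pvtr-github-repo. The `Result`, `Manifest` and `DependencyGraph` types and the `verifyDependencyManagement` function below are stand-ins I have assumed rather than the project's own, the sample inputs are constructed, and the `Fetched` flag is an added assumption so that a dependency-graph call that fails outright is not confused with an empty dependency graph.

```go
package main

import (
	"fmt"
	"strings"
)

// Result is a stand-in for the three outcomes an evaluation step can report
// (assumed for this example, not the project's own type).
type Result int

const (
	Passed Result = iota
	Failed
	NeedsReview
)

func (r Result) String() string {
	switch r {
	case Passed:
		return "Passed"
	case Failed:
		return "Failed"
	default:
		return "Needs Review"
	}
}

// Manifest is a simplified, constructed view of one dependency-graph entry:
// the manifest file and how many dependencies it declares.
type Manifest struct {
	Filename        string
	DependencyCount int
}

// DependencyGraph is the subset of API output the check needs. Fetched is an
// assumed flag: false means the API call itself failed, which must not be
// read as "the repository declares no dependencies".
type DependencyGraph struct {
	Fetched   bool
	Manifests []Manifest
}

// verifyDependencyManagement applies the rule described in the PR: the
// dependency graph is off by default, so an empty result is a mixed signal
// and yields NeedsReview, not Failed. A manifest with dependencies passes.
func verifyDependencyManagement(g DependencyGraph) (Result, string) {
	if !g.Fetched {
		// Assumption: an unreadable graph (permissions, disabled feature) is
		// also ambiguous, so it is routed to a human rather than failed.
		return NeedsReview, "Could not read the GitHub dependency graph API. Review project to ensure dependencies are managed."
	}
	if len(g.Manifests) == 0 {
		return NeedsReview, "No dependency manifests found in the GitHub dependency graph API. Review project to ensure dependencies are managed."
	}
	names := make([]string, 0, len(g.Manifests))
	total := 0
	for _, m := range g.Manifests {
		names = append(names, m.Filename)
		total += m.DependencyCount
	}
	if total == 0 {
		// Manifests exist but declare nothing: still worth a reviewer's look.
		return NeedsReview, fmt.Sprintf("Dependency manifests found (%s) but none declare dependencies.", strings.Join(names, ", "))
	}
	return Passed, fmt.Sprintf("Dependency manifests found: %s", strings.Join(names, ", "))
}

func main() {
	// Constructed sample: graph enabled, one Go manifest with dependencies.
	enabled := DependencyGraph{
		Fetched:   true,
		Manifests: []Manifest{{Filename: "go.mod", DependencyCount: 14}},
	}
	r, msg := verifyDependencyManagement(enabled)
	fmt.Printf("%s: %s\n", r, msg)

	// Constructed sample: the API returned no manifests. The graph may simply
	// be disabled, so this is NeedsReview rather than Failed.
	r, msg = verifyDependencyManagement(DependencyGraph{Fetched: true})
	fmt.Printf("%s: %s\n", r, msg)
}
```

The important caveat for anyone consuming this result is that an empty dependency-graph response cannot tell "graph disabled" apart from "no manifests in the repository"; that ambiguity is exactly why the outcome is handed to a reviewer instead of being scored as a failure.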
@trumant trumant requested a review from a team as a code owner September 21, 2025 18:10
@github-actions github-actions bot added the fix label Sep 21, 2025
@kusari-inspector (Kusari Inspector) commented

Kusari Analysis Results:

Proceed with these changes

✅ No Flagged Issues Detected
All values appear to be within acceptable risk parameters.

No pinned version dependency changes, code issues or exposed secrets detected!

Note

View full detailed analysis result for more information on the output and the checks that were run.

Commit: d523c93, performed at: 2025-09-21T18:10:15Z


@jmeridth jmeridth merged commit 4c2579d into main Sep 21, 2025
7 checks passed
@jmeridth jmeridth deleted the issues/145 branch September 21, 2025 18:36