Code review comment for ~ebarretto/ubuntu-cve-tracker:new-pkg-cache

LGTM! Thanks for this :)

A couple of side notes:

* As the cache-dir is mandatory for the script to run, I would change that to be a mandatory CLI argument. From a different perspective, we could specify some directory as the default one (somewhere in UCT) and allow the user to select an alternative one. If we consider this as a replacement for source_map, we should have a default.

* Regarding "if a package is removed during devel cycle, it still will show up in the pkg cache", we could include the source package status as a new key in the structure. That would allow the tooling to quickly retrieve only the Published packages but still retain the information regarding other statuses for OVAL.