separate risk index computation into configuration

[sbenthall]

Currently the risk index is computed with point values for code features hard coded into the script:

https://github.com/linuxfoundation/cii-census/blob/master/oss_package_analysis.py#L313

In the interest of having the risk index be something that can be trained based on scientific evaluation of open source communities, it would be better if these values were configurable rather than being hard-coded.

[david-a-wheeler]

Fair enough. Any particular preferences on how, or what format to use?

[david-a-wheeler]

Issue #40 may be a way to implement this - thoughts?

We expressly didn't using training algorithms because there's no "truth" value to train against. If there is such a dataset, I'd love to know about it.