Engineering discovery for auto remediate MVC

The goal of this issue is to have specs defined, together with the implementation details, that will allow us to implement https://gitlab.com/gitlab-org/gitlab-ee/issues/5656.

Nothing will be shipped as part of the product when this issue is closed.

Goal

When dependency scanning finds a vulnerable dependency, it may also report a solution, for example bumping the dependency to a newer version. We already have this information available, but we are still not able to leverage it in an automated way.

We will start by focusing on a specific package manager, but we should try to find a generic approach that can be extended to other package managers as well.

Once we can access this information automatically, we should create a new branch and commit the needed changes. For example, a modified Gemfile.lock to change the version information.

A merge request is then required to merge the automatically created branch into the original branch, since we don't want to alter the original branch directly.

The technical steps are:

  1. fetch the suggested solution from the vulnerability information
  2. parse the solution to extract the action to take (e.g., update to version N)
  3. map the solution to a sequence of changes that are able to fix the problem (e.g., search & replace in a file)
  4. create a new branch in the repository
  5. commit the updated dependency file (e.g., Gemfile.lock) to the new branch
  6. create a merge request to merge the modified version into the original branch
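As an added example (not code from this issue or from GitLab), a sketch of steps 2 and 3 in Python: parse a free-text solution for the target version, then apply the matching search & replace to a Gemfile.lock, refusing to produce a change when the pin cannot be located unambiguously. The finding's field names and the sample lock file are constructed assumptions, not the real report schema.

```python
import re

# Constructed sample finding; the field names are an assumption, not the
# real dependency-scanning report schema.
FINDING = {
    "package": "rails-html-sanitizer",
    "version": "1.0.3",
    "solution": "Upgrade to version 1.0.4 or above",
}

# Constructed Gemfile.lock fragment used as the file to remediate.
GEMFILE_LOCK = """GEM
  remote: https://rubygems.org/
  specs:
    loofah (2.2.2)
    rails-html-sanitizer (1.0.3)
      loofah (~> 2.2, >= 2.2.2)

DEPENDENCIES
  rails-html-sanitizer
"""

# Step 2: extract "update to version N" from the free-text solution.
VERSION_RE = re.compile(
    r"(?i)\b(?:upgrade|update|bump)\s+to\s+(?:version\s+)?v?(\d+(?:\.\d+)+)")


def parse_solution(solution):
    """Return the target version named in the solution text, or None."""
    m = VERSION_RE.search(solution)
    return m.group(1) if m else None


def patch_gemfile_lock(lock_text, package, old_version, new_version):
    """Step 3: rewrite 'package (old)' to 'package (new)' on its own line in
    the specs block. Returns (new_text, count); count != 1 means the pin was
    not found exactly once and nothing should be committed."""
    pin = re.compile(r"^(\s+)%s \(%s\)$" % (re.escape(package), re.escape(old_version)), re.M)
    return pin.subn(r"\g<1>%s (%s)" % (package, new_version), lock_text)


def build_remediation(finding, lock_text):
    """Map a finding to the branch name and file content to commit (steps 4-5
    would then push this to the repository). Returns None if not remediable."""
    target = parse_solution(finding["solution"])
    if target is None:
        return None
    new_text, count = patch_gemfile_lock(lock_text, finding["package"], finding["version"], target)
    if count != 1:
        return None
    return {"branch": "remediate/%s-%s" % (finding["package"], target), "gemfile_lock": new_text}
```

Only the top-level pin is rewritten here; a real bump must also re-resolve transitive constraints, which is why the issue weighs running the package manager itself.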

What we need to figure out:

  • Which package manager we want to address first
  • How to understand if a vulnerability is eligible for remediation (metadata?)
  • How to parse the solution to extract the actions (regex? tokens?)
  • How to create the modified files (running a tool requires a runtime environment, but could be more maintainable)
  • How to interact with the repository (create branch, commit new code, create a MR)
Edited by Fabien Catteau