Providing an up-to-date and searchable repository/database for CVEs
As illustrated in this issue, GitLab's dependency scanner gitlab-depscan, which is used in the omnibus build process, relies on the public cve-search.org API at cve.circl.lu/api, which has recently been partially shut down.
To avoid these problems in the future, we could set up our own searchable CVE database.
Proposal
gitlab-depscan searches only by dependency name and version, where "dependency" refers to a GitLab OS/infrastructure dependency (e.g., nginx) rather than a package in the dependency-scanning sense; this is why the GitLab Advisory Database cannot be used here.
As part of an MVC, we could replace cve-search.org with a git repository that contains an index linking CPEs (product/version) to the corresponding CVEs. In gitlab-depscan, instead of collecting data from the cve-search.org API through cve.circl.lu/api, we could pull the git repo with the most recent index and grep for the product and version.
We might be able to simplify this further: since we already know upfront what GitLab's dependencies are, we could build a CPE map (the CPEs we are potentially interested in) and look up only the corresponding CVEs.
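To make the two ideas above concrete (a pulled index file mapping CPEs to CVEs, and a fixed CPE map of GitLab's own dependencies to look up), here is an added example of the lookup step. It is not gitlab-depscan code; the index line format (`<CPE 2.3 string>\t<CVE id>`), the dependency list in `CPE_MAP`, the versions and every CVE id are constructed for this illustration and do not refer to real advisories.

```python
"""Hypothetical CPE -> CVE index lookup for the gitlab-depscan MVC.

Assumed index format (constructed for this example): one line per CPE/CVE pair,
tab separated. A version component of "*" means the entry applies to every
version of that product. All CVE ids below are placeholders, not real CVEs.
"""
from collections import defaultdict

# Constructed index content, as it might look after pulling the git repo.
INDEX_TEXT = """\
cpe:2.3:a:nginx:nginx:1.18.0:*:*:*:*:*:*:*\tCVE-0000-0001
cpe:2.3:a:nginx:nginx:1.20.1:*:*:*:*:*:*:*\tCVE-0000-0002
cpe:2.3:a:nginx:nginx:*:*:*:*:*:*:*:*\tCVE-0000-0003
cpe:2.3:a:postgresql:postgresql:13.4:*:*:*:*:*:*:*\tCVE-0000-0004
cpe:2.3:a:example_vendor:colon\\:product:2.0:*:*:*:*:*:*:*\tCVE-0000-0005
# comment lines and blank lines are ignored
"""

# Constructed CPE map of dependencies we care about: (vendor, product, version).
CPE_MAP = [
    ("nginx", "nginx", "1.18.0"),
    ("postgresql", "postgresql", "14.0"),
    ("redis", "redis", "6.2.5"),
    ("example_vendor", "colon:product", "2.0"),
]


def split_cpe(cpe):
    """Split a CPE 2.3 formatted string on ':' while honouring backslash escapes,
    so a product name containing an escaped colon is not cut in half."""
    parts, cur, i = [], [], 0
    while i < len(cpe):
        ch = cpe[i]
        if ch == "\\" and i + 1 < len(cpe):
            cur.append(cpe[i + 1])
            i += 2
            continue
        if ch == ":":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def parse_index(text):
    """Return {(vendor, product): {version: set(cve_ids)}} from index text."""
    index = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        cpe, cve = line.split("\t")
        fields = split_cpe(cpe)
        # A well-formed CPE 2.3 string has exactly 13 colon-separated components.
        if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
            raise ValueError(f"malformed CPE in index: {cpe}")
        vendor, product, version = fields[3], fields[4], fields[5]
        index[(vendor, product)][version].add(cve)
    return index


def cves_for(index, vendor, product, version):
    """CVEs recorded for this exact version plus those recorded for '*' (all versions)."""
    by_version = index.get((vendor, product), {})
    return sorted(by_version.get(version, set()) | by_version.get("*", set()))


def scan(index, deps):
    """Look up every (vendor, product, version) in the CPE map; keys are 'product:version'."""
    return {f"{p}:{v}": cves_for(index, ven, p, v) for ven, p, v in deps}


if __name__ == "__main__":
    for dep, cves in scan(parse_index(INDEX_TEXT), CPE_MAP).items():
        print(dep, "->", ", ".join(cves) if cves else "no known CVEs")
```

One caveat for the real index: this does exact-version matching, so advisories that are published as version ranges ("before 1.21.0") would need to be expanded to concrete versions when the index is built, or the lookup would need to compare versions against range boundaries; otherwise affected versions are silently missed.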
/cc @d0c-s4vage @idawson @mark.art @tstadelhofer @stkerr @dappelt @joernchen