Include source in dependency scanning reports
Proposal
By default, the source used to install Ruby gems is source 'https://rubygems.org'. This URL can be changed to something else, in which case AppSec will need to validate the new source.
Some gems are also forked, and while their name stays the same, the location they are downloaded from can vary, with different git or http/https URLs. Not only do we need to validate that these URLs are secure (git and http are not), but it also makes it harder for us to find where some forks are being used.
Therefore, we need the source for each dependency to be reported in https://docs.gitlab.com/ee/api/dependencies.html (and GraphQL, but we don't use it at the moment).
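To illustrate the per-dependency source data requested above (an added example, not GitLab's code and not part of the original issue), the Ruby script below reads a Gemfile.lock, returns the remote for each resolved gem, and flags git:// and http:// remotes as well as non-default sources. The lockfile is constructed, and the function names and example.test hosts are assumptions.

```ruby
# Constructed Gemfile.lock for illustration; hosts and revision are placeholders.
SAMPLE_LOCKFILE = <<~LOCK
  GIT
    remote: git://git.example.test/forks/rack.git
    revision: 0000000000000000000000000000000000000000
    specs:
      rack (2.2.8)

  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.15.4)
        racc (~> 1.4)
      racc (1.7.1)

  GEM
    remote: http://gems.example.test/
    specs:
      internal-tool (0.3.0)
LOCK
DEFAULT_SOURCE = 'https://rubygems.org'

# Return one row per resolved gem, with the remote(s) of its lockfile section.
def dependency_sources(lockfile)
  rows, section, remotes = [], nil, []
  lockfile.each_line(chomp: true) do |line|
    case line
    when /\A([A-Z ]+)\z/ # section header at column 0
      section = %w[GEM GIT PATH].include?($1) ? $1 : nil
      remotes = []
    when /\A  remote: (.+)\z/ then remotes << $1
    when /\A    (\S+) \((.+)\)\z/ # 4 spaces: resolved gem; 6 would be its dependency
      rows << { name: $1, version: $2, type: section, remotes: remotes.dup } if section
    end
  end
  rows
end

# Flag what the proposal asks AppSec to review: git:// or http:// transport, non-default sources.
def source_findings(row)
  row[:remotes].flat_map do |url|
    scheme = url[%r{\A([a-z][a-z0-9+.-]*)://}i, 1]&.downcase
    [("insecure transport: #{url}" if %w[http git].include?(scheme)),
     ("non-default source: #{url}" unless url.chomp('/') == DEFAULT_SOURCE)].compact
  end
end

# Print each gem with its source and findings when run as a script.
dependency_sources(SAMPLE_LOCKFILE).each { |r| puts r.merge(findings: source_findings(r)) } if __FILE__ == $PROGRAM_NAME
```

When a GEM section lists several remote: lines, every gem in that section is reported with all of them.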