Allow Dependency Scanner to scan for and report vulnerabilities in CGO sources
Proposal
A GitLab Ultimate customer recently reported that a Go vulnerability (CVE-2023-7104) was not reported by GitLab's scanner.
Currently, we only detect the Go modules that are used in the final binary, and do not scan for vulnerable CGO sources.
It's possible for the source files to be vendored into the project, but it's also possible for them to be linked against the libraries provided on the build platform. In the latter case, our scanner is currently not able to detect this. This request proposes that our scanner be able to detect vulnerabilities in CGO sources as well.
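The sketch below is an added example, not GitLab's scanner code and not part of the original proposal. It shows where the two cases described above leave evidence in a Go file: the comment attached to `import "C"` carries `#cgo LDFLAGS: -l...` entries for libraries taken from the build platform and quoted `#include` lines that hint at C sources shipped in the repository. The function name `InspectCgo`, the sample file and the quoted-include heuristic are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strings"
)

const sample = "package db\n\n/*\n#cgo linux LDFLAGS: -lsqlite3 -lm\n#include \"shim.h\"\n#include <stdlib.h>\n*/\nimport \"C\"\n" // constructed input

// InspectCgo returns the -l libraries and quoted headers named in the cgo preamble of src.
func InspectCgo(src string) (libs, hdrs []string, err error) {
	f, err := parser.ParseFile(token.NewFileSet(), "sample.go", src, parser.ImportsOnly|parser.ParseComments)
	if err != nil {
		return nil, nil, err
	}
	for _, decl := range f.Decls {
		gd := decl.(*ast.GenDecl) // ImportsOnly mode yields import declarations only
		for _, spec := range gd.Specs {
			is := spec.(*ast.ImportSpec)
			if is.Path.Value != `"C"` {
				continue
			}
			doc := is.Doc
			if doc == nil && len(gd.Specs) == 1 {
				doc = gd.Doc // ungrouped import: the preamble is the declaration's doc comment
			}
			for _, line := range strings.Split(doc.Text(), "\n") {
				name, args, _ := strings.Cut(strings.TrimSpace(line), ":")
				if strings.HasPrefix(name, "#cgo") && strings.HasSuffix(name, "LDFLAGS") {
					for _, a := range strings.Fields(args) {
						if strings.HasPrefix(a, "-l") && len(a) > 2 {
							libs = append(libs, a[2:]) // -lsqlite3 -> sqlite3 (platform library)
						}
					}
				} else if q := strings.Split(line, `"`); len(q) == 3 && strings.TrimSpace(q[0]) == "#include" {
					hdrs = append(hdrs, q[1]) // quoted include: hint at C sources in the repository
				}
			}
		}
	}
	return libs, hdrs, nil
}

func main() {
	fmt.Println(InspectCgo(sample))
}
```

The output is only a list of names. Matching a platform library against an advisory still requires the version installed in the build image, which the Go module graph does not record.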