
Support Vulnerability Disclosure Report (VDR) in SBOM reports

We already have a feature to generate CycloneDX SBOMs for GitLab projects. These reports could be enhanced with data about vulnerabilities known to affect the product and its dependencies, including previously reported ones that have since been addressed.

From https://owasp.org/blog/2023/02/07/vdr-vex-comparison.html:

What is VDR?

VDRs are an attestation of all vulnerabilities affecting a product, or its dependencies, along with an analysis of the impact. VDRs may come from a software supplier or a third party. NIST SP 800-161: Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations defines VDR as:

Enterprises, where applicable and appropriate, may consider providing customers with a Vulnerability Disclosure Report (VDR) to demonstrate proper and complete vulnerability assessments for components listed in SBOMs. The VDR should include the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on a component or product. The VDR should also contain information on plans to address the CVE. Enterprises should consider publishing the VDR within a secure portal available to customers and signing the VDR with a trusted, verifiable, private key that includes a timestamp indicating the date and time of the VDR signature and associated VDR.

In summary, a VDR should contain:

  • All vulnerabilities affecting a product or its dependencies
  • Analysis describing the impact (or lack thereof) that a reported vulnerability has on a product or dependency
  • Plans to address the vulnerability
  • A signature over the VDR made with a trusted, verifiable private key, including a timestamp indicating the date and time of the signature
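To make the four requirements concrete, here is an added example (not GitLab code) that merges vulnerability findings into an existing CycloneDX 1.4 SBOM as a `vulnerabilities` array and then checks the result against those requirements. Field names (`affects`, `analysis.state`, `analysis.justification`, `analysis.response`, `signature`) follow the CycloneDX 1.4 JSON schema; the SBOM, the findings, the advisory IDs and the scanner name are constructed sample data, not real advisories. Real signing would be done with an asymmetric key in CycloneDX's JSON Signature Format; the check below only verifies that a signature object and a timestamp are present, it does not verify the signature cryptographically.

```python
"""Assemble a CycloneDX 1.4 VDR from an SBOM plus findings and check it against
the four VDR requirements (coverage, analysis, plan, signed+timestamped)."""
import copy
from datetime import datetime

# Allowed values from the CycloneDX 1.4 schema for vulnerabilities[].analysis.state
ANALYSIS_STATES = {"resolved", "resolved_with_pedigree", "exploitable",
                   "in_triage", "false_positive", "not_affected"}
# States that are still open: the VDR must say what will be done about them.
NEEDS_PLAN = {"exploitable", "in_triage"}

# Constructed sample SBOM (the part an SBOM generator already produces).
SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "serialNumber": "urn:uuid:00000000-0000-4000-8000-000000000001",
    "version": 1,
    "metadata": {
        "timestamp": "2023-04-01T10:00:00Z",
        "component": {"type": "application", "name": "webapp", "version": "2.3.0",
                      "bom-ref": "pkg:npm/webapp@2.3.0"},
    },
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.20",
         "purl": "pkg:npm/lodash@4.17.20", "bom-ref": "pkg:npm/lodash@4.17.20"},
        {"type": "library", "name": "minimist", "version": "1.2.5",
         "purl": "pkg:npm/minimist@1.2.5", "bom-ref": "pkg:npm/minimist@1.2.5"},
    ],
}

# Constructed findings; the IDs are placeholders, not real CVEs.
FINDINGS = [
    {"id": "EXAMPLE-2023-0001", "ref": "pkg:npm/lodash@4.17.20",
     "state": "not_affected", "justification": "code_not_reachable",
     "detail": "The vulnerable template() code path is never called by webapp."},
    {"id": "EXAMPLE-2023-0002", "ref": "pkg:npm/minimist@1.2.5",
     "state": "exploitable", "response": ["update"],
     "detail": "Fix scheduled for webapp 2.3.1 by upgrading to minimist 1.2.6."},
]

# Placeholder JSF signature object (assumed shape; a real signer fills in value).
PLACEHOLDER_SIGNATURE = {"algorithm": "ES256",
                         "value": "<detached-signature-produced-by-signer>"}


def build_vdr(sbom, findings, signature=None):
    """Return a copy of the SBOM with a CycloneDX vulnerabilities[] array added."""
    vdr = copy.deepcopy(sbom)
    vdr["vulnerabilities"] = []
    for f in findings:
        analysis = {"state": f.get("state"), "detail": f.get("detail", "")}
        if "justification" in f:
            analysis["justification"] = f["justification"]
        if "response" in f:
            analysis["response"] = list(f["response"])
        vdr["vulnerabilities"].append({
            "id": f["id"],
            "source": {"name": "example-scanner"},   # constructed source name
            "affects": [{"ref": f["ref"]}] if f.get("ref") else [],
            "analysis": analysis,
        })
    if signature is not None:
        vdr["signature"] = signature
    return vdr


def check_vdr(vdr):
    """Return a list of human-readable problems; an empty list means the VDR
    satisfies the four requirements summarised in the issue."""
    problems = []
    meta = vdr.get("metadata", {})
    refs = {c.get("bom-ref") for c in vdr.get("components", [])}
    refs.add(meta.get("component", {}).get("bom-ref"))

    for v in vdr.get("vulnerabilities", []):
        vid = v.get("id", "<no id>")
        # 1. Every vulnerability must map onto the product or a listed dependency.
        if not v.get("affects"):
            problems.append(f"{vid}: lists no affected component")
        for a in v.get("affects", []):
            if a.get("ref") not in refs:
                problems.append(f"{vid}: affects unknown ref {a.get('ref')}")
        # 2. Analysis with an impact statement (or a reason for lack of impact).
        analysis = v.get("analysis", {})
        state = analysis.get("state")
        if state not in ANALYSIS_STATES:
            problems.append(f"{vid}: missing or invalid analysis.state")
        if not analysis.get("detail"):
            problems.append(f"{vid}: analysis.detail (impact description) is empty")
        if state == "not_affected" and not analysis.get("justification"):
            problems.append(f"{vid}: not_affected without analysis.justification")
        # 3. Open vulnerabilities must carry a remediation plan.
        if state in NEEDS_PLAN and not analysis.get("response"):
            problems.append(f"{vid}: open vulnerability has no analysis.response (remediation plan)")

    # 4. Signed, with a timestamp (presence only; no cryptographic verification here).
    ts = meta.get("timestamp")
    try:
        datetime.fromisoformat(ts.replace("Z", "+00:00"))
    except (AttributeError, ValueError):
        problems.append("metadata.timestamp missing or not ISO-8601")
    if "signature" not in vdr:
        problems.append("document carries no signature")
    return problems


if __name__ == "__main__":
    for p in check_vdr(build_vdr(SBOM, FINDINGS, signature=PLACEHOLDER_SIGNATURE)):
        print("problem:", p)
```

Run against the constructed data, the unsigned document reports exactly one problem (no signature); adding the signature object clears it, and a finding that points at a `bom-ref` absent from the SBOM or that is `in_triage` without a `response` is flagged. The same checks could run in CI against a real VDR before it is published on the customer portal that NIST describes.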

Proposal

Provide Vulnerability Disclosure Report (VDR) reports along with our SBOMs.

Edited by Philippe Lafoucrière