Set version to "unknown" for packages without a version

What does this MR do?

"Invalid" dependencies are removed from the security report's dependencies list, but not from the dependency graphs causing an invalid iid reference. This MR brings the skipped dependency back and sets its version to unknown in order to pass the security report schema validation.

What are the relevant issue numbers?

Gemnasium analyzer can generate dependency_path... (gitlab-org/gitlab#415104 - closed) • Igor Frenkel • 16.10 • At risk

Does this MR meet the acceptance criteria?

• Changelog entry added
• Documentation created/updated for GitLab EE, if necessary
• Documentation created/updated for this project, if necessary
• Documentation reviewed by technical writer or follow-up review issue created
• Tests added for this feature/bug
• Job definition updated, if necessary
  • Auto-DevOps template
  • Job definition example
  • CI Templates
• Conforms to the code review guidelines
• Conforms to the Go guidelines
• Security reports checked/validated by reviewer