feat: Add tracking-calculator to gosec

Lucas Charles requested to merge add-tracking-to-gosec into master

What does this MR do?

Adds tracking-calculator to gosec image

This method is a bit of a departure from the way we built the image for brakeman, but I think it should be a bit more DRY as we build out other analyzers around the same scripts and tooling process. Happy to take thoughts/impressions.

Depends on https://gitlab.com/gitlab-org/security-products/post-analyzers/tracking-calculator/-/merge_requests/10

Usage

❯ pwd
/Users/theoretick/code/gl/security-products/tests/go-modules

❯ docker run -it --rm --volume "$PWD":/tmp/project --env CI_PROJECT_DIR=/tmp/project --env GITLAB_FEATURES=vulnerability_finding_signatures analyzer
[INFO] [Gosec] [2021-05-04T22:43:06Z] ▶ GitLab Gosec analyzer v2.20.1
[INFO] [Gosec] [2021-05-04T22:43:06Z] ▶ Detecting project
[INFO] [Gosec] [2021-05-04T22:43:06Z] ▶ Found project in /tmp/project

[INFO] [Gosec] [2021-05-04T22:43:06Z] ▶ Running analyzer
[INFO] [Gosec] [2021-05-04T22:43:06Z] ▶ Copying modules into path...
[INFO] [Gosec] [2021-05-04T22:43:06Z] ▶ Fetching dependencies...
[INFO] [Gosec] [2021-05-04T22:43:10Z] ▶ Running gosec...
[INFO] [Gosec] [2021-05-04T22:43:11Z] ▶ Creating report
running post analyzer
[INFO] [2021-05-04T22:43:11Z] ▶ /tmp/project/gl-sast-report-post.json written

❯ cat gl-sast-report.json | jq '.vulnerabilities | map(.tracking)'
[
  {
    "type": "source",
    "items": [
      {
        "file": "main.go",
        "line_start": 14,
        "line_end": 14,
        "signatures": [
          {
            "algorithm": "scope_offset",
            "value": "main.go|main[0]:1"
          }
        ]
      }
    ]
  },
  null,
  {
    "type": "source",
    "items": [
      {
        "file": "main.go",
        "line_start": 16,
        "line_end": 16,
        "signatures": [
          {
            "algorithm": "scope_offset",
            "value": "main.go|main[0]:3"
          }
        ]
      }
    ]
  },
  {
    "type": "source",
    "items": [
      {
        "file": "main.go",
        "line_start": 22,
        "line_end": 22,
        "signatures": [
          {
            "algorithm": "scope_offset",
            "value": "main.go|main[0]:9"
          }
        ]
      }
    ]
  }
]

What are the relevant issue numbers?

gitlab-org&5144

Does this MR meet the acceptance criteria?

Edited by Lucas Charles
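As an added example (not code from this MR or from the tracking-calculator project), a small Python audit that reads the `tracking` field of a `gl-sast-report.json`, flags findings whose tracking entry is `null` (the second element in the output above) and checks that the `scope_offset` signatures within one scope all imply the same scope start line. The value layout `<file>|<scope>[<occurrence>]:<offset>` is inferred from the output above and is an assumption, as are the vulnerability ids `v1`..`v4`.

```python
import json
import re

# Constructed sample reproducing the tracking entries from the MR description
# (lines 14/16/22 of main.go) plus one finding left untracked (the null entry).
SAMPLE_REPORT = json.dumps({"vulnerabilities": [
    {"id": "v1", "tracking": {"type": "source", "items": [{"file": "main.go",
        "line_start": 14, "line_end": 14, "signatures": [
        {"algorithm": "scope_offset", "value": "main.go|main[0]:1"}]}]}},
    {"id": "v2", "tracking": None},
    {"id": "v3", "tracking": {"type": "source", "items": [{"file": "main.go",
        "line_start": 16, "line_end": 16, "signatures": [
        {"algorithm": "scope_offset", "value": "main.go|main[0]:3"}]}]}},
    {"id": "v4", "tracking": {"type": "source", "items": [{"file": "main.go",
        "line_start": 22, "line_end": 22, "signatures": [
        {"algorithm": "scope_offset", "value": "main.go|main[0]:9"}]}]}},
]})

# Assumed layout of a scope_offset value, inferred from the MR output:
# "<file>|<scope>[<occurrence>]:<offset from the start of that scope>".
SIG_RE = re.compile(r"^(?P<file>[^|]+)\|(?P<scope>[^\[]+)\[(?P<occ>\d+)\]:(?P<offset>\d+)$")


def parse_scope_offset(value):
    """Split a scope_offset signature value into (file, scope, occurrence, offset)."""
    m = SIG_RE.match(value)
    if not m:
        raise ValueError(f"unrecognised scope_offset value: {value!r}")
    return (m["file"], m["scope"], int(m["occ"]), int(m["offset"]))


def audit_tracking(report_json):
    """Return untracked finding ids, ids whose signature disagrees with the
    scope start implied by sibling signatures, and the start line per scope."""
    untracked, inconsistent, scope_starts = [], [], {}
    for vuln in json.loads(report_json)["vulnerabilities"]:
        tracking = vuln.get("tracking")
        if not tracking:
            untracked.append(vuln["id"])
            continue
        for item in tracking["items"]:
            for sig in item["signatures"]:
                if sig["algorithm"] != "scope_offset":
                    continue
                file, scope, occ, offset = parse_scope_offset(sig["value"])
                start = item["line_start"] - offset  # line where the scope begins
                if scope_starts.setdefault((file, scope, occ), start) != start:
                    inconsistent.append(vuln["id"])
    return {"untracked": untracked, "inconsistent": inconsistent,
            "scope_starts": scope_starts}
```

Run against a real report by replacing `SAMPLE_REPORT` with the file contents; a non-empty `untracked` list is the signal that some findings will not be matched across pipelines.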
