Add sobelow SAST analyzer

Lucas Charles requested to merge add-sobelow-analyzer into master

What does this MR do?

This MR adds an analyzer that does ~sast detection on Elixir Phoenix projects. sobelow can also handle ~"dependency scanning"; however, that is disabled in this tool via module loading.

A couple notes:

  1. Vulnerabilities are not well normalized, so the unique key I'm using is a slug of the function_type, used internally to identify a vulnerability category. This will be a list we have to maintain unfortunately.
  2. sobelow lineNumbers report the affected function location, not the vulnerability location. If we'd prefer to drop these as they're misleading, we can.
  3. Config module has some useful vulnerability detections however the exposed data is pretty vague and would require file traversal to identify the router.ex file (it's hardcoded within sobelow currently but could change). I think this would be a useful enhancement to detect things like secure headers, CSRF, etc, but will require more significant work.
  4. I generated the fixtures using the standard mix phx.new sample_app --no-ecto --no-webpack scaffolding command. This might be overkill for the test expectations and I could prune off all the unneeded files but I was mixed on whether it should reflect a real app. That said, the test project should work fine for that.

What are the relevant issue numbers?

https://gitlab.com/gitlab-org/gitlab-ee/issues/9399

Does this MR meet the acceptance criteria?

Edited by Lucas Charles