
Check for CVEs in Go sources including vendored modules #48

Open
jfkw opened this issue May 14, 2024 · 0 comments
jfkw commented May 14, 2024

The tool govulncheck "reports known vulnerabilities that affect Go code". Add a feature to obs-service-go_modules to run govulncheck, checking the application source and vendored modules.

Package govulncheck is already in openSUSE Factory (devel:languages:go/govulncheck).

Feature goals:

  • Report govulncheck output as plaintext in the build log for this initial version.

  • Run govulncheck by default, but do not break the Go application build based on a positive CVE report or other error at this time. A separate feature implemented later to parse JSON output can opt-in to break the build based on the CVE matching certain platform data e.g. GOOS and GOARCH. We need some operating experience with govulncheck, the https://vuln.go.dev/ service reliability and fields available in the output before it will be practical to enable a build-breaking mode.

  • Allow running only the govulncheck step without forcing re-vendoring Go applications which use a populated vendor/ directory committed into the upstream repository. Re-vendoring is normally recommended to ensure consistency, but it should be possible to skip if circumstances require doing so.

  • Soft dependency on govulncheck package, possibly becoming a hard dependency only after package is accepted into all relevant repositories. If the tool is unavailable, report that and exit.

Assigning to myself.

@jfkw jfkw self-assigned this May 14, 2024
@jfkw jfkw changed the title from "Check for CVEs in Go sources including vendored modules reference" to "Check for CVEs in Go sources including vendored modules" May 14, 2024
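The four feature goals above describe one procedure: locate govulncheck (soft dependency), optionally run against a committed vendor/ tree without re-vendoring, write the plaintext report into the build log, and never fail the build on a finding or a scan error. The script below is an added example of such a wrapper written for this issue; it is not obs-service-go_modules code and nothing in the issue specifies this shape. It assumes the function is called with the unpacked source directory and a mode ("module" or "vendor"), that govulncheck exits 0 when clean and 3 when it reports vulnerabilities, and that GOFLAGS=-mod=vendor makes the go tool (and therefore govulncheck's package loading) read the committed vendor/ directory.

```shell
#!/bin/sh
# Added example wrapper for the feature described in this issue; not
# obs-service-go_modules code. Assumptions not taken from the issue:
#  - run_govulncheck_report DIR [module|vendor] is how the service would call it;
#  - govulncheck exits 0 when clean and 3 when it reports vulnerabilities;
#  - GOFLAGS=-mod=vendor selects the committed vendor/ tree without re-vendoring.

# Soft dependency: succeed only if a govulncheck binary is on PATH.
govulncheck_available() {
    command -v govulncheck >/dev/null 2>&1
}

# run_govulncheck_report DIR [module|vendor]
# Writes a plaintext report to stdout (the build log) and always returns 0,
# so a positive finding or a scan error never breaks the Go application build.
run_govulncheck_report() {
    srcdir=$1
    mode=${2:-module}

    if ! govulncheck_available; then
        echo "govulncheck: tool not available, skipping vulnerability scan"
        return 0
    fi

    # Vendor mode relies on the upstream-committed vendor/modules.txt; without
    # it the go tool cannot use vendor/, so report and skip rather than re-vendor.
    if [ "$mode" = vendor ] && [ ! -f "$srcdir/vendor/modules.txt" ]; then
        echo "govulncheck: vendor mode requested but $srcdir/vendor/modules.txt is missing, skipping scan"
        return 0
    fi

    echo "govulncheck: scanning $srcdir (mode=$mode)"
    # Run inside an 'if' so the exit status is captured even when the caller
    # runs under 'set -e'; stderr is merged so it lands in the build log too.
    if [ "$mode" = vendor ]; then
        if (cd "$srcdir" && GOFLAGS=-mod=vendor govulncheck ./... 2>&1); then rc=0; else rc=$?; fi
    else
        if (cd "$srcdir" && govulncheck ./... 2>&1); then rc=0; else rc=$?; fi
    fi

    case $rc in
        0) echo "govulncheck: no known vulnerabilities reported" ;;
        3) echo "govulncheck: WARNING: vulnerabilities reported above; not failing the build" ;;
        *) echo "govulncheck: WARNING: scan failed with exit status $rc; not failing the build" ;;
    esac
    return 0
}

# Usage: ./govulncheck-report.sh /path/to/unpacked/source [module|vendor]
if [ $# -gt 0 ]; then
    run_govulncheck_report "$@"
fi
```

The "return 0 whatever happens" contract is the point of this initial version: the report text is the deliverable, and the later JSON-parsing feature is where an opt-in build-breaking decision would be made.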