
Commit 9186ef1

Implement plugin architecture for CVE check
This change adds a plugin feature to the CVE check. The plugin feature makes adding new CVE data sources easier than the current implementation.

* Basic Specification

** Plugin directory and naming rule

Plugins are stored in scripts/lib/python/cve/plugin/ within a layer. Plugin names should use the following format:

```
eml_cve_<your plugin name>_plugin.py
```

e.g. scripts/lib/python/cve/plugin/eml_cve_myplugin_plugin.py

** Import path

The plugin's base class and libraries are in meta-emlinux/scripts/lib/python, so plugins need to import libraries from this directory. For example, implementing your plugin must include the following line:

```
from lib.python.cve.plugin.eml_cve_plugin_base import EmlCvePlugin
```

** Plugin priority

Each plugin has its own priority number. For the priority number, 1 is the lowest. This number is used to decide if a CVE is patched or unpatched if plugins have different CVE check results. For example, if PLUGIN-A (priority 1) states CVE-1111-1111 is patched but PLUGIN-B (priority 10) states it is unpatched, we adopt PLUGIN-B's analysis result because PLUGIN-B has a higher priority than PLUGIN-A.

** Base class

The EmlCvePlugin class is the base class for plugins. This class contains two methods that plugins should implement:

- update_database
- run_check

The update_database function updates the CVE database. The run_check function executes the CVE check and should return an instance of the CveCheckResultList class, which stores the CVE analysis results.

** CVE check result

The CVE check result is stored in the CveCheckResult class. This class stores the following data:

- CVE ID
- Source package name
- Patched/Unpatched status

The CveCheckResultList class stores CveCheckResult instances. When creating an instance of CveCheckResult, you should add it to the CveCheckResultList class.

** CVE vendor and product

CVE vendor and product information is stored in the CveProductList class. To get this information, use the _get_cve_products_from_source_package_name function in the EmlCvePlugin class. You can use these data like this:

```
cve_products = self._get_cve_products_from_source_package_name(src_pkg_name)
for cve_product in cve_products:
    vendor = cve_product.vendor
    product = cve_product.product
```

** Installed package information

Installed package information is stored in the PackageInfoList class. This class is iterable and returns source package names.

```
for src_pkg_name in self.installed_packages:
    data = self.installed_packages[src_pkg_name]
```

** Common library

Common functions are implemented in lib.py. One useful function is the check_affected function, which checks if a given version is affected. This function uses the LooseVersion class to compare versions.

** Logging

Add the following lines to your code to use the logger class:

```
import logging
logger = logging.getLogger("emlinux-cve-check")
```

* Improvements from current CVE check

** Support multiple types in the product list YAML file

The current CVE check feature supports the following format:

```
package:
  - vendor
  - product
```

The new CVE check feature supports dictionary style and lists containing dictionaries:

```
packageA:
  - vendor
  - product
packageB:
  - vendor: vendor name
    product: product name
  - vendor: another vendor name
    product: another product name
```

In the YAML file, the product attribute should exist but the vendor attribute is optional. This specification is based on poky's cve-check.bbclass.

** Add options for debugging

Checking CVEs with cve_check_ng.py takes command-line options similar to cve_check.py. However, some options have been added for debugging:

- skip-update: Skips the database update process.
- target-source-package: Checks only the given source package.
- dpkg-status-file: Uses a specified .dpkg_status file instead of the default file in the ${DEPLOY_DIR_IMAGE} directory.

Signed-off-by: Masami Ichikawa <masami.ichikawa@miraclelinux.com>
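Two parts of the design described in the commit message lend themselves to a worked example: accepting both product-list YAML shapes (plain vendor/product list, and a list of dictionaries with an optional vendor), and resolving conflicting per-CVE verdicts from several plugins by priority number. The block below is an added example written for this page; it is not code from meta-emlinux. The class and field names (CveProduct, CveCheckResult, and the "higher priority number wins" rule) mirror the commit message, but the project's actual API is not reproduced, the sample data is constructed, and the tie-breaking rule for equal priorities (first result seen is kept) is an assumption the commit message does not specify.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class CveProduct:
    """One (vendor, product) pair; vendor is optional per the YAML spec."""
    vendor: Optional[str]
    product: str


@dataclass(frozen=True)
class CveCheckResult:
    """Minimal model of the three fields the commit message lists."""
    cve_id: str
    src_pkg: str
    patched: bool


def parse_product_entries(entries: object) -> List[CveProduct]:
    """Normalise one package's product-list value.

    Accepted shapes (as yaml.safe_load would return them):
      ["vendor", "product"]                       -> one CveProduct
      [{"vendor": "v", "product": "p"}, {"product": "q"}] -> one per dict
    Anything else is rejected rather than silently mapped to nothing,
    so a malformed entry cannot make a package disappear from the scan.
    """
    if not isinstance(entries, list) or not entries:
        raise ValueError("package entry must be a non-empty list")
    if all(isinstance(e, dict) for e in entries):
        out: List[CveProduct] = []
        for e in entries:
            if "product" not in e:
                raise ValueError("product attribute is required")
            vendor = e.get("vendor")
            out.append(CveProduct(None if vendor is None else str(vendor), str(e["product"])))
        return out
    if len(entries) == 2 and all(isinstance(e, str) for e in entries):
        vendor, product = entries
        return [CveProduct(vendor, product)]
    raise ValueError(f"unsupported product entry shape: {entries!r}")


def load_product_list(data: Dict[str, object]) -> Dict[str, List[CveProduct]]:
    """Apply parse_product_entries to every package in a loaded YAML mapping."""
    return {pkg: parse_product_entries(value) for pkg, value in data.items()}


def merge_by_priority(
    plugin_results: Iterable[Tuple[int, List[CveCheckResult]]],
) -> Dict[Tuple[str, str], CveCheckResult]:
    """Combine results from several plugins keyed by (source package, CVE id).

    When two plugins disagree, the one with the higher priority number wins
    (1 is the lowest). On an equal priority the first result seen is kept;
    that tie rule is an assumption, not part of the commit message.
    """
    best: Dict[Tuple[str, str], Tuple[int, CveCheckResult]] = {}
    for priority, results in plugin_results:
        for result in results:
            key = (result.src_pkg, result.cve_id)
            current = best.get(key)
            if current is None or priority > current[0]:
                best[key] = (priority, result)
    return {key: value[1] for key, value in best.items()}


# Constructed sample input: the structure yaml.safe_load would produce for
# the second YAML snippet in the commit message (second packageB entry has
# no vendor to exercise the optional attribute).
SAMPLE_PRODUCT_LIST: Dict[str, object] = {
    "packageA": ["vendor", "product"],
    "packageB": [
        {"vendor": "vendor name", "product": "product name"},
        {"product": "another product name"},
    ],
}

# Constructed sample verdicts mirroring the PLUGIN-A / PLUGIN-B example:
# priority 1 says patched, priority 10 says unpatched.
SAMPLE_PLUGIN_RESULTS: List[Tuple[int, List[CveCheckResult]]] = [
    (1, [CveCheckResult("CVE-1111-1111", "packageA", patched=True),
         CveCheckResult("CVE-2222-2222", "packageB", patched=True)]),
    (10, [CveCheckResult("CVE-1111-1111", "packageA", patched=False)]),
]


if __name__ == "__main__":
    for pkg, products in load_product_list(SAMPLE_PRODUCT_LIST).items():
        print(pkg, products)
    for key, verdict in merge_by_priority(SAMPLE_PLUGIN_RESULTS).items():
        print(key, "patched" if verdict.patched else "unpatched")
```

With the sample data, CVE-1111-1111 on packageA resolves to unpatched because the priority-10 plugin overrides the priority-1 plugin, while CVE-2222-2222 keeps the only verdict available.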
1 parent f061a58 commit 9186ef1

14 files changed (+1968, -2 lines changed)


docker/Dockerfile

Lines changed: 1 addition & 0 deletions
@@ -76,6 +76,7 @@ RUN bash -c 'if test -n "$no_proxy"; then git config --global core.noproxy "$no_
7676
RUN pip install --user 'cyclonedx-python-lib>=7.3.2,<=7.5.1' --break-system-packages --no-warn-script-location
7777
RUN pip install --user jsonschema==4.21.1 --break-system-packages --no-warn-script-location
7878
RUN pip install --user spdx-tools==0.8.2 --break-system-packages --no-warn-script-location
79+
RUN pip install --user looseversion==1.3.0 --break-system-packages --no-warn-script-location
7980

8081
RUN mkdir work
8182
WORKDIR /home/build/work
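Review bot: the new `RUN pip install --user looseversion==1.3.0` line is version-pinned like the three pip installs above it, but none of the four verify package hashes, so the build image that produces the CVE report pulls unverified third-party code at build time; since this hunk adds another such dependency, consider moving the pins into a requirements file installed with `pip install --require-hashes -r requirements.txt` so that the Dockerfile records the expected artifact hashes as well as the versions.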
