kafka-site
MINOR: document how we deal with advisories for dependencies
We get questions about advisories in dependencies on a regular basis, often in the form of security scanner tool output. Because of the high likelihood of false positives, the ASF policy is not to accept such reports as security issues without additional analysis: we consider the mere fact that an advisory exists for a dependency already public knowledge.
This update makes this clearer to reporters, helps them find out whether an advisory impacts Kafka for themselves (by pointing to the dependency-check suppressions and the issue tracker), and calls on them to help out with analysis.
Thanks @raboof , can you put a description for detailing the purpose of this pull request ?
cc: @mimaison @ijuma @showuon, I would also solicit your opinion on this one.
(updated the commit and PR message)
@raboof @divijvaidya -- What is the status of this PR? Seems nothing happened for a while. Do we still plan to get this merged, or should we close it?
I feel comfortable with the current wording on this PR. Will keep this open for another 3 days for others to chime in, else I will merge this one.