
Track CVEs for kubernetes dependencies...

Open brendandburns opened this issue 5 years ago • 55 comments

Kubernetes has a very large number of golang library dependencies. While there is some work to track and ensure license compatibility, there is little to no work done to track vulnerabilities in these library dependencies.

Indeed, I don't know of a database (something like https://ossindex.sonatype.org/) for go libraries that we could use. (perhaps the CNCF can help here...)

But the lack of tools and databases isn't an excuse.

We need to do a better job here of tracking, reporting and updating our dependencies to fix known relevant security issues.

And ultimately, we also need to do a periodic audit to make sure that we aren't importing vulnerabilities into the codebase.

@philips @spiffxp @kubernetes/steering-committee

brendandburns avatar Nov 29 '18 06:11 brendandburns
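The periodic audit the issue asks for boils down to one mechanical step: take the module list the build actually resolves and intersect it with an advisory feed that states, per module, the version range an issue was introduced in and the version it was fixed in. The following is an added example written for this page, not Kubernetes code and not anything the issue author posted. It parses the concatenated JSON objects that `go list -m -json all` prints (a constructed sample is embedded so it runs offline), compares Go module versions with a small semver comparison that handles the two cases a naive string compare gets wrong (`+incompatible` build metadata and `v0.0.0-<timestamp>-<hash>` pseudo-versions, which sort below `v0.0.0`), and reports every dependency that falls inside an advisory range. The advisory records use the introduced/fixed convention of the OSV schema, but the IDs (`EXAMPLE-2018-...`), module paths and versions are all constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strconv"
	"strings"
)

// Module mirrors the fields of `go list -m -json all` output that the audit needs.
type Module struct {
	Path    string `json:"Path"`
	Version string `json:"Version"`
	Main    bool   `json:"Main"`
}

// Advisory is a simplified OSV-style record: Module is affected from Introduced
// (inclusive) up to Fixed (exclusive). Introduced "0" means "every version";
// an empty Fixed means no fix has been released.
type Advisory struct {
	ID, Module, Introduced, Fixed string
}

// Finding pairs a resolved dependency with an advisory that covers its version.
type Finding struct {
	Module, Version, AdvisoryID, Fixed string
}

// Constructed sample of `go list -m -json all` output (hypothetical module paths).
const sampleGoList = `{"Path": "k8s.io/kubernetes", "Main": true}
{"Path": "example.com/lib/yaml", "Version": "v2.1.0+incompatible"}
{"Path": "example.com/net/http2", "Version": "v0.0.0-20181001000000-0123456789ab"}
{"Path": "example.com/crypto", "Version": "v1.4.2"}`

// Constructed advisory feed (hypothetical IDs and ranges, not real CVEs).
var sampleAdvisories = []Advisory{
	{ID: "EXAMPLE-2018-0001", Module: "example.com/lib/yaml", Introduced: "0", Fixed: "v2.2.0"},
	{ID: "EXAMPLE-2018-0002", Module: "example.com/crypto", Introduced: "v1.0.0", Fixed: "v1.4.0"},
	{ID: "EXAMPLE-2018-0003", Module: "example.com/crypto", Introduced: "v1.4.1", Fixed: ""},
	{ID: "EXAMPLE-2018-0004", Module: "example.com/net/http2", Introduced: "0", Fixed: "v0.1.0"},
}

// parseModules decodes the stream of JSON objects `go list -m -json all` emits,
// skipping the main module (it has no Version to check).
func parseModules(r io.Reader) ([]Module, error) {
	dec := json.NewDecoder(r)
	var mods []Module
	for {
		var m Module
		if err := dec.Decode(&m); err == io.EOF {
			return mods, nil
		} else if err != nil {
			return nil, err
		}
		if !m.Main {
			mods = append(mods, m)
		}
	}
}

// splitSemver returns the numeric core of a "vX.Y.Z[-pre][+meta]" string and its
// pre-release tag. Build metadata such as "+incompatible" is ignored, as semver
// requires; a pseudo-version's timestamp/hash suffix is treated as a pre-release.
func splitSemver(v string) ([3]int, string) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.Index(v, "+"); i >= 0 {
		v = v[:i]
	}
	pre := ""
	if i := strings.Index(v, "-"); i >= 0 {
		pre, v = v[i+1:], v[:i]
	}
	var core [3]int
	for i, p := range strings.SplitN(v, ".", 3) {
		if n, err := strconv.Atoi(p); err == nil {
			core[i] = n // missing or non-numeric components count as 0
		}
	}
	return core, pre
}

// semverCmp orders versions numerically (v1.10.0 > v1.9.0) and places a
// pre-release or pseudo-version below the corresponding release.
func semverCmp(a, b string) int {
	ac, ap := splitSemver(a)
	bc, bp := splitSemver(b)
	for i := 0; i < 3; i++ {
		if ac[i] < bc[i] {
			return -1
		} else if ac[i] > bc[i] {
			return 1
		}
	}
	switch {
	case ap == bp:
		return 0
	case ap == "":
		return 1
	case bp == "":
		return -1
	}
	return strings.Compare(ap, bp)
}

// match returns every (module, advisory) pair whose version lies in the affected range.
func match(mods []Module, advs []Advisory) []Finding {
	var out []Finding
	for _, m := range mods {
		for _, a := range advs {
			if a.Module != m.Path {
				continue
			}
			// Introduced "0" must not go through semverCmp: a pseudo-version
			// sorts below v0.0.0 and would otherwise be reported as unaffected.
			if a.Introduced != "0" && semverCmp(m.Version, a.Introduced) < 0 {
				continue
			}
			if a.Fixed != "" && semverCmp(m.Version, a.Fixed) >= 0 {
				continue
			}
			out = append(out, Finding{m.Path, m.Version, a.ID, a.Fixed})
		}
	}
	return out
}

func main() {
	mods, err := parseModules(strings.NewReader(sampleGoList))
	if err != nil {
		panic(err)
	}
	for _, f := range match(mods, sampleAdvisories) {
		fix := f.Fixed
		if fix == "" {
			fix = "no fix released"
		}
		fmt.Printf("%s %s affected by %s (fixed in %s)\n", f.Module, f.Version, f.AdvisoryID, fix)
	}
}
```

In a real audit job the `sampleGoList` constant would be replaced by the live output of `go list -m -json all` from the repository being checked, and `sampleAdvisories` by records fetched from whatever advisory database the project settles on; the range matching and the version-comparison pitfalls are the same regardless of the feed. Note that the crypto module in the sample is reported once, for the unfixed advisory, and not for the one it has already moved past, which is the distinction an auditor needs in order to tell "upgrade" from "no upgrade available yet".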