Add list of resolved vulnerabilities to the PR Comment / Logs

[felickz]

Not all here is a negative outcome, give developers a pat on the back when they are removing vulnerabilities by upgrading or removing packages (or their transitive dependencies). Consider adding to the PR summary and workflow logs the list of vulnerabilities that have been removed. This will be a great view to show when there are no outstanding open vulnerabilities and just a list of removed - the workflow we would expect most to take when iterating through resolving the issues that dependency-review-action highlights on a PR 🎉 !

The dependency review api will return the list of vulnerabilities on removed packages, so we should have this data

{
  "change_type": "removed",
  "manifest": "docs/package-lock.json",
  "ecosystem": "npm",
  "name": "tough-cookie",
  "version": "2.4.3",
  "package_url": "pkg:npm/tough-cookie@2.4.3",
  "license": "BSD-3-Clause",
  "source_repository_url": "https://github.com/salesforce/tough-cookie",
  "scope": "development",
  "vulnerabilities": [
    {
      "severity": "moderate",
      "advisory_ghsa_id": "GHSA-72xf-g2v4-qvf3",
      "advisory_summary": "tough-cookie Prototype Pollution vulnerability",
      "advisory_url": "https://github.com/advisories/GHSA-72xf-g2v4-qvf3"
    }
  ]
}

The only concerning points I can find here:

• if there is still usage of this package/vulnerability elsewhere in another manifest- the per package vulnerability view might give a false sense of removing the vulnerability across the entire repo. If we show them grouped per package as the pr comment/logs already do, then this should be a minor concern.
• Updating a package to a new version might resolve a vulnerability but pull in new ones - this is shown as a removed and then an added for the new version

Example Update that both adds and removes vulns

gh api /repos/octodemo/demo-vulnerabilities-ghas/dependency-graph/compare/c48a4c7abca9270ddac57bbf0bffcdc07cddc4d0...48fac5a62790ad358d078af647a0d53da6874ecb | jq '.[] | select(.name=="tar")'

{
  "change_type": "added",
  "manifest": "docs/package-lock.json",
  "ecosystem": "npm",
  "name": "tar",
  "version": "2.2.2",
  "package_url": "pkg:npm/tar@2.2.2",
  "license": "ISC",
  "source_repository_url": "https://github.com/isaacs/node-tar",
  "scope": "development",
  "vulnerabilities": [
    {
      "severity": "high",
      "advisory_ghsa_id": "GHSA-3jfq-g458-7qm9",
      "advisory_summary": "Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization",
      "advisory_url": "https://github.com/advisories/GHSA-3jfq-g458-7qm9"
    },
    {
      "severity": "high",
      "advisory_ghsa_id": "GHSA-5955-9wpr-37jh",
      "advisory_summary": "Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization",
      "advisory_url": "https://github.com/advisories/GHSA-5955-9wpr-37jh"
    }
  ]
}
{
  "change_type": "removed",
  "manifest": "docs/package-lock.json",
  "ecosystem": "npm",
  "name": "tar",
  "version": "2.2.1",
  "package_url": "pkg:npm/tar@2.2.1",
  "license": "ISC",
  "source_repository_url": "https://github.com/isaacs/node-tar",
  "scope": "development",
  "vulnerabilities": [
    {
      "severity": "high",
      "advisory_ghsa_id": "GHSA-j44m-qm6p-hp7m",
      "advisory_summary": "Arbitrary File Overwrite in tar",
      "advisory_url": "https://github.com/advisories/GHSA-j44m-qm6p-hp7m"
    },
    {
      "severity": "high",
      "advisory_ghsa_id": "GHSA-3jfq-g458-7qm9",
      "advisory_summary": "Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization",
      "advisory_url": "https://github.com/advisories/GHSA-3jfq-g458-7qm9"
    },
    {
      "severity": "high",
      "advisory_ghsa_id": "GHSA-5955-9wpr-37jh",
      "advisory_summary": "Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization",
      "advisory_url": "https://github.com/advisories/GHSA-5955-9wpr-37jh"
    }
  ]
}