GitLab

To match the new CLI structure, adjust the invocation to match it.

This will report invalid secfix entries, either because the version is
incorrect, or the vulnerability identifier is incorrect.

cobra is more flexible than the default flags package, and you can use
it to easily implement subcommands.

The goal of nq was to make sure only one instance of the update script
was running. The problem is that nq does not write the log output to
stdout, but rather to dedicated files. This makes it harder to see the
output with docker(-compose) logs.

Use `flock`, which is meant for these scenarios and provides the output
of the script to stdout.

This makes it possible to monitor that the secdb is still updated.

The licence is installed to `/var/www/html`. When html does not exist yet,
the file will actually end up as `html` in the `/var/www` directory, due
to the missing '/' at the end.

See merge request !5

we determined the secdb will be licensed under CC-BY-SA licensing
terms last week in #alpine-security IRC.

This implementation does not suffer from the issue that lua has, where it
cannot distinguish from an empty list and an empty array, without having to
resort to post processing to fix issues.

See merge request !4

Things like traefik, and the webnetwork are production settings. Put
those settings in a separate file that can be symlinked to
`docker-compose.override.yml` on the production host.

Build the go secdb application and adopt generate_secdb.sh to run it.

Lua has just a single structure, namely a table, which is used for both
lists and maps. This poses a problem when a list is empty, because it's
not able to distinguish between the 2, and will default to a map.

This implementation:

* Defines the exact structure
* Writes out json and yaml at the same time
* Fetches release, instead of statically defining it in-line

And because it's statically built, has no dependencies except musl.

See: #2

Add 3.13 support

See merge request !3