automated security warnings #1054

Closed
hohwille opened this issue Feb 3, 2023 · 2 comments · Fixed by #1083
Labels: enhancement (New feature or request), security (related to IT-Security, e.g. vulnerability), software (software-package with 3rd party products), update (related to updating software or the entire devonfw-ide)

Comments


hohwille commented Feb 3, 2023

devonfw-ide already does a great job of automating tool installations and meanwhile supports automatic updates to recent versions.
However, IT security gets more and more important. As recent vulnerabilities like CVE-2022-23521 and CVE-2022-41903 show, it would be great if devonfw-ide could automatically warn users if they are using outdated and vulnerable software. In the case of the specified CVEs it would be git, which is about the only tool we do not install and manage. However, during setup we could check the version and raise a fat and red warning if the version is vulnerable. Also, projects can and for stability also want to pin the versions of tools to get a reliable and reproducible environment for their team. So to spin this further, it would be great if in the context of #941 we could introduce some kind of configuration file that marks versions that are vulnerable. So we could add the tool and edition for git as git/git/security with something like:

```
>2.39.0
```

So when we set up a tool (or for git in case we set up the ide itself) we can check the installed version and test if that version is marked as vulnerable. In that case we would render a fat and red warning to the end-user notifying them to take action:

```
******** ATTENTION ********
You are using the tool git in version 2.38.0 that has vulnerabilities. Please update the tool to stay safe and secure.
For further details and recent information have a look at the following webpage:
https://github.com/devonfw/ide/blob/master/documentation/vulnerabilities.asciidoc
```

Obviously we would also create this asciidoc documentation page and explain how to update git and how to update tools maintained by devonfw-ide and how to proceed depending on your team role (developer should inform ide admin or provide PR for settings while settings admin should directly push the change and inform the team to call devon ide update).

To explain an advanced use-case:
Suppose a tool maintains several major versions and vulnerabilities only apply to 1.x versions up to 1.11.0 and to 2.x versions up to 2.0.23. Then we can write this to the security file:

```
1.0>1.11.0
2.0>2.0.23
```

This would mean that the versions 1.0-1.11.0 and 2.0-2.0.23 are considered vulnerable.
If we instead write this:

```
>1.11.0
2.0>2.0.23
```

This would mean that the versions 0-1.11.0 and 2.0-2.0.23 are considered vulnerable, so 0.x versions are also included.
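The range semantics proposed in this issue (a `security` file with one `MIN>MAX` or `>MAX` line per vulnerable range, both bounds inclusive, a missing `MIN` meaning "from version 0") are small enough to pin down in a reference checker. The following is an added example, not code from devonfw-ide or from the pull request that closed this issue. Beyond what the issue states, it assumes that versions are purely numeric dot-separated strings (a non-numeric version is rejected rather than silently treated as safe) and that a missing component compares as zero (`1.0` equals `1.0.0`); the `check_tool` function, `GIT_SECURITY_FILE` and `VULN_URL` names are constructed for the example.

```python
"""Added example: a reference checker for the proposed `security` file format.

Not devonfw-ide's own code. Assumptions beyond the issue text: a range line is
`MIN>MAX` or `>MAX`, both bounds are inclusive, versions are purely numeric
dot-separated strings, and a missing MIN means "from version 0".
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Parse "2.39.0" into (2, 39, 0). Only numeric components are accepted
    (assumption); anything else raises instead of being treated as safe."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version syntax: {text!r}")
    return tuple(int(p) for p in parts)


def version_le(a: Version, b: Version) -> bool:
    """a <= b, padding the shorter tuple with zeros so that 1.0 == 1.0.0."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) <= b + (0,) * (width - len(b))


@dataclass(frozen=True)
class VulnerableRange:
    low: Optional[Version]  # None: the range starts at version 0
    high: Version           # inclusive upper bound (last vulnerable version)

    def contains(self, v: Version) -> bool:
        if self.low is not None and not version_le(self.low, v):
            return False
        return version_le(v, self.high)


def parse_security_file(text: str) -> List[VulnerableRange]:
    """One range per non-empty line, e.g. ">2.39.0" or "1.0>1.11.0"."""
    ranges: List[VulnerableRange] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.count(">") != 1:
            raise ValueError(f"expected 'MIN>MAX' or '>MAX', got {raw!r}")
        low_text, high_text = line.split(">")
        low = parse_version(low_text) if low_text.strip() else None
        ranges.append(VulnerableRange(low, parse_version(high_text)))
    return ranges


def is_vulnerable(version: str, security_file: str) -> bool:
    """True if `version` falls into any range listed in the security file."""
    v = parse_version(version)
    return any(r.contains(v) for r in parse_security_file(security_file))


def render_warning(tool: str, version: str, url: str) -> str:
    """The warning text proposed in the issue (terminal colouring left out)."""
    return (
        "******** ATTENTION ********\n"
        f"You are using the tool {tool} in version {version} that has vulnerabilities. "
        "Please update the tool to stay safe and secure.\n"
        "For further details and recent information have a look at the following webpage:\n"
        f"{url}"
    )


# Constructed sample input: the git/git/security file from the issue.
GIT_SECURITY_FILE = ">2.39.0\n"
VULN_URL = "https://github.com/devonfw/ide/blob/master/documentation/vulnerabilities.asciidoc"


def check_tool(tool: str, installed: str, security_file: str) -> Optional[str]:
    """Return the warning to show for `installed`, or None if no range matches."""
    if is_vulnerable(installed, security_file):
        return render_warning(tool, installed, VULN_URL)
    return None


if __name__ == "__main__":
    for v in ("2.38.0", "2.39.0", "2.39.1"):
        print(v, "->", check_tool("git", v, GIT_SECURITY_FILE) or "ok")
```

Running the block checks the three git versions against `>2.39.0`: 2.38.0 and 2.39.0 fall inside the range (the issue's CVEs were fixed in the release after 2.39.0, so 2.39.0 itself is still flagged), 2.39.1 does not. The two-range files from the advanced use-case behave as the issue describes: `1.0>1.11.0` leaves 0.x untouched, `>1.11.0` pulls 0.x in.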

@hohwille hohwille added enhancement New feature or request software software-package with 3rd party products update related to updating software or the entire devonfw-ide security related to IT-Security (e.g. vulnerability) labels Feb 3, 2023
@CREITZ25 CREITZ25 linked a pull request Mar 19, 2023 that will close this issue
CREITZ25 added 5 commits to CREITZ25/ide that referenced this issue Mar 27, 2023
CREITZ25 added 4 commits to CREITZ25/ide that referenced this issue Mar 28, 2023
@hohwille hohwille linked a pull request Mar 28, 2023 that will close this issue
@hohwille hohwille added this to the release:2023.04.001 milestone Mar 28, 2023
hohwille (Member, Author) commented

Feature is properly implemented.
I reopen this issue as a reminder because when the new ide-urls repo is populated, I want to add the security config for git.

hohwille (Member, Author) commented

I created issue #1106 for the remaining todos so we can close this issue now.
