This way new CVEs that are added will start off being listed, but not
with a link. When upstream (currently redhat) publishes the CVE, a
cronjob will pick this up and update it with a link.
Of course, we still only show CVEs that are listed as public, but this
should hopefully get rid of some of the questions of why we link to a
404.
This finally moves the patches into the db, which makes it a lot easier
to filter patches in the views.
It also adds the new way of categorising patches, which is assigning
them a CVSSv3 score.
For now, there are no public views to this, and the old static pages
remain. This is so we can backfill all existing security patches before
we make it public.
