Spike into current GitHub Security Alerts

[cmaeng]

Description

A list of known security advisories and dependency alerts can be found in GitHub here: https://github.com/department-of-veterans-affairs/va.gov-cms/network/alerts

This is part of a larger plan to allow space in each sprint to review and resolve security issues. Epic https://github.com/department-of-veterans-affairs/va.gov-cms/issues/1750 will capture a checklist of things we'll want to review and at least one story will be added to each sprint to address.

We want to go through the existing list of security alerts and understand each one in regards to the following criteria:

Acceptance Criteria

• [ ] Evaluate each of the 11 alerts here https://github.com/department-of-veterans-affairs/va.gov-cms/network/alerts
• [ ] For each alert: Create PR, link to this issue OR "dismiss" with valid reason of
  • A fix has already been started
  • No bandwidth to fix this
  • Risk is tolerable to this project
  • Vulnerable code is not actually used
• [ ] We have communicated that the issues have been addressed to the team and DEPO

[ElijahLynn]

Marked Simplesaml PHP alert as "risk is tolerable to this project" because it only applies to case-insensitive filesystems such as Windows Servers NTFS, which we are not using because we use EXT4 in case-sensitive mode (default) on Linux. https://github.com/department-of-veterans-affairs/va.gov-cms/network/alert/composer.lock/simplesamlphp%2Fsimplesamlphp/closed

1 down, 10 to go.

[TheBoatyMcBoatFace]

Refinement discussion:

• Look into RSS Feed/Webhooks to send new Dependabot alerts into Slack Channel
• Streamline automated alerts

[EWashb]

This was completed in #13498