[feature] Add VEX Hub support

[funnelfiasco]

Is your feature request related to a problem? Please describe.

This was mentioned by Lukas Hoehl in Slack. VEX statements aren't always easy to find. VEX Hub automatically collects VEX statements and makes them easily discoverable.

Describe the solution you'd like
A certifier that queries VEX Hub for VEX statements affecting pURLs found in GUAC data.

Describe alternatives you've considered
Directly incorporating vexhub-crawler or similar into GUAC to fetch the VEX statements directly.

Additional context
This was the subject of a conversation at KubeCon today. It should be relatively simple to create a certifier for this, it "just" needs someone with the time to write the code.

[hown3d]

Thanks for opening an issue on this topic!

From my undestandment there is not THE VEX hub. I've seen VEX hub from aqua and VEX hub from rancher.
I think the certifier should conform to the VEX Repo Spec.

Another question in place is how the certifier would discover those repositories. I guess a configuration option?

[lumjjb]

We're interested in this definitely! @knqyf263 would you be able to give us an overview and maybe have a discussion of integrations on one of our GUAC maintainer calls?

CC: @itaysk

[knqyf263]

@lumjjb Sure. This is a blog from @itaysk. Also, my presentation.

As @hown3d pointed out, any VEX repositories that conform to the spec should be worked with GUAC. For example, both Aqua VEX Hub and Rancher VEX Hub work with Trivy, which implements the spec. We'll give you an overview in a call.