Migrate to V3 advisory format

[tarcieri]

The V3 advisory format uses Markdown with TOML frontmatter. It was originally proposed in #240 and implemented (with some changes from the original proposal) in RustSec/rustsec-crate#167.

The new format allows us to see renderings of Markdown-formatted descriptions in PRs and when viewing advisories on GitHub. Barring any unforeseen circumstances, this will be the final stable advisory format, and will unlock releasing 1.0 versions of the various RustSec crates.

In #240, we suggested attempting a migration today, October 1st, 2020 (i.e beginning of Q3), which this issue is for tracking.

Example advisory:

https://raw.githubusercontent.com/RustSec/rustsec-crate/master/tests/support/example_advisory_v3.md

Rendered:

[advisory]
id = "RUSTSEC-2001-2101"
package = "base"
date = "2001-02-03"
url = "https://www.youtube.com/watch?v=jQE66WA2s-A"
categories = ["code-execution", "privilege-escalation"]
keywords = ["how", "are", "you", "gentlemen"]
aliases = ["CVE-2001-2101"]
cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"

[versions]
patched = [">= 1.2.3"]
unaffected = ["0.1.2"]

[affected]
arch = ["x86"]
os = ["windows"]
functions = { "base::belongs::All" = ["< 1.2.3"] }

All your base are belong to us

You have no chance to survive. Make your time.

[Shnatsel]

Do we have a format specification listing all the fields (like a schema) and specifying how to parse this format? For example, the handling of "```" occurring in the TOML body or in the description can be ambiguous.

I feel that ease of parsing is a necessary constraint for the format, and I'm not comfortable stabilizing it until the proper way to parse it is specified and is found feasible to implement in third-party tooling.

[tarcieri]

There are two ways to parse it:

• Parse the whole file as Markdown and extract the contents of the first code block, which the document MUST begin with and MUST be TOML
• Ensure the file begins with ```toml, split its contents at the next encountered ``` delimiter, treat the beginning as TOML and the end as Markdown. This fairly simple and closer to the method the RustSec parser uses (although it would be interesting to eventually transition to something closer to above).

Also per #240 I feel it's a little late to be voicing concerns here. If there's a serious issue we can revert.

[tarcieri]

One snag: the linter needs to be updated, since it parses the raw TOML as a toml::Value

[Shnatsel]

Yeah, I'm always late with these to the point of being unhelpful 😞

[tarcieri]

WIP PR to translate the database here: #420

[tarcieri]

All advisories have been translated into the new format in #420.

We still have the option of rolling back if there are any showstoppers, but so far everything seems to be working normally on versions of cargo-audit which support the new format (v0.12.0+)

[tarcieri]

The only lingering issue right now, I think is this may have broken assign-ids. I'm trying to fix part of it here:

#421