Goal: Allow organization and repository owners in Quay to suppress specific CVEs so that disputed or irrelevant CVEs do not influence the image rating/scan results anymore.

Example: This vulnerability has been disputed and appears to be an application error rather than a glibc error per https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-8804

Acceptance criteria:

• CVE suppression occurs entirely in Quay
• an organization admin can define a list of CVE identifiers, which are then suppressed in any CVE report of any manifest in any repository in that organization
• a repository admin can define a list of CVE identifiers at the repository level, which are then suppressed in any CVE report of any manifest in that repository
• a repository admin can define a list of CVE identifiers in the context of a manifest, which are then suppressed  in the CVE report of the manifest
• the manifest security API endpoint in Quay will by default omit suppressed CVEs but can be called in a way where suppressed CVEs are part of the report
• CVE reports can optionally show suppressed CVEs in the UI but don't do that by default (needs to be possible in API and UI)
• CVE reports in the UI by default show the number of suppressed CVEs in summary sections
• if different CVE identifiers are configured to be suppressed at the organization and/or repository and/or manifest level, they will combined into a larger set that will be used to filter the vulnerability report of a manifest
• suppressed CVEs never cause or are included in Repository notifications
• modifications of CVE suppression settings are logged in the action logs
• CVE identifiers are entered as alphanumeric strings without spaces
• when retrieving a vulnerability report, filtering for suppressed CVEs is done by matching the configured CVE identifiers as substrings against the CVE identifiers in the original report from Clair
• CVE suppression is only implemented in the new UI, the old UI will only show reported filtered for configured CVE suppressions