Given a repository name and a vulnerability (CVE-ID) return the first (in chronological order) tag or digest which fixed that vulnerability or none is not fixed. If the CVE never existed in the repository also return none, but also some indicator (such as a error message) that it never existed.

This would allow Security Scanners to tell which tag or digest they need to upgrade to in order to fix a vulnerability, reducing the risk of a breaking change, or also providing protection from the given vulnerability.