Add logging for packages and vulnerabilities

[TG1999]

• Any change done on any package or vulnerability should be logged and should be shown on the UI as an activity on that entity.
• Add a log for each vulnerability with the data and advisory it has been formed, see also: Ingest npm data through github api #1025 #1027 (comment).

A log should have:

• action date
• actor (importer/ improver)
• object (package/vulnerability)
• supporting data (how object and actor are associated, source of the log for example: URL of the advisory)
• vulnerablecode version ( version of vulnerablecode that was used at that time )

In VCIO we have these kind of situations as of now that we want to log:

• Importing an Advisory into VCIO - We need to log when the advisory was actually published upstream for every vulnerability and by which data source we have imported that advisory into VCIO with the source URL.
• Package-Vulnerability relationship logs - If a package is affected by/fixing a vulnerability, we should log it on the package and vulnerability side with the date when this inference was drawn.

See related issues:

• Implement structured logging #590
• Enhancement: Make dates more visible and usable in VCIO #924
• Report newly added CVEs/vulnerabilities #536

Reported by @pombredanne

[DennisClark]

refer to "activitypub" and "activitystream" for logging models

[DennisClark]

note: trying to make this consistent with all the aboutcode projects.

[TG1999]

Ater all discussion PR #1310 is ready for review now

[TG1999]

Making a follow-up issue for adding improver for the packages and vulnerabilities that were imported prior introducing changelog and closing this for now. #1388