Implement script to identify <no-dsa> CVEs that should be fixed
The criteria for marking CVEs with <no-dsa> are slightly different for the Security Team and the LTS team. For instance, stable and oldstable (while oldstable is still the responsibility of the Security Team) have regular point releases, so the Security Team can mark a CVE as <no-dsa> and defer the fix to a point release update. LTS has no point releases, so there are circumstances in which the LTS team would evaluate that same CVE as needing a fix.

The differences in criteria, together with the evolution of the releases over their lifecycle, occasionally create a situation where a particular CVE is fixed in LTS-1 (i.e., the previous LTS release) and in LTS+1 (i.e., oldstable as maintained by the Security Team), but that same CVE is marked <no-dsa> in LTS.
The task, then, is to implement a script that identifies packages in the situation described above.
Note that this task relates to #5 (closed) and so any script or automation that is implemented should be consistent with the associated process documentation.
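One way such a script could work, as an added example rather than the LTS team's own implementation: parse the per-release annotations in the security tracker's `data/CVE/list` layout (`[codename] - package status` lines under each CVE header) and report every (CVE, package) pair whose LTS status is `<no-dsa>` while both LTS-1 and LTS+1 carry a fixed version. The sample entries, the placeholder CVE ids and package names, and the choice of bullseye / buster / bookworm as LTS, LTS-1 and LTS+1 are all constructed for illustration. The example only looks at explicit release annotations; the tracker's rule that an unannotated release inherits the unstable entry is deliberately left out.

```python
"""Find CVEs marked <no-dsa> in LTS but fixed in LTS-1 and LTS+1.

Added example, not the LTS team's script.  Input follows the layout of
the security tracker's data/CVE/list; all entries below are constructed.
"""
import re
from collections import defaultdict

# Constructed sample.  Header line per CVE, then tab-indented lines:
# "- pkg version" is the unstable entry, "[codename] - pkg status"
# annotates one release.  CVE ids and package names are placeholders.
SAMPLE = """\
CVE-0000-0001 (example: deferred in LTS but fixed on both sides)
	- examplepkg 2.0-1
	[bookworm] - examplepkg 1.9-1+deb12u1
	[bullseye] - examplepkg <no-dsa> (Minor issue)
	[buster] - examplepkg 1.7-2+deb10u3
CVE-0000-0002 (example: deferred everywhere, nothing to do)
	- examplepkg 2.0-1
	[bookworm] - examplepkg <no-dsa> (Minor issue)
	[bullseye] - examplepkg <no-dsa> (Minor issue)
	[buster] - examplepkg <no-dsa> (Minor issue)
CVE-0000-0003 (example: not-affected is not a fix)
	- otherpkg 5.1-1
	[bookworm] - otherpkg 5.0-1+deb12u1
	[bullseye] - otherpkg <no-dsa> (Minor issue)
	[buster] - otherpkg <not-affected> (Vulnerable code not present)
CVE-0000-0004 (example: two packages, only one qualifies)
	- libfoo 3.4-1
	[bookworm] - libfoo 3.3-1+deb12u2
	[bullseye] - libfoo <no-dsa> (Minor issue)
	[buster] - libfoo 3.1-1+deb10u1
	- libbar 1.0-1
	[bullseye] - libbar <unfixed>
"""

CVE_HEADER = re.compile(r"^(CVE-\d{4}-\d{4,})")
RELEASE_LINE = re.compile(r"^\t\[(?P<rel>[^\]]+)\] - (?P<pkg>\S+) (?P<status>\S+)")
# A status is a fix when it is a version string rather than a <marker>
# such as <no-dsa>, <unfixed>, <not-affected> or <postponed>.
MARKER = re.compile(r"^<.*>$")


def parse_cve_list(text):
    """Return {cve: {pkg: {release: status}}} from CVE/list text.

    Only explicit per-release annotations are recorded.  In the real
    tracker an unannotated release inherits the unstable entry; that
    inference is intentionally not reproduced here.
    """
    entries = defaultdict(lambda: defaultdict(dict))
    cve = None
    for line in text.splitlines():
        m = CVE_HEADER.match(line)
        if m:
            cve = m.group(1)
            continue
        if cve is None:
            continue
        m = RELEASE_LINE.match(line)
        if m:
            entries[cve][m["pkg"]][m["rel"]] = m["status"]
    return entries


def is_fixed(status):
    """True when the annotation is a version string, i.e. a real fix."""
    return status is not None and not MARKER.match(status)


def candidates(entries, lts, lts_prev, lts_next):
    """(cve, pkg) pairs: <no-dsa> in LTS, fixed in both neighbouring releases."""
    found = []
    for cve, pkgs in sorted(entries.items()):
        for pkg, rels in sorted(pkgs.items()):
            if rels.get(lts) != "<no-dsa>":
                continue
            if is_fixed(rels.get(lts_prev)) and is_fixed(rels.get(lts_next)):
                found.append((cve, pkg))
    return found


if __name__ == "__main__":
    # Assumed mapping for the run: bullseye as LTS, buster as LTS-1,
    # bookworm as LTS+1 (oldstable).
    hits = candidates(parse_cve_list(SAMPLE), "bullseye", "buster", "bookworm")
    for cve, pkg in hits:
        print(f"{cve} {pkg}: <no-dsa> in bullseye, fixed in buster and bookworm")
```

Running it against the constructed sample reports CVE-0000-0001/examplepkg and CVE-0000-0004/libfoo; CVE-0000-0003 is skipped because `<not-affected>` in LTS-1 is not a fix, and CVE-0000-0002 because no neighbouring release has one either. A real run would read `data/CVE/list` from a security-tracker checkout instead of `SAMPLE`.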