Show warning when using PIP_EXTRA_INDEX_URL

What does this MR do?

This MR adds the following warning message if a user configures the PIP_EXTRA_INDEX_URL environment variable:

[WARN] [gemnasium-python] [2021-06-16T08:29:18Z] ▶ Detected PIP_EXTRA_INDEX_URL environment variable configured to
'http://test.com'. An issue exists in all versions of pip when configuring the PIP_EXTRA_INDEX_URL variable because
it installs the version with the highest version number, even if the user had intended to obtain a private package
from a private index. Exploitation requires that the package does not already exist in the public index (and thus
the attacker can put the package there with an arbitrary version number). Please see
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20225 for more details.

Follow-up: create an MR in gemnasium-python that updates the gemnasium git submodule and adds a changelog entry

What are the relevant issue numbers?

https://gitlab.com/gitlab-org/gitlab/-/issues/258604

Testing

  • Pipeline without any additional variables:

    Successfully downloaded beautifulsoup4 Django django-contrib-comments
    django-js-asset django-mptt django-tagging django-xmlrpc mots-vides Pillow
    pyparsing pytz regex
    
    [DEBU] [gemnasium-python] [2021-06-16T08:48:34Z] ▶
      /usr/local/bin/pip install --disable-pip-version-check --find-links ./dist --requirement requirements.txt
  • Pipeline with PIP_EXTRA_INDEX_URL configured:

    Successfully downloaded beautifulsoup4 Django django-contrib-comments
    django-js-asset django-mptt django-tagging django-xmlrpc mots-vides Pillow
    pyparsing pytz regex
    
    [WARN] [gemnasium-python] [2021-06-16T08:29:18Z] ▶
    Detected PIP_EXTRA_INDEX_URL environment variable configured to
    'http://test.com'. An issue exists in all versions of pip when configuring
    the PIP_EXTRA_INDEX_URL variable because it installs the version with the
    highest version number, even if the user had intended to obtain a private
    package from a private index. Exploitation requires that the package does not
    already exist in the public index (and thus the attacker can put the package
    there with an arbitrary version number). Please see
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20225 for more
    details.
    
    [DEBU] [gemnasium-python] [2021-06-16T08:29:26Z] ▶
      /usr/local/bin/pip install --disable-pip-version-check --find-links ./dist --requirement requirements.txt

Does this MR meet the acceptance criteria?

Edited by Adam Cohen
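As an added illustration of the resolution behaviour the warning refers to (not gemnasium or pip code), the following Python model pools candidates from two constructed indexes the way an extra index is merged with the main one, shows the highest version winning regardless of origin, contrasts that with a policy that resolves known-private names against the private index only, and sketches the environment-variable check the MR adds. The version ordering is simplified to dotted integers, and the index contents, package names and function names are assumptions made for the example.

```python
"""Model of the index-merging behaviour described in the warning.

Added example, not gemnasium or pip code: versions are plain dotted
integers and the two indexes are constructed dictionaries.
"""
from typing import Dict, List, Optional, Tuple

Index = Dict[str, List[str]]

# Constructed sample indexes. The private index hosts an internal package;
# the public index holds the same name at an implausibly high version, which
# is the precondition the warning describes (the name did not exist publicly,
# so anyone could register it there with an arbitrary version number).
PRIVATE_INDEX: Index = {"internal-auth-lib": ["1.2.0", "1.3.0"]}
PUBLIC_INDEX: Index = {"internal-auth-lib": ["99.0.0"], "requests": ["2.25.1"]}


def parse_version(v: str) -> Tuple[int, ...]:
    """Simplified ordering: plain dotted integers only (no PEP 440 suffixes)."""
    return tuple(int(part) for part in v.split("."))


def resolve_merged(name: str, indexes: Dict[str, Index]) -> Optional[Tuple[str, str]]:
    """Behaviour with an extra index configured: candidates from every index are
    pooled and the highest version wins, regardless of which index served it.
    Returns (version, index_label) or None when no index has the package."""
    candidates = [
        (parse_version(v), v, label)
        for label, index in indexes.items()
        for v in index.get(name, [])
    ]
    if not candidates:
        return None
    _, version, label = max(candidates)
    return version, label


def resolve_pinned_source(name: str, private_names: set, private: Index,
                          public: Index) -> Optional[Tuple[str, str]]:
    """Hardened policy: names declared private are resolved against the private
    index only; every other name is resolved against the public index only, so
    a same-named public upload cannot outrank the private package."""
    if name in private_names:
        label, source = "private", private
    else:
        label, source = "public", public
    versions = source.get(name, [])
    if not versions:
        return None
    return max(versions, key=parse_version), label


def extra_index_warning(env: Dict[str, str]) -> Optional[str]:
    """Outline of the check this MR adds: warn when PIP_EXTRA_INDEX_URL is set.
    The message text here is an abbreviated stand-in, not the MR's exact wording."""
    url = env.get("PIP_EXTRA_INDEX_URL")
    if not url:
        return None
    return f"Detected PIP_EXTRA_INDEX_URL environment variable configured to '{url}'."


if __name__ == "__main__":
    indexes = {"private": PRIVATE_INDEX, "public": PUBLIC_INDEX}
    print("merged:", resolve_merged("internal-auth-lib", indexes))
    print("pinned:", resolve_pinned_source("internal-auth-lib", {"internal-auth-lib"},
                                           PRIVATE_INDEX, PUBLIC_INDEX))
    print(extra_index_warning({"PIP_EXTRA_INDEX_URL": "http://test.com"}))
```

Running the block shows the merged resolution picking 99.0.0 from the public index for the internal package, while the pinned-source policy returns 1.3.0 from the private index; the warning function returns None when the variable is absent, which is the branch the first pipeline in the Testing section exercises.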