feat: allow controlling which extractors are enabled

[G-Rath]

This allows more flexibility by enabling users to control which extractors are enabled (or disabled), similar to call scan analysis.

Resolves #1768

[G-Rath]

todos:

• add documentation
• rename cli flags (it should be something like --disable-extractors, or maybe even "extractor" since you pass them in one at a time?)
• switch to passing the extractors themselves in osvscanner.ScannerActions rather than just their names
  • while the issue originally called for the names as strings, the end goal is to be able to pass in custom extractors/plugins, and so I'm pretty sure it costs us very little to start doing that now which might save us some deprecation work
• sort out what to do with sboms, as we currently have a unique flag for them which in the long-run we probably ideally want to get merged into -L and co

[another-rex]

rename cli flags (it should be something like --disable-extractors, or maybe even "extractor" since you pass them in one at a time?)

I'm pretty sure cli allows you to pass it in comma separated?

[G-Rath]

Yeah I'm going to refresh my memory on that, because I'm pretty sure you're right but then we were doing custom splitting for our generic license flag and so maybe we actually have a bug with that flag? so I'm going to double check what we're actually doing for all our list flags to make sure its consistent 😅

[codecov-commenter]

Codecov Report

Attention: Patch coverage is 91.37931% with 20 lines in your changes missing coverage. Please review.

Project coverage is 65.68%. Comparing base (1066081) to head (8edae54).
Report is 89 commits behind head on main.

Files with missing lines	Patch %	Lines
...nal/scalibrextract/filesystem/vendored/vendored.go	72.00%	6 Missing and 1 partial ⚠️
internal/scalibrextract/vcs/gitrepo/extractor.go	69.56%	6 Missing and 1 partial ⚠️
...nguage/java/pomxmlenhanceable/pomxmlenhanceable.go	85.71%	3 Missing ⚠️
pkg/osvscanner/scan.go	92.30%	2 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1846      +/-   ##
==========================================
+ Coverage   65.39%   65.68%   +0.28%     
==========================================
  Files         164      166       +2     
  Lines       15926    16063     +137     
==========================================
+ Hits        10415    10551     +136     
  Misses       4847     4847              
- Partials      664      665       +1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[another-rex]

This approach LGTM!

I do quite like the configure idea, I'll have a look and see if this will work for configuring plugins in scalibr as well.

As for passing extractors as types directly into the DoScan function, this does mean we'll have to make all the extractors public right? I'm not sure we want to do that in this repo, and probably will have to migrate it into OSV-Scalibr.

[another-rex]

We can get rid of the if check, if preset doesn't exist, then the for loop wouldn't run.

[another-rex]

same below

[G-Rath]

you're right that we don't need the condition for the disabled section, but we do need it for the enabled section otherwise the preset name itself will end up being added as an extractor

[another-rex]

Ah makes sense.

[another-rex]

nit: Personally think it's clearer to add all the enabledExtractors in a set, then loop through all the disabled extractors to disable them, then convert to slice.

[another-rex]

nit: slices.Concat can be used here. I think that means we can get rid of the [][]string and just have a single [] and have the caller call slices.Concat themselves.

[another-rex]

This makes me realize that this might just be a bug at the moment, I don't think I intended skip root git to also skip subdirectories as well, but at the same time I guess we currently have no flags to disable skipping submodule scanning before this PR is landed.

Now that we do have a way to disable it, can you change this to also scan submodules? (We definitely should mention this behavior change in our changelog.

[G-Rath]

Yeah I was going to talk to you about that + the wider "we should probably make our extractors public in some way"

if it's ok with you, I'd like to leave our extractors alone in this PR and change them as a follow-up so that they've got their own changelog entries

[another-rex]

yep that sounds good

[G-Rath]

As for passing extractors as types directly into the DoScan function, this does mean we'll have to make all the extractors public right? I'm not sure we want to do that in this repo, and probably will have to migrate it into OSV-Scalibr.

Yes, but that shouldn't need to happen right away because you can archive the existing functionality by just not passing in any extractors - so anyone wanting to use just those extractors specifically would already need to make a feature request to have them extracted out; in the meantime, people wanting to use our extractors and their own extractors should be able to double-call the library

(remember too this is all currently experimental, so that fits nicely I think)

[G-Rath]

this is a very initial start of a doc, which has ended up being mainly just a capturing of what I think are key things for us to dive into as I realized while this PR does do what we want, there's at least a couple of key changes we should make around it like cleaning up our private extractors and having all extractors run (aka merge the lockfiles, directories, and sboms presets) which would make this documentation much simpler.

on an aside, I've added this in a manner that leverages Jekyell more (notably using subdirectories to imply the subpath) which we might like to actually do - if so I can do a restructure PR but want to check we actually like moving away from a flat structure

[another-rex]

Let's mark this page as hidden for now to get the logic merged in (I think function wise it's still mostly the same right? (if they just don't enable/disable extractors), and once we clean up how our different flags work we can re-enable it.

[G-Rath]

I wrote this as part of working on the docs as I realized our current way of doing presets.go is very opaque, so I think it might be better if we generate them as strings so that tools and humans can look at the file statically to figure out the actual names of extractors.

I have run it locally to confirm it works, but have not committed the result since we need to talk about the broader picture first

[another-rex]

LGTM, let's get this merged in as it is, and we can work on a few of the followup things:

• go generate for generating a list of available plugins
• Cleanup SBOM flags
• Add docs
• skip git behavior

[another-rex]

Let's mark this page as hidden for now to get the logic merged in (I think function wise it's still mostly the same right? (if they just don't enable/disable extractors), and once we clean up how our different flags work we can re-enable it.

[another-rex]

Ah makes sense.

[G-Rath]

@another-rex I've removed both the doc and generator files for now - they're captured by GitHub in this PRs history so they'll be easy to bring back