feat: hide unimportant vulns by default

[hogo6002]

Resolves #1968

Hides unimportant/uncalled vulns by default, and adds a --all-vulns flag to show all.
Returns 0 if only unimportant vulns.
Add an ignorePacakge filter to DoContainerScan()

[codecov-commenter]

Codecov Report

Attention: Patch coverage is 81.81818% with 12 lines in your changes missing coverage. Please review.

Project coverage is 65.41%. Comparing base (8355068) to head (1989126).
Report is 3 commits behind head on main.

Files with missing lines	Patch %	Lines
cmd/osv-reporter/main.go	0.00%	9 Missing ⚠️
cmd/osv-scanner/scan/image/command.go	0.00%	0 Missing and 1 partial ⚠️
cmd/osv-scanner/scan/source/command.go	0.00%	0 Missing and 1 partial ⚠️
internal/reporter/vertical_reporter.go	0.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1970      +/-   ##
==========================================
+ Coverage   65.37%   65.41%   +0.04%     
==========================================
  Files         176      176              
  Lines       17180    17206      +26     
==========================================
+ Hits        11231    11256      +25     
- Misses       5187     5189       +2     
+ Partials      762      761       -1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[G-Rath]

Is there a reason why you've gone with a flag vs adding support for this as a config option? as the latter sounds like it would address the reason behind #1968. Not saying it's wrong, just keen to hear a bit more about the offline discussions that have happened on this before I review.

fwiw I'm also a little hesitant on having this be the default, but that might just be because I work in languages that don't have call analysis and the idea is it'll be far more mainstream in future? (I'm use to dealing with security frameworks that say "all vulns must be patched" which without CA means truly patching anything that gets called a vuln by an advisory...)

[hogo6002]

Is there a reason why you've gone with a flag vs adding support for this as a config option?

I think we should add both.
The idea here is to first add a flag to provide a quick solution to this issue, which allows users to enable or disable all unimportant/uncalled vulnerabilities. Then, for each specific ecosystem or package, we can support a config option that allows users to override.
I will make a second PR to adjust the exit code. The exit code should match the final output. If no vulnerabilities are printed, we should exit with zero.

[another-rex]

@G-Rath Just want to understand what you meant by:

fwiw I'm also a little hesitant on having this be the default, but that might just be because I work in languages that don't have call analysis and the idea is it'll be far more mainstream in future?

I think this PR will have no effect on those languages right? As there won't be CA to mark vulns as unimportant, so there won't be any change.

[G-Rath]

Right now there isn't CA but the goal is to have that for as many languages as possible ay? it might be (a lot) harder for some languages than others to the point that it could take decades but the goal is still to have it is my understanding.

I think my feelings on this are due to uncertainty in the confidence of the CA - similar to how there are tools for detecting "secrets" in code that are literally just searching for the word "secret" in variable names; what if someone starts shipping a CA for a new language that is similar but maybe a bit smarter than that? with this being the default that means suddenly a bunch of vulns are no longer being signaled to me because some persons grep doesn't find any references to the function name?

But I think that's actually already accounted for by us humans doing the building - yes what I've said is technically possible, but in practice we'd decide that that CA isn't reliable enough yet to "trust" with being used in this context as a default and so wouldn't adopt it; and likewise I expect as we got closer to having CA in a new language we'd consider how it gets rolled out including "whats the confidence" and probably use an experimental flag for a bit, and so on.

so tl;dr happy to discuss my feelings more but I don't think it needs to be a blocker to making this a default 🙂

[another-rex]

I think we should at least print a line "Hiding X number of vulnerabilities deemed unimportant, use --all-vulnsto show them." if there are unimportant vulns so at least they are not silently dropped. Other wise LGTM

[hogo6002]

I think we should at least print a line "Hiding X number of vulnerabilities deemed unimportant, use --all-vulnsto show them." if there are unimportant vulns so at least they are not silently dropped. Other wise LGTM

Added this message into table container view and vertical output. I will add it to the regular table output after we replace it with internal structure (#1609).