
feat: add modular scanners #261

Merged: 11 commits, Oct 16, 2023

Conversation

@anubhav06 (Contributor) commented Aug 21, 2023

Added support for modular scanners.

Closes #59

Overview

  • Trivy remains the default scanner.
  • If someone wants to use vulnerability data from other scanners, they can utilize plugins.
  • Plugins can be written to use vulnerability data from other scanners. The plugin is an executable binary and must be available on the $PATH for copa to execute.
  • The command which can be used to invoke a plugin is as follows:
copa patch --scanner copa-grype -i docker.io/library/nginx:1.21.6 -r nginx.1.21.6.json -t nginx.1.21.6-patched

How does it Work?

  • The plugin takes the image vuln report path as an argument.
  • The plugin then parses the report and outputs in a format supported by copa (Update Manifest struct)
  • Copa executes the plugin specified by the user and captures the plugin's output, thereby obtaining the required updates. It then simply passes this information on to the copa patching process.

How to Test?

  • Build the copa-grype plugin to produce a binary called copa-grype
  • Then execute copa (this version of the PR) with the following command:
copa patch --scanner /path/to/copa-grype -i <image> -r <grype-results>

After adding the copa-grype binary to PATH:
[screenshot: copa patch run with the copa-grype binary on PATH; image not reproduced]

codecov bot commented Aug 21, 2023

Codecov Report

Attention: 52 lines in your changes are missing coverage. Please review.

Comparison is base (d514256) 32.50% compared to head (bdcacab) 33.02%.

Additional details and impacted files
@@            Coverage Diff             @@
##             main     #261      +/-   ##
==========================================
+ Coverage   32.50%   33.02%   +0.51%     
==========================================
  Files          17       17              
  Lines        1572     1626      +54     
==========================================
+ Hits          511      537      +26     
- Misses       1032     1060      +28     
  Partials       29       29              
Files Coverage Δ
pkg/vex/openvex.go 88.88% <100.00%> (ø)
pkg/vex/vex.go 78.57% <100.00%> (ø)
pkg/patch/cmd.go 48.88% <50.00%> (+0.05%) ⬆️
pkg/buildkit/buildkit.go 0.00% <0.00%> (ø)
pkg/pkgmgr/apk.go 51.49% <33.33%> (ø)
pkg/report/trivy.go 78.43% <89.47%> (+2.11%) ⬆️
pkg/pkgmgr/dpkg.go 33.21% <70.00%> (ø)
pkg/pkgmgr/rpm.go 33.76% <57.14%> (ø)
pkg/pkgmgr/pkgmgr.go 12.98% <0.00%> (ø)
pkg/patch/patch.go 6.03% <0.00%> (-0.33%) ⬇️
... and 1 more


Signed-off-by: Anubhav Gupta <mail.anubhav06@gmail.com>
@anubhav06 anubhav06 changed the title draft modular scanners feat: add modular scanners Oct 3, 2023
@anubhav06 anubhav06 marked this pull request as ready for review October 3, 2023 06:05
@anubhav06 (Contributor Author):

The owner in https://github.com/anubhav06/copa-grype will need to be changed from anubhav06 to project-copacetic

@sozercan (Member) commented Oct 3, 2023

> The owner in anubhav06/copa-grype will need to be changed from anubhav06 to project-copacetic

@anubhav06 This is the motivation of the modular scanners so we don't have to (unless we want to officially support an integration). However, we should add a doc to document existing integrations (example: https://open-policy-agent.github.io/gatekeeper/website/docs/externaldata#providers-maintained-by-the-community)

Looks like there are a few conflicts now, can you please resolve them?

@@ -21,7 +23,36 @@ type ScanReportParser interface {
Parse(string) (*types.UpdateManifest, error)
}

func TryParseScanReport(file string) (*types.UpdateManifest, error) {
func TryParseScanReport(file, scanner string) (*types.UpdateManifest, error) {
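Review bot: the new scanner parameter on TryParseScanReport(file, scanner string) gets no doc comment, and the ScanReportParser interface just above it still only declares Parse(string), so a caller reading the signature cannot tell what scanner accepts; document here that an empty value selects the built-in Trivy parser and any other value is the name of an executable that copa looks up on $PATH and runs (as the PR description states), since this is the point where a user-supplied string selects a binary to execute, and consider stating the same on the interface's Parse method.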
@sozercan (Member) Oct 3, 2023

can you add a test provider (you can use/reference existing trivy code) and make sure to add e2e tests for testing this integration

@anubhav06 (Contributor Author) Oct 4, 2023

just to confirm, I should add a provider file similar to https://github.com/open-policy-agent/gatekeeper/blob/master/test/externaldata/dummy-provider/provider.go right? sorry if this is a silly question as I'm new to test providers

@sozercan (Member) Oct 4, 2023

no worries! we don't need the same or similar code (just the concept). if we can turn trivy into a test provider without duplicating code, i think that would be ideal so we can make sure to test the provider call flow.

@anubhav06 (Contributor Author):

can you please check my new commits regarding tests, is it what is expected?

@sozercan (Member):

yes! this is great for now. we can do a follow up to integrate https://github.com/project-copacetic/scanner-parser-template/ to test success cases into e2e

as a follow up, we'll need:

@anubhav06 (Contributor Author):

@sozercan in order to go install, we will need a release of the scanner-plugin-template, right?
We can also install using something like:

curl -sfL https://github.com/project-copacetic/scanner-plugin-template/releases/download/v${SCANNER_PLUGIN_TEMPLATE_VERSION}/scanner-plugin-template_${SCANNER_PLUGIN_TEMPLATE_VERSION}_Linux-64bit.tar.gz -o scanner-plugin-template.tar.gz
sudo tar -zxvf scanner-plugin-template.tar.gz -C /usr/local/bin/
rm scanner-plugin-template.tar.gz

similar to how other tools are installed in the copa CI, however even that would require a release of the fake-plugin.

@sozercan (Member) commented Oct 4, 2023

@anubhav06 looks like this is not working for me

export IMAGE=docker.io/library/nginx:1.21.6
copa patch -i $IMAGE -r grype.json --scanner copa-grype
Error: error parsing scanner output: invalid character 'E' looking for beginning of value

I ran grype (v0.69.1) with

grype $IMAGE -o json --file grype.json

seems like descriptor.name is empty?

 "descriptor": {
  "name": "",

Review threads (outdated, resolved): pkg/report/report.go, pkg/patch/cmd.go, pkg/report/report.go
@anubhav06 (Contributor Author):

> @anubhav06 This is the motivation of the modular scanners so we don't have to (unless we want to officially support an integration). However, we should add a doc to document existing integrations (example: https://open-policy-agent.github.io/gatekeeper/website/docs/externaldata#providers-maintained-by-the-community)

Oh ok understood. That's interesting. I'll add the docs as well, once this PR is complete and merged.

@anubhav06 (Contributor Author) commented Oct 4, 2023

> @anubhav06 looks like this is not working for me

This is because in the new version of grype (v0.69.1) which you are using, it seems they have removed "grype" from descriptor.name. I had tested this with v0.64.2; in that version descriptor.name used to have the value "grype".

It's strange that they removed this in the new version. I'll look into it and get back with a solution 👍

Update:
I checked with the team on slack and they say this isn't intentional. I've opened a bug report on grype for it anchore/grype#1538 and it should be fixed soon.
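The plugin contract from the PR description (the plugin receives the report path, prints an update manifest as JSON on stdout, and copa runs the executable and captures that output), together with the failure mode discussed above (descriptor.name empty in grype v0.69.1, and plugin error text arriving where copa expects JSON), as one added example in Go. This is not copa's or copa-grype's code: the UpdateManifest field set, the subset of grype's report layout it reads, the behaviour of rejecting a report whose descriptor.name is not "grype", and the sample report are assumptions or constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"os/exec"
	"strings"
)

// UpdateManifest is the JSON a plugin prints on stdout; the field set is an assumption, not copa's exact struct.
type UpdateManifest struct {
	OSType, OSVersion string
	Updates           []UpdatePackage
}
type UpdatePackage struct{ Name, InstalledVersion, FixedVersion, VulnerabilityID string }

// The parts of grype's JSON this plugin reads; encoding/json matches field names case-insensitively.
type grypeReport struct {
	Matches []struct {
		Vulnerability struct {
			ID  string
			Fix struct{ Versions []string; State string }
		}
		Artifact struct{ Name, Version string }
	}
	Distro     struct{ Name, Version string }
	Descriptor struct{ Name string }
}

// Hand-written sample in grype's layout; package names, versions and IDs are made up for the example.
const constructedReport = `{
 "matches": [
  {"vulnerability": {"id": "CVE-0000-0001", "fix": {"versions": ["1.1.1n-0+deb11u5"], "state": "fixed"}}, "artifact": {"name": "libssl1.1", "version": "1.1.1k-1+deb11u1"}},
  {"vulnerability": {"id": "CVE-0000-0002", "fix": {"versions": ["1:1.2.11.dfsg-2+deb11u2"], "state": "fixed"}}, "artifact": {"name": "zlib1g", "version": "1:1.2.11.dfsg-2"}},
  {"vulnerability": {"id": "CVE-0000-0003", "fix": {"versions": [], "state": "not-fixed"}}, "artifact": {"name": "libc6", "version": "2.31-13+deb11u5"}}
 ],
 "distro": {"name": "debian", "version": "11"},
 "descriptor": {"name": "grype", "version": "0.64.2"}
}`

// Plugin side: refuse reports that do not identify as grype (the empty descriptor.name above) and keep only matches with a fix.
func ParseGrypeReport(data []byte) (*UpdateManifest, error) {
	var r grypeReport
	if err := json.Unmarshal(data, &r); err != nil {
		return nil, fmt.Errorf("report is not valid JSON: %w", err)
	}
	if r.Descriptor.Name != "grype" {
		return nil, fmt.Errorf("report descriptor.name is %q, expected \"grype\"", r.Descriptor.Name)
	}
	m := &UpdateManifest{OSType: r.Distro.Name, OSVersion: r.Distro.Version}
	for _, mt := range r.Matches {
		if fix := mt.Vulnerability.Fix; fix.State == "fixed" && len(fix.Versions) > 0 {
			m.Updates = append(m.Updates, UpdatePackage{mt.Artifact.Name, mt.Artifact.Version, fix.Versions[0], mt.Vulnerability.ID})
		}
	}
	return m, nil
}

// Host side: stdout must be JSON; if the plugin printed an error there, json alone says
// "invalid character 'E' looking for beginning of value", so add the plugin's own first line.
func DecodePluginOutput(stdout, stderr []byte) (*UpdateManifest, error) {
	var m UpdateManifest
	if err := json.Unmarshal(stdout, &m); err != nil {
		said, _, _ := strings.Cut(strings.TrimSpace(string(stdout)+"\n"+string(stderr)), "\n")
		return nil, fmt.Errorf("error parsing scanner output: %v; plugin said: %q", err, said)
	}
	return &m, nil
}

// Host side: resolve the scanner on $PATH (a name containing a slash is used as-is) and run it with
// the report path; Output() keeps stderr apart from stdout, so error text never reaches the decoder.
func RunPlugin(scanner, reportPath string) (*UpdateManifest, error) {
	bin, err := exec.LookPath(scanner)
	if err != nil {
		return nil, fmt.Errorf("scanner plugin %q: %w", scanner, err)
	}
	stdout, runErr := exec.Command(bin, reportPath).Output()
	var stderr []byte
	if ee, ok := runErr.(*exec.ExitError); ok {
		stderr = ee.Stderr
	}
	return DecodePluginOutput(stdout, stderr)
}

// Plugin entry point: copa runs `<binary> <report.json>`; with no argument the constructed sample is
// parsed instead so the example runs stand-alone. Errors go to stderr, never to stdout.
func main() {
	data, err := []byte(constructedReport), error(nil)
	if len(os.Args) > 1 {
		data, err = os.ReadFile(os.Args[1])
	}
	var m *UpdateManifest
	if err == nil {
		m, err = ParseGrypeReport(data)
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, "Error:", err)
		os.Exit(1)
	}
	json.NewEncoder(os.Stdout).Encode(m)
}
```

`go run main.go` prints the manifest for the constructed report; `go run main.go grype.json` makes the binary behave as a plugin, and a build of it placed on $PATH is what a `--scanner` value would name. Two things worth noting: RunPlugin accepts a manifest even when the plugin exited non-zero after writing valid JSON, which host code in copa would want to reject; and because `--scanner` names an executable that copa runs during patching, treat a plugin like any other binary admitted to the build, pinning a release and checking its checksum before putting it on $PATH, or pointing copa at an absolute path as the PR description's test command does.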

Signed-off-by: Anubhav Gupta <mail.anubhav06@gmail.com>
Signed-off-by: Anubhav Gupta <mail.anubhav06@gmail.com>
…into modular-scanners

Signed-off-by: Anubhav Gupta <mail.anubhav06@gmail.com>
@anubhav06 (Contributor Author) commented Oct 5, 2023

For testing:

  1. Download the newer version of copa-grype: https://github.com/anubhav06/copa-grype
  2. Add "grype" to descriptor.name field of your grype output. (until the grype bug is fixed)

Update: The grype bug is fixed and there should be a new release of grype soon

Signed-off-by: Anubhav Gupta <mail.anubhav06@gmail.com>
@sozercan sozercan self-requested a review October 5, 2023 22:48
Review thread (outdated, resolved): pkg/report/provider.go
@sozercan (Member) left a review:

see comment

Review thread (outdated, resolved): pkg/report/report.go
Signed-off-by: Anubhav Gupta <mail.anubhav06@gmail.com>
Signed-off-by: Anubhav Gupta <mail.anubhav06@gmail.com>
Signed-off-by: Anubhav Gupta <mail.anubhav06@gmail.com>
@sozercan sozercan self-requested a review October 11, 2023 15:59
Signed-off-by: Sertac Ozercan <sozercan@gmail.com>
@sozercan (Member):

@anubhav06 sorry for delay, we had a few CI blockers! i pushed a minor update to your PR so we can get this merged asap, hope that's okay

@sozercan (Member) left a review:

LGTM pending tests

@sozercan sozercan merged commit 4eacf06 into project-copacetic:main Oct 16, 2023
16 checks passed
@sozercan (Member):

@anubhav06 merged, thank you!

Labels: none yet
Projects: Status: Done
Development: successfully merging this pull request may close these issues: [REQ] modular scanners
2 participants