Trivy vulnerability scanning

[hamistao]

This adds two jobs to our workflows. One uses Trivy to scan LXD's dependencies and the other scans the snap.

[hamistao]

This shows how the alerts are shown in the security page (those alerts shown are false positives and can be closed as such after this is merged).

@simondeziel @tomponline Notice how it is possible to filter the alerts by tool. Unfortunately, since GitHub does not support setting custom filters for alerts and we do not use tags nor branches to mark the versions used in each snap channel, we can't filter alerts from each snap channel scan easily.
An alternative would be to include snap scanning in lxd-pkg-snap, include each snap channel scan in its respective branch and filter by branch. I am open to suggestion on how to better handle this.

[tomponline]

An alternative would be to include snap scanning in lxd-pkg-snap, include each snap channel scan in its respective branch and filter by branch. I am open to suggestion on how to better handle this.

Lets check its actually working on the snap scan first, we need to confirm its actually recognising the deps inside the snap.

[hamistao]

Another image showing some alerts from the snap scanner (these alerts are fixed on latest channels)

[tomponline]

Another image showing some alerts from the snap scanner (these alerts are fixed on latest channels)

why dont we set it up in each one of our source branches on this repo, but targeting <series>/stable as its the stable snaps we are interested most in.

[hamistao]

why dont we set it up in each one of our source branches on this repo, but targeting /stable as its the stable snaps we are interested most in.

Works for me! Another option would also be appending the channel in the beginning of the alert name. For example: 5.0/stable - PyYAML: Incomplete fix for CVE-2020-1747. That said, searching for branch should be simpler so I would still prefer the option of using the branches.

[tomponline]

why dont we set it up in each one of our source branches on this repo, but targeting /stable as its the stable snaps we are interested most in.

Works for me! Another option would also be appending the channel in the beginning of the alert name. For example: 5.0/stable - PyYAML: Incomplete fix for CVE-2020-1747. That said, searching for branch should be simpler so I would still prefer the option of using the branches.

can you do that too so its clear its coming from a snap alert

[tomponline]

Ready for review?

[hamistao]

@tomponline Now it is!

Example of alerts for the snap scanner, the repo scanner alerts are the same.

[hamistao]

One more image to ilustrate one particular behavior, if more than one version has the same vulnerability, the most recent is shown in the alert title, I believe this is because the alert ID is the same so the title should stay constant across branches. They are still filtered by branch and have the indicator on the side so in my view this doesn't hurt the UX.

[tomponline]

Does the repo scan generate the vuln cache dir? If so can we get it to update the cache when it finishes and then have the snap task depend on it?

[hamistao]

Does the repo scan generate the vuln cache dir? If so can we get it to update the cache when it finishes and then have the snap task depend on it?

Yes, we can!

[hamistao]

@tomponline @simondeziel Requested changes made

Updated alerts above

[tomponline]

do we need to provide this line at all?

[hamistao]

I also find it confusing but I get an error if I don't provide both sha and ref. The error explicitly says both are needed here.

[tomponline]

can parse the version from the snap somehow, and use the ref of the associated tag perhaps?

[hamistao]

I will try and see if I can get something like this working

[hamistao]

The PRs for microcloud and microcluster will be ready soon.