This repository has been archived by the owner on Jun 21, 2022. It is now read-only.

feat: Analyzer for user defined packages. #137

Open
wants to merge 1 commit into
base: main

Conversation

Johannestegner
Contributor

Hi there!
When building docker images, I often build most of the software from source instead of downloading it from a package registry.
Looking at issues like aquasecurity/trivy#481 in the Trivy repository makes me think that I'm not alone.

This pull request contains a simple analyzer which adds packages to scan from a json file (currently named /etc/manifest.trivy, open for better naming!). The json file uses the types.Package in types/image.go as the resource in the decoder, although it only requires the name and version to work.

I added a test for it in the analyzer_test.go file, and could not find more tests that test the analyzers; please let me know (if the PR is wanted) if I missed anything when it comes to the tests!

The new analyser works on `manifest.trivy` files (name up for debate!)
and adds packages from it.
The manifest file is a json file with a single array; each object in the
array can contain any data that the types.Package object has, only
name and version are _required_ though.

Signed-off-by: Johannes Tegnér <johannes@jitesoft.com>
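As an added illustration of the manifest format the description above lays out (example code, not the PR's own analyzer): a decoder that accepts a top-level JSON array of package objects and rejects any entry missing the two required fields. The Package struct is a minimal stand-in for fanal's types.Package and the sample manifest is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Package is a minimal stand-in for fanal's types.Package (assumption: only the
// fields this example needs are modelled; the real struct carries more).
type Package struct {
	Name    string `json:"name"`
	Version string `json:"version"`
	Release string `json:"release,omitempty"`
}

// sampleManifest is a constructed /etc/manifest.trivy: a single JSON array whose
// objects may carry any types.Package field, but must carry name and version.
const sampleManifest = `[
  {"name": "php8", "version": "8.0.0_rc2-r0"},
  {"name": "openssl", "version": "1.1.1g", "release": "r0", "arch": "x86_64"}
]`

// ParseManifest decodes the manifest and enforces the name/version requirement.
// Decoding into a slice makes a top-level object (rather than an array) an error,
// and each entry is checked so a malformed manifest cannot add an empty package
// that would silently match nothing in the vulnerability database.
func ParseManifest(data []byte) ([]Package, error) {
	var pkgs []Package
	if err := json.Unmarshal(data, &pkgs); err != nil {
		return nil, fmt.Errorf("manifest.trivy: invalid JSON array: %w", err)
	}
	for i, p := range pkgs {
		if p.Name == "" || p.Version == "" {
			return nil, fmt.Errorf("manifest.trivy: entry %d: name and version are required", i)
		}
	}
	return pkgs, nil
}

func main() {
	pkgs, err := ParseManifest([]byte(sampleManifest))
	if err != nil {
		panic(err)
	}
	for _, p := range pkgs {
		fmt.Printf("%s %s\n", p.Name, p.Version)
	}
}
```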
@CLAassistant

CLAassistant commented Oct 4, 2020

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.

@@ -0,0 +1,4 @@
[
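Review bot: this fixture is a new 4-line file whose only visible line is the opening `[` of a top-level JSON array, i.e. the happy-path manifest; since the description states that name and version are the only required fields, consider adding a second fixture (or a case in analyzer_test.go) with an entry that omits version, so the decoder's rejection of a malformed manifest is covered and not just the success path.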

I would suggest making this file csv or yaml format, so you can append more easily than with json, wdyt?

Contributor Author


Aye, that is a sane thought, not sure why I went with JSON to be honest, hehe.
Will update that in a bit (after kids are in bed ;) )

Contributor Author


Will have to look a bit deeper into this, it seems like there is no native yaml support, and doesn't feel right to add a new dependency for this tiny feature... I'll figure something out, and I still agree with you that JSON is not the perfect format :)

@masahiro331
Collaborator

masahiro331 commented Oct 18, 2020

I think it's a great idea!
Trivy needs to determine which OS package or which application.
And Trivy needs to select a Driver during vulnerability detection.

e.g.
https://github.com/aquasecurity/trivy/blob/master/pkg/detector/library/driver.go#L29-L47
https://github.com/aquasecurity/trivy/blob/master/pkg/detector/ospkg/detect.go#L59-L86

In the case of static filenames, it is difficult to sort out the driver.
I find it difficult to sort out the drivers if the file names are common.

So, I think we need to give unique names, e.g. csharp.trivy for C#, java.trivy for Java, and so on.

@Johannestegner
Contributor Author

I think that the most useful thing for it is to look for vulnerabilities in built applications (it will of course require the user to specify the packages with the correct name for the OS distribution, e.g. php8 - 8.0.0_rc2-r0, but imho that is quite alright), but making it possible to use the package drivers as well is not a bad idea at all, and I'll look at getting that in too :)

@knqyf263 knqyf263 changed the base branch from master to main December 17, 2020 13:22
@netrounds-fredrik

This is related to the feature request aquasecurity/trivy#293.

> Trivy needs to determine which OS package or which application.
> And Trivy needs to select a Driver during vulnerability detection.

Regarding what information that the manifest files need to contain, shouldn't it be the same information as passed to the trivy server API (https://github.com/aquasecurity/trivy/blob/master/rpc/detector/service.proto)?
