
Feat: Support Trivy status filtering #844

Merged

Conversation

inFocus7
Contributor

@inFocus7 inFocus7 commented Aug 29, 2023

What this PR does / why we need it:
Adds ability to filter by image vulnerability status through a new field ignoredStatuses in components.scanner.config.
https://aquasecurity.github.io/trivy/v0.44/docs/configuration/filtering/#by-status

Which issue(s) this PR fixes (optional, using fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when the PR gets merged):
Fixes #821

Special notes for your reviewer:
Still needs to be (manually) end-to-end tested. Have only "verified" it works based on logic and the small test for the config, but have not done any manual verification.

Manual Verification Steps

Install Eraser with updated scanner

  1. kind create cluster
  2. make docker-build-trivy-scanner TRIVY_SCANNER_IMG=eraser-trivy-scanner:dev
  3. kind load docker-image eraser-trivy-scanner:dev
  4. helm upgrade --install eraser charts/eraser --values override.yaml (seen below)

Test Eraser with vulnerable image

  1. docker pull docker.io/library/alpine:3.7.3 (pulling vulnerable image)
  2. docker exec -ti kind-control-plane bash
  3. crictl images (in the bash)
  4. kind load docker-image alpine:3.7.3
    • Repeat this while updating the override.yaml and doing helm upgrade --install eraser charts/eraser --values override.yaml to see it taking effect.
    • When fixed is an ignored status, the image does not get deleted. When we don't ignore it, it gets deleted (as expected). That alpine image only has a single CRITICAL - fixed vuln.

override.yaml

runtimeConfig:
  manager:
    scheduling:
      repeatInterval: "1s"
  components:
    collector:
      enabled: true
      image:
        tag: "v1.2.1"
    scanner:
      enabled: true
      image:
        repo: "docker.io/library/eraser-trivy-scanner"
        tag: "dev"
      config: |
         cacheDir: /var/lib/trivy
         dbRepo: ghcr.io/aquasecurity/trivy-db
         deleteFailedImages: false
         deleteEOLImages: false
         vulnerabilities:
           ignoreUnfixed: false
           types:
             - os
             - library
           securityChecks:
             - vuln
           severities:
             - CRITICAL
           ignoredStatuses:
             - fixed
    remover:
      image:
        tag: "v1.2.1"

deploy:
  image:
    repo: ghcr.io/eraser-dev/eraser-manager
    pullPolicy: IfNotPresent
    tag: "v1.2.1"

Signed-off-by: Fabian Gonzalez <fabiangonz98@gmail.com>
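To make concrete what the ignoredStatuses setting in the override.yaml above does to the delete decision, here is an added example (not Eraser's or Trivy's own code; the types, field names and CVE ids are hypothetical): findings are dropped first by severity, then by status, and an image is only marked for removal when something survives both filters.

```go
package main

import (
	"strings"
)
// Vulnerability holds the fields of a scanner finding the filter needs (hypothetical type).
type Vulnerability struct {
	ID       string
	Severity string // e.g. CRITICAL, HIGH
	Status   string // Trivy status, e.g. fixed, affected, will_not_fix
}

// FilterConfig mirrors the vulnerabilities: section of the override.yaml above (assumed shape).
type FilterConfig struct {
	Severities      []string
	IgnoredStatuses []string
}

func contains(list []string, v string) bool {
	for _, s := range list {
		if strings.EqualFold(s, v) {
			return true
		}
	}
	return false
}

// ReportableVulns keeps a finding only if its severity is selected (an empty list selects all)
// and its status is not listed in ignoredStatuses.
func ReportableVulns(cfg FilterConfig, vulns []Vulnerability) []Vulnerability {
	var kept []Vulnerability
	for _, v := range vulns {
		if len(cfg.Severities) > 0 && !contains(cfg.Severities, v.Severity) {
			continue
		}
		if contains(cfg.IgnoredStatuses, v.Status) {
			continue
		}
		kept = append(kept, v)
	}
	return kept
}

// ShouldRemove is true when at least one reportable finding remains for the image.
func ShouldRemove(cfg FilterConfig, vulns []Vulnerability) bool {
	return len(ReportableVulns(cfg, vulns)) > 0
}
```

With a constructed stand-in for the alpine:3.7.3 case (one CRITICAL finding with status fixed), ShouldRemove is true with no ignored statuses and false once fixed is ignored, matching the behaviour described in the verification steps.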
@inFocus7 inFocus7 force-pushed the feat/support-trivy-status-filtering branch from 7896ebf to 27aea68 Compare August 30, 2023 03:27
@salaxander
Contributor

@inFocus7 Thank you for the contribution! :)

@sozercan sozercan requested a review from pmengelbert August 30, 2023 21:49
@inFocus7 inFocus7 marked this pull request as ready for review August 30, 2023 21:59
@ashnamehrotra
Contributor

Looks like helm pull secret test was failing due to PodTemplate not found error which we fixed recently. Tests pass after rebase.


@ashnamehrotra ashnamehrotra left a comment


LGTM after rebase

@inFocus7
Contributor Author

@ashnamehrotra Thanks! It looks like some checks failed, not sure if they were flakes though

@ashnamehrotra
Contributor

@inFocus7 I think they may be flakes. I cannot re-run the failed tests, would you be able to do that again so we can check?

@sozercan
Member

@inFocus7 I can't seem to re-run tests either, checking if closing and re-opening resolves this

@sozercan sozercan closed this Nov 28, 2023
@sozercan sozercan reopened this Nov 28, 2023
@inFocus7
Contributor Author

inFocus7 commented Nov 28, 2023

@sozercan @ashnamehrotra Thanks all!

So it looks like they were flakes; there are just two failing checks now.

  1. Trivy fails due to CVE in kubernetes, requiring an upgrade.
  2. Linting fails due to dot imports in controller/suite_test.go.
    • Unsure if this is a new check failure, although the dot imports have existed for months/years.
    • Should I update the test to use the named imports (gomega.<...>, ginkgo.<...>)?

@ashnamehrotra
Contributor

@inFocus7 made those changes in #917! Once that is merged we should be good to rebase. There are still vulns in the trivy binary which we can ignore for now since we cannot fix those.

@ashnamehrotra ashnamehrotra merged commit 8fbd155 into eraser-dev:main Nov 29, 2023
170 of 171 checks passed
@inFocus7
Contributor Author

🥳

ashnamehrotra pushed a commit to ashnamehrotra/eraser that referenced this pull request Jan 25, 2024
Signed-off-by: Fabian Gonzalez <fabiangonz98@gmail.com>
Co-authored-by: Sertaç Özercan <852750+sozercan@users.noreply.github.com>
Signed-off-by: ashnamehrotra <ashnamehrotra@gmail.com>

Successfully merging this pull request may close these issues.

support for trivy status
4 participants