feat(report): output plugin

[knqyf263]

Description

This PR adds support for output plugins.

$ trivy plugin install <plugin_url>
$ trivy <target> [--format <format>] --output plugin=<plugin_name> [--output-plugin-arg <plugin_args>] <target_name>

Examples

$ trivy plugin install github.com/aquasecurity/trivy-output-plugin-count
$ trivy image -f json -o plugin=count --output-plugin-arg "--publish-after 2023-10-01" debian:12

trivy image -f json -o plugin=webhook --output-plugin-arg "--url=http://localhost:8080" debian:12

trivy image -f cyclonedx -o plugin=referrer --output-plugin-arg "put --insecure" debian:12

Related issues

• Close plugin as output option #4860

Checklist

• I've read the guidelines for contributing to this repository.
• I've followed the conventions in the PR title.
• I've added tests that prove my fix is effective or that my feature works.
• I've updated the documentation with the relevant information (if needed).
• I've added usage information (if the PR introduces new options)
• I've included a "before" and "after" example to the description (if the PR is a user interface change).

[knqyf263]

@itaysk After all, I added another flag to take the plugin arguments as is, like --output-plugin-arg "put --insecure" (see the examples above). Please let me know if you have any feedback.

[DmitriyLewen]

I left few small comments.

Also i found 1 case:
We don't stop Trivy, if plugin argument is invalid:

➜  trivy git:(output_plugin) ✗ ./trivy image --format json --output plugin=count --output-plugin-arg "--published-afterrrrr 2022-10-01" debian:12
...
flag provided but not defined: -published-afterrrrr
Usage of /Users/work/.trivy/plugins/count/count:
  -published-after string
        take vulnerabilities published after the specified timestamp (ex. 2019-11-04)
  -published-before string
        take vulnerabilities published before the specified timestamp (ex. 2019-11-04)

[itaysk]

IMO it's worth adding at least the kind: output field to the plugin yaml, to differentiate output plugins from other plugins. we don't need to implement anything with it, but it can serve us in the future for things like discovery (find me an output plugin for html), error handling (user tried to use an output plugin as an execution plugin), improve ux and more.

[knqyf263]

We don't stop Trivy, if plugin argument is invalid:

Do you mean we should exit early? Any ideas on implementation?

[knqyf263]

IMO it's worth adding at least the kind: output field to the plugin yaml, to differentiate output plugins from other plugins. we don't need to implement anything with it, but it can serve us in the future for things like discovery (find me an output plugin for html), error handling (user tried to use an output plugin as an execution plugin), improve ux and more.

I'm supposed to do that in another PR.

[DmitriyLewen]

Do you mean we should exit early? Any ideas on implementation?

No. Trivy simply freezes when plugin returns error (e.g. wrong flag or incorrect data format).

I checked this case and found a pattern:
cmd waits when we read os.stdin (if i understand correctly Pipe reader blocks channel and cmd can't finish work without closing this channel.)

e.g. i moved json decoding for trivy-output-plugin-count to the beginning of the run function:

	var report types.Report
	if err := json.NewDecoder(os.Stdin).Decode(&report); err != nil {
		return err
	}

	publishedBefore := flag.String("published-before", "", "take vulnerabilities published before the specified timestamp (ex. 2019-11-04)")
	publishedAfter := flag.String("published-after", "", "take vulnerabilities published after the specified timestamp (ex. 2019-11-04)")
	flag.Parse()
...

In this case Trivy works correctly:

➜  trivy git:(output_plugin) ✗ ./trivy image --format json --output plugin=count --output-plugin-arg "--published-after 20222-10-01" debian:12
2023-11-30T12:00:14.895+0600    INFO    Vulnerability scanning is enabled
2023-11-30T12:00:14.895+0600    INFO    Secret scanning is enabled
2023-11-30T12:00:14.895+0600    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-11-30T12:00:14.895+0600    INFO    Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret/#recommendation for faster secret detection
2023-11-30T12:00:22.221+0600    INFO    Detected OS: debian
2023-11-30T12:00:22.221+0600    INFO    Detecting Debian vulnerabilities...
2023-11-30T12:00:22.232+0600    INFO    Number of language-specific files: 0
2023/11/30 12:00:22 parsing time "20222-10-01" as "2006-01-02": cannot parse "2-10-01" as "-"
2023-11-30T12:00:22.252+0600    FATAL   report error: unable to write results: plugin error: exit status 1

It looks like we can add a timeout (I think we need to add a timeout for the plugin as output anyway) or add information to docs that Stdin should be read anyway.