feat(scan): current and released package scan (#65)

* feat(scan): zarf and release scanning with grype

* added missing license

* added a comment

* drop -v for verbose output - it's already used for version

* add missing check for errors on mkdirtemp

* slog logging

* add some colors to logging

* dropped zarf package loader deps, switched to a supported yaml lib

* minor fixes

* drop unnecessary oci url building

* minor clean up

* added scan and compare

* added an option to override image name - if image name changed between the released and the current version

* generated some e2e tests

* sth working

* separate mock files

* e2e tests for scan commands

* lint fixes

* added missing license

* explicitly ignore fprintf error

* drop unnecessary todos

* minor fix

* fix comment

* switch scanning commands to structs

* switch scanning commands to structs

* reworks - batch 1

* simplified fetching sboms for flavors logic

* more rework

* try direct defer calls

* try to silence linter when swallowing irrelevant errors

* refactored commands - not working fetching

* superfluous logging

* fixed running

* switched to `flags` for flag parsing in grype mock

* a bit of rework + fixing lint errors

* rearranged the commands to be under `scan` parent command

* pulled out exec function to options

* drop overcomplicated Close() error swallowing

* drop more overcomplicated Close() error swallowing

Author: michalszynkiewicz

.gitignore

@@ -27,6 +27,9 @@ go.work.sum
 # vscode
 .vscode
 
+# idea
+.idea
+
 # build artifacts
 build/
 uds-pk

go.mod

@@ -8,11 +8,14 @@ require (
 	github.com/go-git/go-git/v5 v5.16.2
 	github.com/goccy/go-yaml v1.18.0
 	github.com/google/go-github/v69 v69.2.0
+	github.com/google/go-github/v73 v73.0.0
 	github.com/mikefarah/yq/v4 v4.47.2
 	github.com/olekukonko/tablewriter v1.0.9
 	github.com/spf13/cobra v1.10.1
 	github.com/stretchr/testify v1.11.1
 	github.com/zarf-dev/zarf v0.61.2
+	go.yaml.in/yaml/v4 v4.0.0-rc.2
+	golang.org/x/oauth2 v0.30.0
 	gopkg.in/op/go-logging.v1 v1.0.0-20160211212156-b2cb9fa56473
 )
 
@@ -83,7 +86,6 @@ require (
 	go4.org v0.0.0-20230225012048-214862532bf5 // indirect
 	golang.org/x/crypto v0.41.0 // indirect
 	golang.org/x/net v0.43.0 // indirect
-	golang.org/x/oauth2 v0.30.0 // indirect
 	golang.org/x/sys v0.35.0 // indirect
 	golang.org/x/text v0.28.0 // indirect
 	golang.org/x/time v0.12.0 // indirect

go.sum

@@ -125,6 +125,8 @@ github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/go-github/v69 v69.2.0 h1:wR+Wi/fN2zdUx9YxSmYE0ktiX9IAR/BeePzeaUUbEHE=
 github.com/google/go-github/v69 v69.2.0/go.mod h1:xne4jymxLR6Uj9b7J7PyTpkMYstEMMwGZa0Aehh1azM=
+github.com/google/go-github/v73 v73.0.0 h1:aR+Utnh+Y4mMkS+2qLQwcQ/cF9mOTpdwnzlaw//rG24=
+github.com/google/go-github/v73 v73.0.0/go.mod h1:fa6w8+/V+edSU0muqdhCVY7Beh1M8F1IlQPZIANKIYw=
 github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8=
 github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=
 github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
@@ -275,6 +277,8 @@ go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
+go.yaml.in/yaml/v4 v4.0.0-rc.2 h1:/FrI8D64VSr4HtGIlUtlFMGsm7H7pWTbj6vOLVZcA6s=
+go.yaml.in/yaml/v4 v4.0.0-rc.2/go.mod h1:aZqd9kCMsGL7AuUv/m/PvWLdg5sjJsZ4oHDEnfPPfY0=
 go4.org v0.0.0-20230225012048-214862532bf5 h1:nifaUDeh+rPaBCMPMQHZmvJf+QdpLFnuQPwx+LxVmtc=
 go4.org v0.0.0-20230225012048-214862532bf5/go.mod h1:F57wTi5Lrj6WLyswp5EYV1ncrEbFGHD4hhz6S1ZYeaU=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=

src/cmd/root.go

@@ -4,9 +4,13 @@
 package cmd
 
 import (
+	"context"
 	"fmt"
+	"log/slog"
 	"os"
 
+	"github.com/defenseunicorns/uds-pk/src/utils"
+
 	"github.com/spf13/cobra"
 )
 
@@ -15,8 +19,8 @@ var rootCmd = &cobra.Command{
 	Use:   "uds-pk",
 	Short: "UDS Package Kit is a tool for managing UDS packages",
 	Long: `UDS Package Kit is a tool that facilitates the development, maintenance and release
-	of UDS packages. It provides commands for automating releases verifying packages and
-	generating configuration.`,
+		of UDS packages. It provides commands for automating releases verifying packages and
+		generating configuration.`,
 }
 
 // deprecatedCheckCmd is the deprecated location for the check command
@@ -52,6 +56,48 @@ var deprecatedUpdateYamlCmd = &cobra.Command{
 	},
 }
 
+type contextKey string
+
+const loggerKey contextKey = "logger"
+const verboseKey contextKey = "verbose"
+
+func initLogger(cmd *cobra.Command, _ []string) {
+	verbose, err := cmd.Root().PersistentFlags().GetBool("verbose")
+	if err != nil {
+		verbose = false
+	}
+	ctx := InitLoggerContext(verbose, cmd.Context())
+	cmd.SetContext(ctx)
+}
+
+func InitLoggerContext(verbose bool, ctx context.Context) context.Context {
+	logger := CreateLogger(verbose)
+	ctx = context.WithValue(ctx, loggerKey, logger)
+	return context.WithValue(ctx, verboseKey, verbose)
+}
+
+func CreateLogger(verbose bool) *slog.Logger {
+	level := slog.LevelInfo
+	if verbose {
+		level = slog.LevelDebug
+	}
+	return slog.New(utils.PrettyLogHandler(os.Stderr, level))
+}
+
+func Logger(ctx *context.Context) *slog.Logger {
+	if ctx == nil {
+		return CreateLogger(false)
+	}
+	return (*ctx).Value(loggerKey).(*slog.Logger)
+}
+
+func Verbose(ctx *context.Context) bool {
+	if ctx == nil {
+		return false
+	}
+	return (*ctx).Value(verboseKey).(bool)
+}
+
 // Execute adds all child commands to the root command and sets flags appropriately.
 // This is called by main.main(). It only needs to happen once to the rootCmd.
 func Execute() {
@@ -62,6 +108,8 @@ func Execute() {
 }
 
 func init() {
+	rootCmd.PersistentFlags().Bool("verbose", false, "Enable debug output")
+	rootCmd.PersistentPreRun = initLogger
 	rootCmd.AddCommand(deprecatedCheckCmd)
 	rootCmd.AddCommand(deprecatedShowCmd)
 	rootCmd.AddCommand(deprecatedUpdateYamlCmd)