
updated anchore engine parser for up-to-date output format #11805

Open · wants to merge 3 commits into base: bugfix

Conversation

pUrGe12 (Contributor) commented Feb 12, 2025

Description

According to the discussion at #11552, I have updated the Anchore Engine parser for the relevant output format.

Test results

I have tested it locally using the file provided in #11552. I didn't have more files, so I haven't tried others.

Documentation

I have updated the docs to include the relevant information.

Checklist

This checklist is for your information.

  • Make sure to rebase your PR against the very latest dev.
  • Features/changes should be submitted against the dev branch.
  • Bugfixes should be submitted against the bugfix branch.
  • Give a meaningful name to your PR, as it may end up being used in the release notes.
  • Your code is flake8 compliant.
  • Your code is Python 3.11 compliant.
  • If this is a new feature and not a bug fix, you've included the proper documentation in the docs at https://github.com/DefectDojo/django-DefectDojo/tree/dev/docs as part of this PR.
  • Model changes must include the necessary migrations in the dojo/db_migrations folder.
  • Add applicable tests to the unit tests.
  • Add the proper label to categorize your PR.

dryrunsecurity bot commented Feb 12, 2025

DryRun Security Summary

The pull request modifies the Anchore Engine parser and documentation while introducing various security concerns including information exposure risks, input validation weaknesses, file handling vulnerabilities, severity mapping issues, and critical vulnerabilities in test data.


The pull request updates the Anchore Engine parser and related documentation, modifying JSON structure, vulnerability parsing, and test cases across multiple files. Security findings include:

  1. Potential Information Exposure:
  • Hardcoded file paths with potential timestamps in parser code
  • Full image digest and internal path details in documentation example
  • Prints full image hash in vulnerability description
  2. Input Validation Concerns:
  • Limited JSON input validation
  • Relies on .get() method with default values
  • Potential for silent failures with malformed input
  • No explicit schema validation
  • Accepts "Unknown" as a valid vulnerability ID
  3. File Handling Risks:
  • No explicit file size or type validation
  • Potential resource exhaustion with large files
  • User-provided file path without sanitization
  4. Severity Mapping Issues:
  • Converts "negligible" and "unknown" severities to "Info"
  • May mask potential security risks
  5. Critical Vulnerabilities in Test Data:
  • Multiple critical CVEs detected (e.g., CVE-2024-50379 with CVSS 9.8)
  • Extensive list of vulnerabilities across different severity levels

Code Analysis

We ran 9 analyzers against 6 files and 0 analyzers had findings. 9 analyzers had no findings.

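To make the input-validation and severity-mapping points in the bot summary concrete, here is an added example of a strictly validating parser for an Anchore-Engine-style JSON report. It is not DefectDojo's parser or Anchore's code; the field names (`imageDigest`, `vulnerabilities`, `vuln`, `severity`, `package`, `package_version`, `fix`), the size limit and the sample report are assumptions constructed for the example. Instead of `.get()` with defaults, every missing or malformed field raises an error, a literal `"Unknown"` vulnerability ID is rejected, and the raw severity label is kept alongside the normalised one so the "negligible"/"unknown" to "Info" collapse is visible in the imported finding.

```python
"""Constructed example, not DefectDojo's or Anchore's code: a small, strictly
validating parser for an Anchore-Engine-style vulnerability report."""
import json

# Severity normalisation (assumed labels). "negligible" and "unknown" both
# collapse to "Info", which is the masking concern raised in the summary;
# the parser therefore also records the raw label on each finding.
SEVERITY_MAP = {
    "critical": "Critical",
    "high": "High",
    "medium": "Medium",
    "low": "Low",
    "negligible": "Info",
    "unknown": "Info",
}

# Assumed field names for one vulnerability entry.
REQUIRED_FIELDS = ("vuln", "severity", "package", "package_version")


class ReportFormatError(ValueError):
    """Raised instead of silently defaulting when the report is malformed."""


def normalise_severity(raw):
    """Map a raw severity label to the normalised form; reject unknown labels."""
    if not isinstance(raw, str):
        raise ReportFormatError(f"severity must be a string, got {raw!r}")
    try:
        return SEVERITY_MAP[raw.lower()]
    except KeyError:
        raise ReportFormatError(f"unrecognised severity {raw!r}") from None


def parse_report(text, max_bytes=5 * 1024 * 1024):
    """Parse a JSON report string and return a list of finding dicts.

    Every structural problem raises ReportFormatError so bad input is surfaced
    rather than imported as an "Unknown" finding with Info severity.
    The size limit is an assumed value, checked before json.loads runs.
    """
    if len(text.encode("utf-8")) > max_bytes:
        raise ReportFormatError("report exceeds size limit")
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ReportFormatError(f"not valid JSON: {exc}") from None
    if not isinstance(data, dict):
        raise ReportFormatError("top-level value must be an object")
    vulns = data.get("vulnerabilities")
    if not isinstance(vulns, list):
        raise ReportFormatError("'vulnerabilities' must be a list")

    findings = []
    for idx, entry in enumerate(vulns):
        if not isinstance(entry, dict):
            raise ReportFormatError(f"vulnerabilities[{idx}] is not an object")
        missing = [f for f in REQUIRED_FIELDS if f not in entry]
        if missing:
            raise ReportFormatError(f"vulnerabilities[{idx}] missing {missing}")
        vuln_id = entry["vuln"]
        # A blank or literal "Unknown" ID is not a usable identifier.
        if (not isinstance(vuln_id, str) or not vuln_id.strip()
                or vuln_id.strip().lower() == "unknown"):
            raise ReportFormatError(f"vulnerabilities[{idx}] has no usable vulnerability id")
        findings.append({
            "vuln_id": vuln_id.strip(),
            "severity": normalise_severity(entry["severity"]),
            "raw_severity": entry["severity"],
            "package": f"{entry['package']} {entry['package_version']}",
            "fix": entry.get("fix") or "None",  # fix version is genuinely optional
        })
    return findings


# Constructed sample input with placeholder IDs; not a real Anchore report.
SAMPLE_REPORT = json.dumps({
    "imageDigest": "sha256:" + "0" * 64,
    "vulnerabilities": [
        {"vuln": "CVE-0000-0001", "severity": "High", "package": "libfoo",
         "package_version": "1.2.3", "fix": "1.2.4"},
        {"vuln": "CVE-0000-0002", "severity": "Negligible", "package": "libbar",
         "package_version": "0.9", "fix": "None"},
    ],
})

if __name__ == "__main__":
    for finding in parse_report(SAMPLE_REPORT):
        print(finding)
```

Running the block prints two findings; the second carries `severity: Info` but `raw_severity: Negligible`, so a triager can still tell a negligible result from a genuinely unknown one. Feeding it a report whose entry has `"vuln": "Unknown"`, a bogus severity, or a non-object top level raises `ReportFormatError` rather than producing a finding.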

pUrGe12 (Contributor, Author) commented Feb 13, 2025

I think I am going astray. Does changing the parser and data input require some database config changes as well?

mtesauro (Contributor)

@pUrGe12 There was a fix added to 2.43.2, released yesterday, that should fix the tests that are failing for you.
Can you rebase this PR?

pUrGe12 (Contributor, Author) commented Feb 14, 2025

That didn't work. Should I rebase onto master, because right now I did it onto bugfix? Also, is there a way to run the Docker tests locally?

Maffooch (Contributor)

@pUrGe12 it looks like the failing tests are related to the Anchore changes made in this PR.

pUrGe12 (Contributor, Author) commented Feb 15, 2025

Can you let me know why that's happening?

3 participants