ROX-28098: explicitly set advisory

[RTann]

Description

Central DB's image and CVE data models are going through a metamorphosis now, and this will help. The goal is to show CVEs along with their associated advisory, if applicable, which this PR enables.

Note: this currently only affects Red Hat vulnerability data, and not GHSAs, DSAs, ALAS, etc. The current goal is to just do this for Red Hat data, at this time.

User-facing documentation

• CHANGELOG update is not needed
• documentation PR is not needed

Testing and quality

• the change is production ready: the change is GA or otherwise the functionality is gated by a feature flag
• CI results are inspected

Automated testing

• added unit tests

How I validated my change

CI

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[rhacs-bot]

Images are ready for the commit at a08c71a.

To use with deploy scripts, first export MAIN_IMAGE_TAG=4.8.x-22-ga08c71ad43.

[RTann]

Postgres tests are failing because we are not writing the advisory to the table. Due to the data model changes, I don't know the best place to put this (CVE, ImageCVE, ImageCVEV2?)

Can someone from @stackrox/core-workflows let me know where to put it?

[RTann]

@crozzy can you confirm we can/should fetch the advisory from the links?

[crozzy]

There's no API guarantee for the format/contents of the links field, having said that:

• I don't think there is any other way to tie them together without pulling the VEX CVE file and looking it up yourself.
• There is no plans to change the format until the Matcher v2 schema changes are updated that should render hacks like this moot.

[RTann]

works for me. Seems like this is the best way to do this using Claircore's native data

[dashrews78]

Postgres tests are failing because we are not writing the advisory to the table. Due to the data model changes, I don't know the best place to put this (CVE, ImageCVE, ImageCVEV2?)

Can someone from @stackrox/core-workflows let me know where to put it?

IMO, go to the image store test and add something like what I did in #13682. You can even reference the same ticket if you want and I'll deal with it soon. Minimizes the interference of proto churn and keeps your PR focused.

	for _, comp := range image.GetScan().GetComponents() {
		for _, vuln := range comp.GetVulns() {
			vuln.NvdCvss = 0
			vuln.Epss = nil
		}
		// TODO(ROX-27402) remove this
		comp.Architecture = ""
	}

We are going to have to create a new version of that store and test anyway so there is no real point on spending much thought on it for the scanner side of the changes.

[openshift-ci]

@RTann: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/ocp-4-17-scanner-v4-install-tests	a08c71a	link	false	/test ocp-4-17-scanner-v4-install-tests
ci/prow/ocp-4-12-scanner-v4-install-tests	a08c71a	link	false	/test ocp-4-12-scanner-v4-install-tests

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.