feat(flag): early fail when the format is invalid

[blueskyson]

Description

This PR will make trivy fail earlier when the format is wrong.

Related issues

• Close Validate output format types earlier (fail fast when invalid format supplied) #3244

Before:

$ ./trivy image alpine:latest --format foo
2023-01-02T19:00:26.902+0800    INFO    Vulnerability scanning is enabled
2023-01-02T19:00:26.902+0800    INFO    Secret scanning is enabled
2023-01-02T19:00:26.902+0800    INFO    If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2023-01-02T19:00:26.902+0800    INFO    Please see also https://aquasecurity.github.io/trivy/v0.35/docs/secret/scanning/#recommendation for faster secret detection
2023-01-02T19:00:29.062+0800    INFO    Detected OS: alpine
2023-01-02T19:00:29.062+0800    INFO    This OS version is not on the EOL list: alpine 3.17
2023-01-02T19:00:29.062+0800    INFO    Detecting Alpine vulnerabilities...
2023-01-02T19:00:29.065+0800    INFO    Number of language-specific files: 0
2023-01-02T19:00:29.065+0800    FATAL   report error: unable to write results: unknown format: foo

After:

$ ./trivy image alpine:latest --format foo
2023-01-02T19:00:20.617+0800    FATAL   flag error: report flag error: unknown format: foo

Checklist

• I've read the guidelines for contributing to this repository.
• I've followed the conventions in the PR title.
• I've added tests that prove my fix is effective or that my feature works.
• I've updated the documentation with the relevant information (if needed).
• I've added usage information (if the PR introduces new options)
• I've included a "before" and "after" example in the description (if the PR is a user interface change).

[CLAassistant]

All committers have signed the CLA.

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[knqyf263]

Thanks for your contribution! I left some comments.

[knqyf263]

Adding SupportedFormats may be better.

trivy/pkg/report/writer.go

Lines 35 to 37 in 3daf3df

	var (
	SupportedSBOMFormats = []string{FormatCycloneDX, FormatSPDX, FormatSPDXJSON, FormatGitHub}
	)

Suggested change

	switch format {
	case FormatTable, FormatJSON, FormatGitHub, FormatCycloneDX, FormatSPDX, FormatSPDXJSON, FormatTemplate, FormatSarif, FormatCosignVuln:
	return nil
	default:
	return xerrors.Errorf("unknown format: %v", format)
	}
	return slices.Contains(SupportedFormats, format)

[knqyf263]

Also, it would be great to replace these values with SupportedFormats.

trivy/pkg/flag/report_flags.go

Line 29 in a3eece4

Usage: "format (table, json, sarif, template, cyclonedx, spdx, spdx-json, github, cosign-vuln)",

[knqyf263]

Suggested change

	return ReportOptions{}, err
	return ReportOptions{}, xerrors.Errorf("unknown format: %v", format)

[blueskyson]

@knqyf263 Thanks for your suggestions. I also thought replacing independent strings with something like SupportedSBOMFormats is a better solution. Shall I replace the original strings with the slice or I just add the slice?

[knqyf263]

replace the original strings with the slice

What does it look like? I thought we would add the slice, but I would like to hear another approach.

[blueskyson]

Still learning Golang, I wrongly thought that I can treat Golang's slice as Cshap's enum which can be used in switch-case or test if a value belongs to one of the enums. Anyway, I finally implemented your suggestion.

[blueskyson]

Some of the unit tests in /pkg/flag/report_flags_test.go use "" as their format, so I make a wild card for "".

[knqyf263]

Thanks!