
feat: Packagesprops support #5605

Merged (10 commits), Nov 28, 2023

Conversation

yuriShafet (Contributor) commented Nov 17, 2023

Description

Adding support and documentation for Directory.packages.props and packages.props.
I am not 100% sure about the documentation about transitive dependency support.

Related issues

Related PRs

example of work:

➜  trivy fs ./Directory.Packages.props 
2023-11-22T13:50:17.728+0600    INFO    Vulnerability scanning is enabled
2023-11-22T13:50:17.729+0600    INFO    Secret scanning is enabled
2023-11-22T13:50:17.729+0600    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-11-22T13:50:17.729+0600    INFO    Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret/#recommendation for faster secret detection
2023-11-22T13:50:17.739+0600    INFO    Number of language-specific files: 1
2023-11-22T13:50:17.739+0600    INFO    Detecting packages-props vulnerabilities...

Directory.Packages.props (packages-props)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

┌─────────────────┬─────────────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────┐
│     Library     │    Vulnerability    │ Severity │ Status │ Installed Version │ Fixed Version │                       Title                       │
├─────────────────┼─────────────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────┤
│ Newtonsoft.Json │ GHSA-5crp-9r3c-p9vr │ HIGH     │ fixed  │ 9.0.1             │ 13.0.1        │ Improper Handling of Exceptional Conditions in    │
│                 │                     │          │        │                   │               │ Newtonsoft.Json                                   │
│                 │                     │          │        │                   │               │ https://github.com/advisories/GHSA-5crp-9r3c-p9vr │
└─────────────────┴─────────────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────┘

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).
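
To make the two file shapes concrete, here is an added example of a parser for both formats in Go. It is not Trivy's own code (the PR's analyzer lives under pkg/fanal/analyzer/language/dotnet/nuget and is not reproduced here); the element and attribute names are MSBuild's, the two sample files are constructed for this example, and the filename filter is an assumption about how such an analyzer would select files.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

// Package is one centrally managed NuGet package version from a props file.
type Package struct {
	Name    string
	Version string
}

// propsProject mirrors the parts of an MSBuild file we need. Central Package
// Management (Directory.Packages.props) uses <PackageVersion Include= Version=/>;
// the older Microsoft.Build.CentralPackageVersions SDK (packages.props) uses
// <PackageReference Update= Version=/>. Both sit under <ItemGroup>. encoding/xml
// matches local names, so a namespaced <Project xmlns="..."> decodes the same way.
type propsProject struct {
	XMLName    xml.Name    `xml:"Project"`
	ItemGroups []itemGroup `xml:"ItemGroup"`
}

type itemGroup struct {
	PackageVersions   []pkgItem `xml:"PackageVersion"`
	PackageReferences []pkgItem `xml:"PackageReference"`
}

type pkgItem struct {
	Include string `xml:"Include,attr"`
	Update  string `xml:"Update,attr"`
	Version string `xml:"Version,attr"`
}

// IsPackagesProps is the (assumed) file filter. The base name is compared
// case-insensitively: "Packages.props" and "packages.props" both occur in real
// repos, and a case-sensitive filter shows up as "language-specific files: 0".
func IsPackagesProps(path string) bool {
	switch strings.ToLower(filepath.Base(path)) {
	case "directory.packages.props", "packages.props":
		return true
	}
	return false
}

// Parse reads either flavour and returns concrete name/version pairs. Versions
// that are still MSBuild properties, e.g. "$(SerilogVersion)", are skipped:
// there is no literal version to match against an advisory.
func Parse(r io.Reader) ([]Package, error) {
	var proj propsProject
	if err := xml.NewDecoder(r).Decode(&proj); err != nil {
		return nil, fmt.Errorf("decode props file: %w", err)
	}
	var pkgs []Package
	for _, g := range proj.ItemGroups {
		for _, it := range g.PackageVersions {
			pkgs = appendPackage(pkgs, it.Include, it.Version)
		}
		for _, it := range g.PackageReferences {
			name := it.Update // legacy format; tolerate Include= as well
			if name == "" {
				name = it.Include
			}
			pkgs = appendPackage(pkgs, name, it.Version)
		}
	}
	return pkgs, nil
}

func appendPackage(pkgs []Package, name, version string) []Package {
	name, version = strings.TrimSpace(name), strings.TrimSpace(version)
	if name == "" || version == "" || strings.Contains(version, "$(") {
		return pkgs
	}
	return append(pkgs, Package{Name: name, Version: version})
}

// Constructed sample inputs (not from the PR or Trivy's test fixtures).
const sampleDirectoryPackagesProps = `<Project>
  <ItemGroup>
    <PackageVersion Include="Newtonsoft.Json" Version="9.0.1" />
    <PackageVersion Include="Serilog" Version="$(SerilogVersion)" />
  </ItemGroup>
</Project>`

const sampleLegacyPackagesProps = `<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup>
    <PackageReference Update="Newtonsoft.Json" Version="13.0.1" />
    <PackageReference Update="xunit" Version="2.4.2" />
  </ItemGroup>
</Project>`

func main() {
	for _, in := range []struct{ path, body string }{
		{"src/Directory.Packages.props", sampleDirectoryPackagesProps},
		{"build/packages.props", sampleLegacyPackagesProps},
	} {
		pkgs, err := Parse(strings.NewReader(in.body))
		fmt.Println(in.path, IsPackagesProps(in.path), pkgs, err)
	}
}
```

Skipping `$(...)` versions is a deliberate choice: a props file is a pre-build input, so property references are legal there and only the evaluated project knows the final version. Reporting the placeholder string as an "installed version" would produce false matches or, worse, silently no match at all.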

@yuriShafet yuriShafet changed the title Packagesprops support feat: Packagesprops support Nov 17, 2023
DmitriyLewen (Contributor) left a comment

Hello @yuriShafet
Thanks for your work!

Left a few comments.

Also 2 points:

  • please take a look at the purl package. I think you need to add a new type.
  • can you add a small integration test to repo_test?

Review comments (resolved) on: pkg/fanal/analyzer/language/dotnet/nuget/nuget.go, pkg/fanal/types/const.go, docs/docs/coverage/language/dotnet.md
yuriShafet (Contributor, Author) commented Nov 22, 2023

@DmitriyLewen
I added packagesprops to the integration test. It seems that it is failing at the moment. I compiled trivy locally, executed a manual scan of the test repo and got the following output:

  ./trivy fs -f json --list-all-pkgs ../../integration/testdata/fixtures/repo/packagesprops/packages.props

  2023-11-21T23:31:21.913-0500	INFO	Vulnerability scanning is enabled
  2023-11-21T23:31:21.913-0500	INFO	Secret scanning is enabled
  2023-11-21T23:31:21.914-0500	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
  2023-11-21T23:31:21.914-0500	INFO	Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret/#recommendation for faster secret detection
  2023-11-21T23:31:21.915-0500	INFO	Number of language-specific files: 0
  {
    "SchemaVersion": 2,
    "CreatedAt": "2023-11-21T23:31:21.915709186-05:00",
    "ArtifactName": "../../integration/testdata/fixtures/repo/packagesprops/packages.props",
    "ArtifactType": "filesystem",
    "Metadata": {
      "ImageConfig": {
        "architecture": "",
        "created": "0001-01-01T00:00:00Z",
        "os": "",
        "rootfs": {
          "type": "",
          "diff_ids": null
        },
        "config": {}
      }
    }
  }

It seems packagesprops logic is not registered somewhere.

DmitriyLewen (Contributor) left a comment

@yuriShafet
Thanks for your work!

To save us time, I did a little refactoring and added a few comments.
Can you check and confirm that it is working correctly?

@@ -34,6 +34,7 @@ On the other hand, when the target is a post-build artifact, like a container im
| [.NET](dotnet.md) | packages.lock.json | ✅ | ✅ | ✅ | ✅ |
| | packages.config | ✅ | ✅ | ✅ | ✅ |
| | .deps.json | ✅ | ✅ | ✅ | ✅ |
| | *Packages.props[^11] | ✅ | ✅ | ✅ | ✅ |
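Review bot: the new `*Packages.props[^11]` row references footnote [^11], but no footnote definition appears in this hunk and the neighbouring .NET rows carry none, so confirm the file actually defines it. The row also ticks all four columns, which the comments below question for post-build (image) targets; if the decision is that Packages.props is only meaningful in fs/repo mode, the table should reflect that instead of mirroring the packages.lock.json row.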
DmitriyLewen (Contributor) Nov 22, 2023

We divide all language files into pre-build and post-build - https://aquasecurity.github.io/trivy/v0.47/docs/coverage/language/#supported-languages
Perhaps we should only scan Packages.props files in fs/repo mode?

yuriShafet (Contributor, Author) Nov 24, 2023

It is unlikely that packages.props will appear in the post-build phase, but I expect packages.config would show the same behavior.
If we support packages.config in the post-build phase, we should also support packages.props in the post-build phase.

yuriShafet (Contributor, Author)

By the way, the same thing could be said about packages.lock.json. I think there will be mostly .dll files in post-build.

yuriShafet (Contributor, Author)

Also, if I use my image for development purposes (for example, I pre-build an image with the source code to run unit tests or some static code analysis), it actually makes sense to look for these artifacts.

DmitriyLewen (Contributor)

You are right.
Looks like we need to use pre-build for all supported NuGet files.
But then NuGet packages will not be scanned in image mode.

Okay, let's use same logic for *Packages.props.

Review comment (resolved) on: pkg/fanal/analyzer/all/import.go

yuriShafet (Contributor, Author)

@DmitriyLewen It seems that after your refactor all tests pass. Thanks. Are there any more questions/comments?

DmitriyLewen (Contributor) left a comment

@yuriShafet Thanks for your work and help!
I don't have more questions.

@knqyf263 I approved this PR. Take a look, when you have time, please.

@knqyf263 knqyf263 added this pull request to the merge queue Nov 28, 2023
Merged via the queue into aquasecurity:main with commit 16b757d Nov 28, 2023
17 checks passed

Successfully merging this pull request may close these issues.

Add support of .NET *Packages.props files.