
Per vulnerability policy rules #1182

Open
zregvart opened this issue Oct 10, 2024 · 2 comments

Comments

@zregvart
Member

From #1180 (review), given that we have access to the full Clair vulnerability report, rather than the aggregate, this now enables per-vulnerability rules. For example, term-based exclusion on a per-vulnerability basis.

@lcarva
Member

lcarva commented Jan 10, 2025

Today, if there's a critical CVE violation, EC will emit something like this: cve.cve_blockers:critical. This only allows users to exclude a violation based on the CVE severity, not the CVE itself. This has its uses, e.g. you may want a more lenient config to gate promotion to staging vs production.

However, what has become increasingly clear is that excluding all the CVEs for a particular severity is too heavy-handed in most cases. Thus this GitHub issue.

Let's tweak the existing policy rules to emit violations like this: cve.cve_blockers:CVE-123-456. This will allow users to ignore a certain CVE. However, a violation can only emit a single term (the thing after :). Users will no longer be able to use cve.cve_blockers:critical to ignore a whole severity of CVEs. To still allow that use case, users can override the rule data instead, e.g. restrict_cve_security_levels.

So for example, if this is your current policy config:

---
spec:
  sources:
    - data:
        - github.com/release-engineering/rhtap-ec-policy//data
        - oci::quay.io/konflux-ci/tekton-catalog/data-acceptable-bundles:latest
      name: Release Policies
      policy:
        - oci::quay.io/enterprise-contract/ec-release-policy:latest
      config:
        exclude:
          - cve.cve_blockers:critical
        include:
          - "@redhat"

If you want to continue excluding all critical CVEs, then:

---
spec:
  sources:
    - data:
        - github.com/release-engineering/rhtap-ec-policy//data
        - oci::quay.io/konflux-ci/tekton-catalog/data-acceptable-bundles:latest
      name: Release Policies
      policy:
        - oci::quay.io/enterprise-contract/ec-release-policy:latest
      ruleData:
        # Override default value to exclude "critical"
        restrict_cve_security_levels: ["high"]
        # Optionally, report "critical" as a warning
        warn_cve_security_levels: ["critical"]
      config:
        include:
          - "@redhat"

And if you want to only exclude a single CVE:

---
spec:
  sources:
    - data:
        - github.com/release-engineering/rhtap-ec-policy//data
        - oci::quay.io/konflux-ci/tekton-catalog/data-acceptable-bundles:latest
      name: Release Policies
      policy:
        - oci::quay.io/enterprise-contract/ec-release-policy:latest
      config:
        exclude:
          - cve.cve_blockers:CVE-123-456
        include:
          - "@redhat"

Of course, this will require a small migration of the existing EC policy configs, but I do believe this will bring us to a much better state.

(There's also the desire to only apply an exclusion to some of the components. That is orthogonal to this work.)
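The three configs above differ only in how the emitted result's single term interacts with `exclude` and `ruleData`. The following Python simulation is an added example, not EC's own code or policy (the real rules are Rego), written to show the behaviour the comment describes: today the term is the severity, after the proposed change it is the CVE id, and severity-wide exclusion moves into `restrict_cve_security_levels`. It also shows the migration caveat: a stale `cve.cve_blockers:critical` exclude silently stops matching once terms are CVE ids. The report shape, the default rule data (critical plus high, inferred from "override default value to exclude critical"), and the `pkg.rule` / `pkg.rule:term` matcher forms are assumptions; `@collection` entries are not modelled.

```python
"""Simulation of how an EC-style CVE rule emits results and how exclude/ruleData filter them.
Added example; not the project's code. Report shape and defaults are assumptions."""

RULE_CODE = "cve.cve_blockers"

# Constructed per-vulnerability report (assumed shape, not Clair's schema).
SAMPLE_REPORT = [
    {"id": "CVE-123-456", "severity": "critical"},
    {"id": "CVE-2000-0001", "severity": "critical"},
    {"id": "CVE-2000-0002", "severity": "high"},
    {"id": "CVE-2000-0003", "severity": "medium"},
]

# Assumed defaults: overriding restrict to ["high"] is said to drop "critical",
# so critical+high is taken as the default restrict list; no warnings by default.
DEFAULT_RULE_DATA = {
    "restrict_cve_security_levels": ["critical", "high"],
    "warn_cve_security_levels": [],
}


def rule_results(report, rule_data, per_cve_terms):
    """Emit one result per vulnerability whose severity is restricted (violation)
    or warned about (warning). The result carries exactly one term: the severity
    today (per_cve_terms=False) or the CVE id under the proposal (True)."""
    restrict = set(rule_data.get("restrict_cve_security_levels", []))
    warn = set(rule_data.get("warn_cve_security_levels", []))
    violations, warnings = [], []
    for vuln in report:
        sev = vuln["severity"]
        term = vuln["id"] if per_cve_terms else sev
        result = {"code": RULE_CODE, "term": term, "cve": vuln["id"], "severity": sev}
        if sev in restrict:
            violations.append(result)
        elif sev in warn:
            warnings.append(result)
    return violations, warnings


def is_excluded(result, exclude):
    """'pkg.rule' drops every result of that rule; 'pkg.rule:term' drops only
    results whose single term equals the given term (assumed matcher forms)."""
    for entry in exclude:
        code, _, term = entry.partition(":")
        if code == result["code"] and (term == "" or term == result["term"]):
            return True
    return False


def evaluate(report, rule_data=None, exclude=(), per_cve_terms=False):
    """Return the CVE ids that remain as violations, are reported as warnings,
    and were dropped by an exclude entry, in report order."""
    data = {**DEFAULT_RULE_DATA, **(rule_data or {})}
    violations, warnings = rule_results(report, data, per_cve_terms)
    return {
        "violations": [v["cve"] for v in violations if not is_excluded(v, exclude)],
        "warnings": [w["cve"] for w in warnings],
        "excluded": [v["cve"] for v in violations if is_excluded(v, exclude)],
    }


def scenario_today():
    # First config: term is the severity, so one exclude hides every critical CVE.
    return evaluate(SAMPLE_REPORT, exclude=["cve.cve_blockers:critical"])


def scenario_rule_data():
    # Second config: severity-wide handling moves to ruleData; critical becomes a warning.
    return evaluate(
        SAMPLE_REPORT,
        rule_data={"restrict_cve_security_levels": ["high"],
                   "warn_cve_security_levels": ["critical"]},
        per_cve_terms=True,
    )


def scenario_single_cve():
    # Third config: term is the CVE id, so exactly one CVE is ignored.
    return evaluate(SAMPLE_REPORT, exclude=["cve.cve_blockers:CVE-123-456"], per_cve_terms=True)


def scenario_stale_exclude():
    # Migration caveat: the old severity exclude no longer matches any CVE-id term.
    return evaluate(SAMPLE_REPORT, exclude=["cve.cve_blockers:critical"], per_cve_terms=True)


if __name__ == "__main__":
    for name in ("scenario_today", "scenario_rule_data", "scenario_single_cve", "scenario_stale_exclude"):
        print(name, globals()[name]())
```

The stale-exclude scenario is the one to check for in existing policy configs during the migration: nothing errors, the exclude entry is simply inert and every critical CVE becomes a blocking violation again.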

@simonbaird
Member

I like it.
