ci: fix osv vulnerability and license scans and add license overrides

[shahar-h]

What this PR does / why we need it:

• Disable call analysis in both osv vulnerability and license scans until [GitHub Action] scan fails on go projects that import C code google/osv-scanner#1220 is resolved.

• Add license overrides for packages with unidentified licenses and for packages which got license exception from CNCF.

• Move osv-scanner config file to default location (osv-scanner.toml) in order to make it reusable also by openssf-scorecard.

• There are 2 remaining packages with an unapproved license (both have MPL-2.0 license):

  • github.com/hashicorp/go-getter
  • github.com/hashicorp/go-safetemp - imported by github.com/hashicorp/go-getter

  See related CNCF issue regarding license exception request for these packages: [License Exception Request] Additional Hashicorp libraries under MPL / MIT cncf/foundation#624.
  We can either wait for this issue to be resolved (it's quite old) or consider to remove github.com/hashicorp/go-getter usage.

  We can get rid of github.com/hashicorp/go-getter package by replacing the usage of convert.ValidateOutputPath function with a local copy. This is the function: https://github.com/replicatedhq/troubleshoot/blob/main/pkg/convert/output.go#L10-L19

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 67.93%. Comparing base (301eedd) to head (e458c7e).
Report is 5 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4157      +/-   ##
==========================================
- Coverage   67.94%   67.93%   -0.02%     
==========================================
  Files         187      187              
  Lines       23019    23019              
==========================================
- Hits        15641    15637       -4     
- Misses       6264     6267       +3     
- Partials     1114     1115       +1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[guydc]

LGTM, Thanks!

[guydc]

We can get rid of github.com/hashicorp/go-getter package by replacing the usage of convert.ValidateOutputPath function with a local copy. This is the function: https://github.com/replicatedhq/troubleshoot/blob/main/pkg/convert/output.go#L10-L19

@zirain - WDYT? Do you see other uses for this lib? if not, by replacing it, we can finally start enforcing OSV scans.

[zirain]

We can get rid of github.com/hashicorp/go-getter package by replacing the usage of convert.ValidateOutputPath function with a local copy. This is the function: https://github.com/replicatedhq/troubleshoot/blob/main/pkg/convert/output.go#L10-L19

@zirain - WDYT? Do you see other uses for this lib? if not, by replacing it, we can finally start enforcing OSV scans.

it's fine to replace.

[zirain]

we change change it to zipkin or other backend.
does loki has same problem?

[shahar-h]

Loki has the same AGPL-3.0 license.

[shahar-h]

/retest

[shahar-h]

We can get rid of github.com/hashicorp/go-getter package by replacing the usage of convert.ValidateOutputPath function with a local copy. This is the function: https://github.com/replicatedhq/troubleshoot/blob/main/pkg/convert/output.go#L10-L19

@zirain - WDYT? Do you see other uses for this lib? if not, by replacing it, we can finally start enforcing OSV scans.

it's fine to replace.

I'll open a separate PR for this.