feat: support dockerfile base image vulnerability scan

[xieshenzh]

Support scanning base image in dockerfile

Jira: https://issues.redhat.com/browse/APPENG-2253

Changed the RHDA plugin to support IntelliJ 2022.1+, due to breaking changes to the Docker plugin which is required for dockerfile scanning.

[xieshenzh]

@zvigrinberg Could you please take a look at this PR for dockerfile base image scanning? Thanks.

This PR depends on the changes of RHEcosystemAppEng/exhort-java-api#96

[zvigrinberg]

@xieshenzh in Overall good job
for what concern snyk token, let's either remove it completely ( as snyk integration is discontinued) , or just hide its label and text field ( there is a chance that there will be arrangement and agreement between us and snyk, so once it will happen, we can just toggle the two setVisible method' argument from false to true and that's it, rather than re-insert the code again , you call, either do that or keep snyk text field + label code aside in a topic branch in your fork or in the upstream repository , and in case snyk will do "comeback", then it will be easier to merge it instantly...

In addition, please let QE test this version according to the agreed scenarios , and once we get green light from them, and we removing either way the snyk token text field and label, we're good to go ( you just need to bump version of exhort-java-api to 0.0.7-SNAPSHOT after we'll merge exhort-java-api' Image scanning PR).

[xieshenzh]

@xieshenzh in Overall good job for what concern snyk token, let's either remove it completely ( as snyk integration is discontinued) , or just hide its label and text field ( there is a chance that there will be arrangement and agreement between us and snyk, so once it will happen, we can just toggle the two setVisible method' argument from false to true and that's it, rather than re-insert the code again , you call, either do that or keep snyk text field + label code aside in a topic branch in your fork or in the upstream repository , and in case snyk will do "comeback", then it will be easier to merge it instantly...

In addition, please let QE test this version according to the agreed scenarios , and once we get green light from them, and we removing either way the snyk token text field and label, we're good to go ( you just need to bump version of exhort-java-api to 0.0.7-SNAPSHOT after we'll merge exhort-java-api' Image scanning PR).

Thanks @zvigrinberg . I removed the code for snyk, the changes are in a separate commit. We can revert it if we want to support it again in the future.

[zvigrinberg]

@xieshenzh I Couldn't find any usages or references in this PR for the new EXHORT_SYFT_IMAGE_SOURCE property
I Remember that i saw it before as a setting implemented as radiobutton that let the user selecting the image source container runtime cli tool.
But maybe it exists and i just missed it.

[xieshenzh]

@xieshenzh I Couldn't find any usages or references in this PR for the new EXHORT_SYFT_IMAGE_SOURCE property I Remember that i saw it before as a setting implemented as radiobutton that let the user selecting the image source container runtime cli tool. But maybe it exists and i just missed it.

Hi @zvigrinberg ,

EXHORT_SYFT_IMAGE_SOURCE is used to specify the source from which Syft gets the images.

Originally, there are four values (radio buttons) for users to select in the plugin configuration:

• registry: get image directly from remote registry
• docker: get image from docker daemon offline
• podman: get image from podman daemon offline
• default: use docker, podman, and containerd daemons, if no success try the remote registry

Then I figured, the plugin always sends request to the exhort backend, it will not work offline.
And the default option covers all the other three options.
So I deleted this property, and simplified the plugin configuration.
The plugin will always use the default option.

But this property still exists in the exhort-java-api, in case there are more scenarios to support in the future (e.g. read image from local disk).

[zvigrinberg]

LGTM + Approved by QE.
Approved for merge and release.

[ritz303]

@xieshenzh : The content looks good to me.

[sonarcloud]

Quality Gate failed

Failed conditions
C Reliability Rating on New Code (required ≥ A)

See analysis details on SonarCloud

Catch issues before they fail your Quality Gate with our IDE extension SonarLint

[xieshenzh]

@ruromero Could you please merge this PR? Thanks.