
feat(report): update gitlab template to populate operating_system value #1

Open · wants to merge 5 commits into base: main

Conversation

aarongoldenthal
Owner

@aarongoldenthal aarongoldenthal commented Oct 14, 2024

Description

Update the gitlab.tpl container scanning template to populate the vulnerabilities[].location.operating_system value from the Target. The current template extracts the image from Target, but the OS is not used and has the value hardcoded as "operating_system": "Unknown". This update extracts the OS from Target, if specified (simply checking for ( in the Target), to populate the operating_system value (for example "operating_system": "alpine 3.10.2"). If not specified, the default of Unknown is used.

Related issues

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options).
  • I've included a "before" and "after" example in the description (if the PR is a user interface change).

@aarongoldenthal aarongoldenthal force-pushed the gitlab-template-os branch 2 times, most recently from 4c77969 to 6024306 on October 14, 2024 21:51
@aarongoldenthal
Owner Author

aarongoldenthal commented Oct 15, 2024

The existing test was updated to reflect the operating_system value being populated, but what's missing is a test with a report returning "operating_system": "Unknown". The example I was thinking of was an image FROM scratch with at least one vulnerability, but all of the existing container image test fixtures appear to use a known OS, so I thought I'd check before going that direction.

I did manually test against anchore/syft:v0.20.0 (I was looking for something older likely to have vulnerabilities, FROM scratch, and it was on my mind), and it did properly report "Unknown":

{
  ...
  "vulnerabilities": [
    {
      "id": "CVE-2024-24579",
      "name": "stereoscope vulnerable to tar path traversal when processing OCI tar archives",
      "description": "stereoscope is a go library for processing container images and simulating a squash filesystem.  Prior to version 0.0.1, it is possible to craft an OCI tar archive that, when stereoscope attempts to unarchive the contents, will result in writing to paths outside of the unarchive temporary directory. Specifically, use of `github.com/anchore/stereoscope/pkg/file.UntarToDirectory()` function, the  `github.com/anchore/stereoscope/pkg/image/oci.TarballImageProvider` struct, or the higher level `github.com/anchore/stereoscope/pkg/image.Image.Read()` function express this vulnerability. As a workaround, if you are using the OCI archive as input into stereoscope then you can switch to using an OCI layout by unarchiving the tar archive and provide the unarchived directory to stereoscope.",
      "severity": "Medium",
      "solution": "Upgrade github.com/anchore/stereoscope to 0.0.1",
      "location": {
        "dependency": {
          "package": {
            "name": "github.com/anchore/stereoscope"
          },
          "version": "v0.0.0-20210817160504-0f4abc2a5a5a"
        },
        "operating_system": "Unknown",
        "image": "syft"
      },
      "identifiers": [
        {
          "type": "cve",
          "name": "CVE-2024-24579",
          "value": "CVE-2024-24579",
          "url": "https://avd.aquasec.com/nvd/cve-2024-24579"
        }
      ],
      "links": [{
          "url": "https://github.com/anchore/stereoscope"
        },{
          "url": "https://github.com/anchore/stereoscope/commit/09dacab4d9ee65ee8bc7af8ebf4aa7b5aaa36204"
        },{
          "url": "https://github.com/anchore/stereoscope/security/advisories/GHSA-hpxr-w9w7-g4gv"
        },{
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24579"
        }
      ]
    },
    ...
  ],
  ...
}
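The Target-parsing rule from the PR description (split on "(" to get the image and the operating system, otherwise keep "Unknown") and the scratch-image case discussed in the comment above (a Target with no OS must still produce "operating_system": "Unknown") can be exercised outside the template. The following is an added Go example written for this page, not code from the PR or from the gitlab.tpl template: ParseTarget, Location and LocationJSON are hypothetical names, the sample Target strings are constructed, and the way the image name is derived here is a simplification that does not reproduce the real template's image handling.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Location mirrors the vulnerabilities[].location object of the GitLab
// container-scanning report (only the two fields relevant here; the
// dependency object from the sample report is omitted).
type Location struct {
	OperatingSystem string `json:"operating_system"`
	Image           string `json:"image"`
}

// ParseTarget applies the PR's rule to a Trivy result Target string: if the
// Target contains "(", the text inside the parentheses is the operating
// system and the text before it is the image; otherwise the operating
// system keeps the template's previous default of "Unknown". Deriving the
// image from the text before "(" is an assumption made for this example.
func ParseTarget(target string) Location {
	loc := Location{OperatingSystem: "Unknown", Image: strings.TrimSpace(target)}
	open := strings.Index(target, "(")
	if open < 0 {
		return loc // no OS in Target, e.g. an image built FROM scratch
	}
	loc.Image = strings.TrimSpace(target[:open])
	rest := target[open+1:]
	if end := strings.Index(rest, ")"); end >= 0 {
		rest = rest[:end]
	}
	// Empty parentheses still fall back to "Unknown" rather than "".
	if osName := strings.TrimSpace(rest); osName != "" {
		loc.OperatingSystem = osName
	}
	return loc
}

// LocationJSON renders the location object as indented JSON, the shape the
// GitLab report uses.
func LocationJSON(target string) (string, error) {
	b, err := json.MarshalIndent(ParseTarget(target), "", "  ")
	if err != nil {
		return "", err
	}
	return string(b), nil
}

func main() {
	// Constructed sample Targets: an OS-bearing image and a scratch-based one.
	for _, target := range []string{
		"alpine:3.10.2 (alpine 3.10.2)",
		"anchore/syft:v0.20.0",
	} {
		out, err := LocationJSON(target)
		if err != nil {
			panic(err)
		}
		fmt.Printf("Target %q ->\n%s\n", target, out)
	}
}
```

The second sample Target stands in for the FROM scratch case: with no "(" present the function never touches the default, which is the behaviour the missing test would need to assert on.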
