feat(azure): add support for azurelinux OVAL

[tofay]

As part of aquasecurity/trivy#6673, add support for reading the azure linux 3.0 OVAL which resides alongside the cbl-mariner 1.0 and 2.0 OVAL.

I thought it sensible to use the same package in this repo for mariner and azure linux since the OVAL parsing is the same for both.

[knqyf263]

Thanks for your contribution! While it looks good, we also need to update trivy-db before merging this PR. Otherwise, it also inserts Azure Linux 3.0 into trivy-db as CBL-Mariner 3.0.

[tofay]

It sounds like separating mariner and azure info in the vuln-list directory will make compatibility between the trivy repos simpler, and potentially allow easier removal of CBL-Mariner in future when 2.0 is EOL?

[tofay]

I've done that separation now, but happy to revert and update trivy-db to rename mariner/3.0 to azurelinux if you prefer that approach.

[knqyf263]

It sounds like separating mariner and azure info in the vuln-list directory will make compatibility between the trivy repos simpler, and potentially allow easier removal of CBL-Mariner in future when 2.0 is EOL?

Sounds like a plan.

[DmitriyLewen]

Hello @tofay
Thanks for your work.

I left some comments on the refactoring.

I also think we can start using Azure Linux in GH action:

vuln-list-update/.github/workflows/update.yml

Lines 86 to 88 in 80e370d

	- if: always()
	name: CBL-Mariner Vulnerability Data
	run: ./scripts/update.sh mariner "CBL-Mariner Vulnerability Data"

[DmitriyLewen]

LGTM

@knqyf263 take a look, when you have time, please.

[knqyf263]

Sorry to be late. We're now targeting this support for v0.54.0. I'll review it shortly.
aquasecurity/trivy#6673