feat: add denylist to sbom verifier

[susanshi]

Description

What this PR does / why we need it:

• Add deny license and deny package properties to existing SBOM verifier

• License check is based on string matching, if licenseconcluded contains license from deny list, then the violation is returned in extension data of the verifier report
• Packages are matched on package name and package version, if no package version is provided, then all packages with this name is denied.

• Add e2e Cli test

Next PR: adding documentation and cluster E2E tests

Which issue(s) this PR fixes (optional, using fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when the PR gets merged):

Fixes #1095

Type of change

Please delete options that are not relevant.

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Helm Chart Change (any edit/addition/update that is necessary for changes merged to the main branch)
• This change requires a documentation update

How Has This Been Tested?

Please describe the tests that you ran to verify your changes. Please also list any relevant details for your test configuration

• Covered by e2e and unit test

Sample verification response based on denied license of MIT and GPL2.0
{
"subject": "huishwabbit1.azurecr.io/sbom@sha256:6fe8f00273c1acfee907e0674ffe33b5bf0a50f09a97bafeb0abdcb53904f766",
"isSuccess": false,
"name": "sbom",
"message": "SBOM validation failed.",
"extensions": {
"creationInfo": {
"created": "2023-11-29T01:44:41Z",
"creators": [
"Organization: Anchore, Inc",
"Tool: syft-0.76.0"
],
"licenseListVersion": "3.20"
},
"licenseViolation": [
{
"License": "GPL-2.0-only",
"Name": "alpine-baselayout",
"Version": "3.4.0-r0"
},
{
"License": "GPL-2.0-only",
"Name": "alpine-baselayout-data",
"Version": "3.4.0-r0"
},
{
"License": "MIT",
"Name": "alpine-keys",
"Version": "2.4-r1"
},
{
"License": "GPL-2.0-only",
"Name": "apk-tools",
"Version": "2.12.10-r1"
},
{
"License": "GPL-2.0-only",
"Name": "busybox",
"Version": "1.35.0-r29"
},
{
"License": "GPL-2.0-only",
"Name": "busybox-binsh",
"Version": "1.35.0-r29"
},
{
"License": "MPL-2.0 AND LicenseRef-AND AND MIT",
"Name": "ca-certificates-bundle",
"Version": "20220614-r4"
},
{
"License": "MIT",
"Name": "musl",
"Version": "1.2.3-r4"
},
{
"License": "MIT AND LicenseRef-AND AND BSD-2-Clause AND LicenseRef-AND AND GPL-2.0-or-later",
"Name": "musl-utils",
"Version": "1.2.3-r4"
},
{
"License": "GPL-2.0-only",
"Name": "scanelf",
"Version": "1.3.5-r1"
},
{
"License": "GPL-2.0-only",
"Name": "ssl_client",
"Version": "1.35.0-r29"
}
]
},
"artifactType": "application/spdx+json"
}
]
}

Checklist:

• Does the affected code have corresponding tests?
• Are the changes documented, not just with inline documentation, but also with conceptual documentation such as an overview of a new feature, or task-based documentation like a tutorial? Consider if this change should be announced on your project blog.
• Does this introduce breaking changes that would require an announcement or bumping the major version?
• Do all new files have appropriate license header?

Post Merge Requirements

• MAINTAINERS: manually trigger the "Publish Package" workflow after merging any PR that indicates Helm Chart Change

[codecov]

Codecov Report

Attention: 14 lines in your changes are missing coverage. Please review.

Comparison is base (3485fc1) 54.46% compared to head (0f170a0) 54.92%.

Files	Patch %	Lines
plugins/verifier/sbom/sbom.go	84.44%	13 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1194      +/-   ##
==========================================
+ Coverage   54.46%   54.92%   +0.46%     
==========================================
  Files         103      104       +1     
  Lines        6696     6780      +84     
==========================================
+ Hits         3647     3724      +77     
- Misses       2722     2728       +6     
- Partials      327      328       +1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[akashsinghal]

Thanks for the PR @susanshi. now that we have added license filtering in the SBOM verifier, do you think we should mark the licensechecker external plugin as deprecated?

[binbin-li]

wonder if you've run Azure tests as well?

[susanshi]

o you think we should mark the licensechecker external plugin as deprecated?

TODO: create an issue to deprecate this

[susanshi]

wonder if you've run Azure tests as well?

Hi @binbin-li , does the Azure test only run on merge to main? Is there a specific concerns this would impact the azure test?

[susanshi]

Hi @binbin-li @junczhu @akashsinghal , i have pushed updates to address the feedback. please review when convenient, thanks!

[susanshi]

licensechecker external plugin as deprecated

issue created at , #1200

[binbin-li]

lgtm

[junczhu]

LGTM

[akashsinghal]

LGTM. I think there's one comment from @junczhu still outstanding?