fix: improve vuln report verifier report messages

[akashsinghal]

Description

What this PR does / why we need it:

• Updates vuln report verifier report message to be more user friendly

Sample Deny List CVE message:

{
      "subject": "artifactstest.azurecr.io/vuln/alpine:3.18.2",
      "isSuccess": false,
      "name": "vulnerabilityreport",
      "message": "Validation failed: found denied CVEs. See extensions field for details.",
      "extensions": {
        "createdAt": "2023-10-13T22:22:50Z",
        "denylistCVEs": [
          "CVE-2022-48174-busybox"
        ],
        "scanner": "grype",
        "cveViolations": [
          "cve-2022-48174-busybox"
        ]
      },
      "artifactType": "application/sarif+json"
}

Sample disallowed severity message:

{
      "subject": "artifactstest.azurecr.io/vuln/alpine:3.18.2",
      "isSuccess": false,
      "name": "vulnerabilityreport",
      "message": "Validation failed: found disallowed severities. See extensions field for details.",
      "extensions": {
        "createdAt": "2023-10-13T21:16:58Z",
        "disallowedSeverities": [
          "critical"
        ],
        "scanner": "trivy",
        "severityViolations": {
          "CVE-2022-48174": "critical"
        }
      },
      "artifactType": "application/sarif+json"
}

Which issue(s) this PR fixes (optional, using fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when the PR gets merged):

Fixes #

Type of change

Please delete options that are not relevant.

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Helm Chart Change (any edit/addition/update that is necessary for changes merged to the main branch)
• This change requires a documentation update

How Has This Been Tested?

Please describe the tests that you ran to verify your changes. Please also list any relevant details for your test configuration

• Test A
• Test B

Checklist:

• Does the affected code have corresponding tests?
• Are the changes documented, not just with inline documentation, but also with conceptual documentation such as an overview of a new feature, or task-based documentation like a tutorial? Consider if this change should be announced on your project blog.
• Does this introduce breaking changes that would require an announcement or bumping the major version?
• Do all new files have appropriate license header?

Post Merge Requirements

• MAINTAINERS: manually trigger the "Publish Package" workflow after merging any PR that indicates Helm Chart Change

[codecov]

Codecov Report

Attention: 3 lines in your changes are missing coverage. Please review.

Comparison is base (23b143d) 61.43% compared to head (c7a8739) 61.44%.

Files	Patch %	Lines
...rifier/vulnerabilityreport/vulnerability_report.go	89.28%	3 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1238      +/-   ##
==========================================
+ Coverage   61.43%   61.44%   +0.01%     
==========================================
  Files          97       97              
  Lines        6179     6181       +2     
==========================================
+ Hits         3796     3798       +2     
  Misses       2051     2051              
  Partials      332      332              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[yizha1]

@akashsinghal

My proposals for the message:

1. Validation failed: found denied CVEs. See extensions field for details.
2. Validation failed: found disallowed severities. See extensions field for details.

One more comment about the name of the field

Maybe we can also align the name between violatingCVEs and severityViolations. Either name both of them as violations or separately cveViolations and severityViolations

[akashsinghal]

@yizha1 thanks for the suggestions. I have incorporated the message exactly as you had suggested. I've updated the sample outputs in the description of the PR. Please take a look when you have a chance. Thanks.

[susanshi]

LGTM. thanks