fix(aqua-csp): Write report without vulnerability items

[danielpacak]

The Vulnerability CRD has schema validation which does not
allow persising null vulnerability items. It has to be an
empty array.

Signed-off-by: Daniel Pacak [email protected]

[codecov]

Codecov Report

❗ No coverage uploaded for pull request base (master@a22ba3d). Click here to learn what that means.
The diff coverage is 100.00%.

@@            Coverage Diff            @@
##             master       #9   +/-   ##
=========================================
  Coverage          ?   29.54%           
=========================================
  Files             ?        2           
  Lines             ?      176           
  Branches          ?        0           
=========================================
  Hits              ?       52           
  Misses            ?      123           
  Partials          ?        1           

Impacted Files	Coverage Δ
pkg/scanner/vulnerability/aqua/converter.go	78.78% <100.00%> (ø)
pkg/scanner/vulnerability/aqua/scanner.go	0.00% <0.00%> (ø)

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update a22ba3d...da32262. Read the comment docs.

[lizrice]

lgtm! two little comments for your consideration

[lizrice]

Nit (which you are welcome to ignore!) - personally I marginally prefer simple declaration rather than zero-length make for slices, because it's one fewer allocation. That is absolutely negligible here so really not important!

[danielpacak]

Yes. I agree. I did that only for the side effect of JSON encoder, i.e. to serialize vulnerabilities property to [] instead of null. Otherwise OpenAPI schema validation that we have for vulnerabilities.aquasecurity.github.io would fail.

[lizrice]

Is it possible to get a report with some resources, but no vulnerabilities for those resources?

[danielpacak]

I believe it's not possible because we do not pass the --full-output flag to the scannercli scan command. However, we do ignore Negligible vulnerabilities, because we do not have such qualitative severity in the vulnerabilities CRD.