fix(cli): secret scanning perf link fix

[Moulick]

Description

Fixes the URL in the logs of the scanner

Related issues

• Close Incorrect URL in log for recommendation for faster secret detection #2606

Before

2022-07-27T18:57:49.498+0530	INFO	Vulnerability scanning is enabled
2022-07-27T18:57:49.498+0530	INFO	Secret scanning is enabled
2022-07-27T18:57:49.498+0530	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-07-27T18:57:49.498+0530	INFO	Please see also https://aquasecurity.github.io/trivy/0.30.4/docs/secret/scanning/#recommendation for faster secret detection

After

2022-07-27T18:57:49.498+0530	INFO	Vulnerability scanning is enabled
2022-07-27T18:57:49.498+0530	INFO	Secret scanning is enabled
2022-07-27T18:57:49.498+0530	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-07-27T18:57:49.498+0530	INFO	Please see also https://aquasecurity.github.io/trivy/v0.30.4/docs/secret/scanning/#recommendation for faster secret detection

Checklist

• I've read the guidelines for contributing to this repository.
• I've followed the conventions in the PR title.
• I've included a "before" and "after" example to the description (if the PR is a user interface change).

[CLAassistant]

All committers have signed the CLA.

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[knqyf263]

Hmm. We fixed it before.
#2422

@DmitriyLewen Could you look into what causes?

[Moulick]

My first thought was to add an if-else like

ver := fmt.Sprintf("v%s", opt.AppVersion)
if opt.AppVersion == "dev" {
  ver = opt.AppVersion
  }

which is like essentially reverting #2422

There are three sources of the version I see

1. If you simply do go build ./cmd/trivy, It defaults to dev. This produces a correct URL for dev.
2. If you do make build, make take the version from VERSION := $(shell git describe --tags --always), but this also creates an incorrect URL as this returns eg v0.30.4-3-g4be15455
3. If the build is produced by goreleaser, it strips the v and hence URL is broken

Currently, I have fixed it for goreleaser, I can also fix it for makefile

[DmitriyLewen]

Hello @knqyf263
we have 2 cases:

1. binaries built with goreleaser don't have v prefix:

➜  29.1 ./trivy -v
Version: 0.29.1

2. binaries built with make build have v prefix(looks like in #2422 used this case):

➜  git checkout v0.29.1
Note: switching to 'v0.29.1'.
...
➜  make build
go build -ldflags "-s -w -X=main.version=v0.29.1" ./cmd/trivy
➜  ./trivy -v
Version: v0.29.1

I think we need to create same logic for both cases:
add v prefix to goreleaser (as @Moulick did) or remove v prefix from Makefile and return this logic:

ver := fmt.Sprintf("v%s", opt.AppVersion)
if opt.AppVersion == "dev" {
  ver = opt.AppVersion
  }

I think logic of this PR better.

UPD.
I built image with goreleaser. Version number has v prefix.

➜  ./trivy -v
Version: v0.30.4-SNAPSHOT-4be15455

[knqyf263]

Version: v0.29.1

It's no big deal, but it looks weird to me. v means version,so it is like Version: version 0.29.1.

What if we remove v here?

trivy/Makefile

Line 1 in c2a7ad5

VERSION := $(shell git describe --tags --always)

[knqyf263]

And add v of course.

add v prefix to goreleaser (as @Moulick did) or remove v prefix from Makefile and return this logic:

[Moulick]

Version: v0.29.1

It's no big deal, but it looks weird to me. v means version,so it is like Version: version 0.29.1.

What if we remove v here?

trivy/Makefile

Line 1 in c2a7ad5

VERSION := $(shell git describe --tags --always)

Yes, doable. The documentation links will need to be updated to remove the v as well.

[knqyf263]

@Moulick Could you fix it as below?

1. Remove v here.
   

   trivy/Makefile

   Line 1 in c2a7ad5

   VERSION := $(shell git describe --tags --always)

2. Add v here as Dmitriy suggested, considering dev.
   

   trivy/pkg/commands/artifact/run.go

   Line 471 in e393ce1

   log.Logger.Infof("Please see also https://aquasecurity.github.io/trivy/%s/docs/secret/scanning/#recommendation for faster secret detection", opts.AppVersion)

[Moulick]

Should work as expected now.

[knqyf263]

@Moulick Thanks for your great contribution and patience!

[Moulick]

@knqyf263 I'd be curious about the comment I added above 🤔.

[knqyf263]

Which comment?

[Moulick]

I had added a review comment, I suppose GitHub did not send a notification. Attached a screenshot in case it's not visible for some reason 😅

[knqyf263]

aquasecurity/go-version is already used directly, while hashicorp/go-version is an indirect dependency. Also, we can easily modify that library as it is maintained by us.