Trusty: Support blocking PRs through reviews #3392
Conversation
I don't have anything against it, but I'll click "request changes" in case someone decides to merge it before we resolve the comment 👍
Action: pr_actions.ActionSummary,
Action: pr_actions.ActionReviewPr,
Block: map[string]bool{
    "malicious": true,
Isn't it safer if we invert this and don't rely on initialising the bool with true?
Also I think we can even delete this option in the Review action. I mean turning it on kind of overlaps with the other actions and if someone doesn't want Minder to block the PR, they can use some of them, right?
I think this is how the vulnerability/OSV rule works like, right?
Ah so the idea is that this option is for the review action. In addition to malicious, we will have another entry to block (or not) when deprecated packages are found. This will let users control when they want to block or just get feedback from minder separately for those two specific dependency types.
Also note that this is initializing missing map entries from the default settings here.
I'm actually fine with this config granularity @rdimitrov . The way I read it the action tells you the "what" to do with the PR and the "block" tells you which of the attributes to take into account when deciding whether to block. And I also think all of them should be on by default.
Ah, thanks for flipping the setting! 😃 Yeah, my motivation was to keep vulncheck and trusty behaviour similar, but I agree on the functionality of this + we'll be refactoring that part so we might as well make it available for all PR related Minder actions not just Trusty.
A test with a malicious package went fine. As discussed with @puerco it would be nice to display a list of alternatives to the user also when flagging a malicious package, but this can be done in a separate PR.
This commit adds to minder the capability to request changes in PRs when minder finds something odd using trusty data. We now also introduce a new setting to disable blocking on malicious deps (all power to the users, but why would you want that?!). Signed-off-by: Adolfo García Veytia (puerco) <puerco@stacklok.com>
In the rush to write this yesterday I noticed that the configuration flags I added didn't match those in the PRD. I rewrote the logic to rename the options and to make them configurable per ecosystem. @rdimitrov you'll be glad to see that the logic of the blocking flags is now flipped :) This is the config block now, note that with the last push it is now configurable per ecosystem:

action: review
ecosystem_config:
  - name: npm
    score: 5
    allow_malicious: false
  - name: pypi
    score: 5
    allow_malicious: false
  - name: go
    score: 5
    allow_malicious: false

See mindersec/minder-rules-and-profiles#116 for the updated rule config
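To make the semantics of that config concrete, here is an added Go sketch (not Minder's own code; the type and function names are assumed) that evaluates the per-ecosystem entries against constructed Trusty results, filling in ecosystems missing from the config from a strict default entry, as discussed in the review comments above.

```go
package main

import "fmt"

// EcosystemConfig mirrors one entry of the ecosystem_config list in the PR;
// Dependency is a constructed view of what Trusty reports for one package.
type EcosystemConfig struct {
	Name           string
	Score          float64 // minimum Trusty score a dependency must reach
	AllowMalicious bool    // false: a malicious dependency blocks the PR
}
type Dependency struct {
	Name, Ecosystem string
	Score           float64
	Malicious       bool
}

// Finding records why a dependency fails the policy (hypothetical type).
type Finding struct{ Dependency, Reason string }

// defaultConfig fills in ecosystems missing from the rule config, so an
// omitted entry is as strict as the defaults rather than permissive.
var defaultConfig = EcosystemConfig{Score: 5, AllowMalicious: false}

// configFor returns the entry for eco, or the defaults if it is not listed.
func configFor(cfgs []EcosystemConfig, eco string) EcosystemConfig {
	for _, c := range cfgs {
		if c.Name == eco {
			return c
		}
	}
	d := defaultConfig
	d.Name = eco
	return d
}

// Evaluate returns the findings a "review" action would report; a non-empty
// result means the PR gets a "request changes" review.
func Evaluate(cfgs []EcosystemConfig, deps []Dependency) []Finding {
	var out []Finding
	for _, d := range deps {
		c := configFor(cfgs, d.Ecosystem)
		switch {
		case d.Malicious && !c.AllowMalicious:
			out = append(out, Finding{d.Name, "malicious package"})
		case d.Score < c.Score:
			out = append(out, Finding{d.Name, fmt.Sprintf("score %v below %v", d.Score, c.Score)})
		}
	}
	return out
}
```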
Summary
Minder now has the capability to request changes in PRs when it finds something odd based on Trusty dependency data.
This PR also introduces a new setting in the trusty ruletype configuration to disable blocking when malicious deps are detected (all power to the users, but why would you want that?!).
Fixes #3380
Part of #3379