feat: add support for conan.lock file

[DmitriyLewen]

Description

Add support for conan.lock file.
Currently only the default conan lock file name (canon.lock) is supported.

example:

➜ ./trivy -q fs conan.lock 

conan.lock (conanlock)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 0)

┌─────────┬───────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │                          Title                          │
├─────────┼───────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────┤
│ openssl │ CVE-2022-0778 │ HIGH     │ 1.1.1k            │ 1.1.1n, 3.0.2 │ openssl: Infinite loop in BN_mod_sqrt() reachable when  │
│         │               │          │                   │               │ parsing certificates                                    │
│         │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-0778               │
│         ├───────────────┼──────────┤                   ├───────────────┼─────────────────────────────────────────────────────────┤
│         │ CVE-2021-4160 │ MEDIUM   │                   │ 1.1.1m, 3.0.3 │ openssl: Carry propagation bug in the MIPS32 and MIPS64 │
│         │               │          │                   │               │ squaring procedure                                      │
│         │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2021-4160               │
└─────────┴───────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────┘

Related issues

• Close Add support for cpp/conan #2708

Related PRs

• #feat: add parser for canon.lock files go-dep-parser#128
• #feat(glad): add conan trivy-db#240

Checklist

• I've read the guidelines for contributing to this repository.
• I've followed the conventions in the PR title.
• I've added tests that prove my fix is effective or that my feature works.
• I've updated the documentation with the relevant information (if needed).
• I've added usage information (if the PR introduces new options)
• I've included a "before" and "after" example to the description (if the PR is a user interface change).

[afdesk]

why can we just update go-dep-parser? or it's for testing

[DmitriyLewen]

You are right. It is for testing.
So we can see, that Trivy works correctly with these changes.

I will remove replace and update go-dep-parser version after merge #128.
I will also change status to ready for review

[CLAassistant]

All committers have signed the CLA.

[afdesk]

about conan I have only one concern about usecase when a package version is system, because i don't fully understand this moment.

[knqyf263]

about conan I have only one concern about usecase when a package version is system, because i don't fully understand this moment.

Me too. But we cannot detect vulnerabilities properly anyway if the version is system. Let's see how it goes.