
feat(misconf): Add minimum supported version #8637

Open
simar7 opened this issue Mar 28, 2025 · 2 comments

simar7 (Member) commented Mar 28, 2025

Description

Today trivy supports the ability to load any check, regardless of whether or not it has the ability to actually run it. This is the case for those checks where the support for a new service or provider is added.

This leads to situations where an older version of Trivy can download a new check for which it may not have support. In such a case, today we don't evaluate the check and end up skipping it.

Solution

A more optimized approach in such a case would be to add a metadata annotation to the check itself, which could specify the "minimum trivy version" needed to run that particular check. This would then be used by the Trivy CLI to determine if it makes sense for it to load that particular check or not.

Example

An example of this could look like the following (details omitted for brevity):

# METADATA
# title: "Runtime/Default Seccomp profile not set"
# description: "Some description text"
# scope: package
# minimum_trivy_version: v0.60
# schemas:
# - input: schema["kubernetes"]
# related_resources:
# - https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted

In this case a trivy version semantically higher than v0.60 would be able to load this check. As we only introduce new features in a minor release (not a patch), we can omit checking/specifying the patch release version.

@simar7 simar7 added kind/feature Categorizes issue or PR as related to a new feature. scan/misconfiguration Issues relating to misconfiguration scanning labels Mar 28, 2025
@simar7 simar7 added this to the v0.62.0 milestone Mar 28, 2025
@simar7 simar7 self-assigned this Mar 28, 2025
nikpivkin (Contributor) commented:

We discussed this here: aquasecurity/trivy-checks#352. By the way, custom fields should be in the custom field. For example:

# custom:
#   minimum_trivy_version: v0.60

simar7 (Member, Author) commented Apr 3, 2025

> We discussed this here: aquasecurity/trivy-checks#352. By the way, custom fields should be in the custom field. For example:
>
> # custom:
> #   minimum_trivy_version: v0.60

Actually I think this field should be required going forward. That's the only way to ensure that it's specified in new checks, or else we will get into situations where it's not specified.
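As an added example (not trivy's own code, nor the issue author's), the loader-side decision the thread converges on: read minimum_trivy_version from the check's custom metadata block, compare only major.minor against the running Trivy, and treat a missing annotation as a rejection when the field is required. The sample check text, the "#   " child-key indentation and the minorKey/canLoad helpers are assumptions of this example.

```go
package main
import "strconv"
import "strings"

// Constructed sample in the trivy-checks METADATA style; the proposed field sits under
// "custom:" as the thread suggests (assumed layout, not trivy's own metadata parser).
const sampleCheck = "# METADATA\n# title: \"Runtime/Default Seccomp profile not set\"\n# custom:\n" +
	"#   minimum_trivy_version: v0.60\n# schemas:\n#   - input: schema[\"kubernetes\"]\npackage builtin.kubernetes.KSV104\n"

// minimumTrivyVersion returns custom.minimum_trivy_version from the leading comment block, or "".
func minimumTrivyVersion(src string) string {
	inCustom := false
	for _, line := range strings.Split(src, "\n") {
		if !strings.HasPrefix(line, "#") {
			break // the header ends at the first non-comment line
		}
		key := strings.TrimSpace(line[1:])
		if !strings.HasPrefix(line, "#   ") { // top-level key; children sit under "#   "
			inCustom = key == "custom:"
		} else if inCustom && strings.HasPrefix(key, "minimum_trivy_version:") {
			return strings.TrimSpace(strings.TrimPrefix(key, "minimum_trivy_version:"))
		}
	}
	return ""
}

// minorKey maps "v0.60" or "0.60.1" to major*10000+minor (patch ignored, as proposed); ok is false if malformed.
func minorKey(v string) (int, bool) {
	parts := strings.Split(strings.TrimPrefix(v, "v"), ".")
	if len(parts) < 2 {
		return 0, false
	}
	major, err1 := strconv.Atoi(parts[0])
	minor, err2 := strconv.Atoi(parts[1])
	return major*10000 + minor, err1 == nil && err2 == nil
}

// canLoad reports whether Trivy at version running may load the check, plus a note
// explaining the decision; with required set, an unannotated check is rejected.
func canLoad(check, running string, required bool) (bool, string) {
	minVer := minimumTrivyVersion(check)
	if minVer == "" {
		return !required, "no custom.minimum_trivy_version annotation"
	}
	need, ok1 := minorKey(minVer)
	have, ok2 := minorKey(running)
	if !ok1 || !ok2 {
		return false, "malformed version string"
	}
	return have >= need, "check needs trivy " + minVer + ", running " + running
}
```

A top-level minimum_trivy_version outside the custom block is deliberately ignored, so checks written against the first draft of the metadata in this issue would need to be moved under custom before the loader honours them.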
