Add command to scan apk files for vulnerabilities

[luhring]

This builds Grype-based vulnerability scanning directly into wolfictl, enabling the new command:

wolfictl scan <path/to/package.apk>

This is a more accurate means of scanning than the scanning script included in Wolfi, and enables a tight feedback loop for developers working on patching CVEs or adding new packages to the distro.

This implementation also paves the way for more productivity and advisory features, as scan data can be incorporated into advisory discovery and triage workflows.

This is definitely just an initial implementation, and I'm looking forward to usability feedback and suggestions to make it easier to manage CVEs in the distro! 😃

Update (2023-07-13):

• Now shows location where the package was found to indicate where the patch would need to be applied
• CVE and GHSA IDs are now hyperlinked in terminals that support hyperlinking to avoid the need for Googling
• Fixed information is now shown
• Multiple args (i.e. apk file paths) are now accepted

Preview:

$ wolfictl scan ./packages/aarch64/gradle-8-8.2.0-r0.apk
gradle-8-8.2.0-r0.apk
├── 📄 /usr/share/java/gradle/lib/guava-31.1-jre.jar
│       📦 guava 31.1-jre (java-archive)
│           Medium CVE-2023-2976 GHSA-7g45-4rm6-3mm3 fixed in 32.0.0
│
├── 📄 /usr/share/java/gradle/lib/h2-2.1.214.jar
│       📦 h2 2.1.214 (java-archive)
│           High CVE-2022-45868 GHSA-22wj-vf5f-wrvj fixed in 2.2.220
│
└── 📄 /usr/share/java/gradle/lib/plugins/ivy-2.3.0.jar
        📦 ivy 2.3.0 (java-archive)
            High CVE-2022-37866 GHSA-wv7w-rj2x-556x fixed in 2.5.1

[kaniini]

This is utterly amazing

[joshrwolf]

I think I love you