feat: support running detectors

[G-Rath]

This adds experimental support for having the scanner run detectors which are plugins aimed at identifying vulnerabilities through more interactive means than extractors such as by reading config files or making HTTP requests with crafted payloads.

Currently this does not have a lot of tests as only a handful of detectors exist and most are based on very specific situations which cannot be changed without shipping support for custom configuration (which is its own whole thing), but I have managed to at least get one with a positive finding using the weakcredentials/etcshadow detector scanning a custom image.

Also this does not remove the requirement of at least one extractor being enabled and a package found since that too would be a much larger change and with the current pool of detectors available being so limited I don't think it's appropriate to drop that requirement just yet.

Resolves #1969

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 67.61%. Comparing base (95d840a) to head (40f4490).
⚠️ Report is 455 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2021      +/-   ##
==========================================
+ Coverage   67.50%   67.61%   +0.11%     
==========================================
  Files         172      173       +1     
  Lines       16242    16293      +51     
==========================================
+ Hits        10964    11017      +53     
+ Misses       4603     4601       -2     
  Partials      675      675              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[G-Rath]

@another-rex turns out I just completely forgot about configuring the snapshot normalizers for JSON 🤦

I think this is good to go, and probably best to land as-is so it can be used, and get things improved in follow up, specifically:

• supporting it in more output formats
• reusing the detector building, in particular trying to leverage list.DetectorsFromName()
  • (I've started looking into this but frankly InitMap has been giving me a headache and I'm thinking it might be easier to tackle once we've refactored extractors in a similar manner per our convo the other day)

[G-Rath]

hmm so the failures on Windows are from detectors such as weakcreds/filesystem in the container tests, which is interesting as that detector should only run on a running Linux system which we're not in - I think this is because we are not actually doing any filtering and scalibr only applies its filtering in some situations? But I think it would be good to get a review and check-in from you either way so I'll wait to hear from you before digging deeper

[another-rex]

To make the detector presets more useful, I think we need to do the capabilities filtering ourselves on OSV-Scanner's side, and auto-disable detectors that have requirements that doesn't match.

I'm a bit confused on the windows specific errors, since for container scanning we should be scanning a linux system, even on windows, so I'm not sure why there are those errors appearing.

[another-rex]

We can probably invert some of these if statements

[another-rex]

I'm surprised this is running at all, since in ValidatePluginRequirements in scalibr it should fail if we are running some of these extractors on containers.

[another-rex]

Oh, ScanContainer is not checking for capabilities... that's not intended I believe.

[another-rex]

*and we are also not passing in any capabilities