Add agentless-scanner software

[0intro]

What does this PR do?

This change adds the agentless-scanner software.

The agentless-scanner fetches software package data from cloud resources, which is forwarded to Datadog for vulnerability scans.

The cmd/agentless-scanner and pkg/agentless code is based on the jinroh/side-scanner branch.

Motivation

Additional Notes

Possible Drawbacks / Trade-offs

Describe how to test/QA your changes

[pr-commenter]

Bloop Bleep... Dogbot Here

Regression Detector Results

Run ID: 3c1210c8-6fdc-4859-a10a-9cf9db0ff617
Baseline: 9923959
Comparison: 6d17889

Performance changes are noted in the perf column of each table:

• ✅ = significantly better comparison variant performance
• ❌ = significantly worse comparison variant performance
• ➖ = no significant change in performance

No significant changes in experiment optimization goals

Confidence level: 90.00%
Effect size tolerance: |Δ mean %| ≥ 5.00%

There were no significant changes in experiment optimization goals at this confidence level and effect size tolerance.

Experiments ignored for regressions

Regressions in experiments with settings containing erratic: true are ignored.

perf	experiment	goal	Δ mean %	Δ mean % CI
➖	file_to_blackhole	% cpu utilization	+0.64	[-5.96, +7.25]

Fine details of change detection per experiment

perf	experiment	goal	Δ mean %	Δ mean % CI
➖	basic_py_check	% cpu utilization	+1.36	[-0.90, +3.63]
➖	file_to_blackhole	% cpu utilization	+0.64	[-5.96, +7.25]
➖	tcp_syslog_to_blackhole	ingress throughput	+0.05	[-0.01, +0.10]
➖	trace_agent_json	ingress throughput	+0.01	[-0.02, +0.03]
➖	trace_agent_msgpack	ingress throughput	+0.01	[-0.01, +0.02]
➖	tcp_dd_logs_filter_exclude	ingress throughput	+0.00	[-0.00, +0.00]
➖	uds_dogstatsd_to_api	ingress throughput	-0.00	[-0.00, +0.00]
➖	otel_to_otel_logs	ingress throughput	-0.09	[-0.72, +0.54]
➖	process_agent_standard_check_with_stats	memory utilization	-0.13	[-0.16, -0.09]
➖	file_tree	memory utilization	-0.18	[-0.25, -0.10]
➖	idle	memory utilization	-0.25	[-0.29, -0.22]
➖	process_agent_standard_check	memory utilization	-0.65	[-0.68, -0.61]
➖	process_agent_real_time_mode	memory utilization	-0.66	[-0.70, -0.63]
➖	uds_dogstatsd_to_api_cpu	% cpu utilization	-0.79	[-2.21, +0.64]

Explanation

A regression test is an A/B test of target performance in a repeatable rig, where "performance" is measured as "comparison variant minus baseline variant" for an optimization goal (e.g., ingress throughput). Due to intrinsic variability in measuring that goal, we can only estimate its mean value for each experiment; we report uncertainty in that value as a 90.00% confidence interval denoted "Δ mean % CI".

For each experiment, we decide whether a change in performance is a "regression" -- a change worth investigating further -- if all of the following criteria are true:

1. Its estimated |Δ mean %| ≥ 5.00%, indicating the change is big enough to merit a closer look.

2. Its 90.00% confidence interval "Δ mean % CI" does not contain zero, indicating that if our statistical model is accurate, there is at least a 90.00% chance there is a difference in performance between baseline and comparison variants.

3. Its configuration does not mark it "erratic".

[cswatt]

Suggested change

	Introduce the agentless-scanner.
	Introduce the Agentless scanner.

[0intro]

Done.

[chouquette]

LGTM for the only agent-platform/barx owned file

[0intro]

Hi @DataDog/documentation.
I've updated the release notes to add a description of the agentless-scanner. Could you please take another look and let me know if it looks good to you?
Thanks.

[hush-hush]

We usually try to have only the CLI in cmd folder and the core logic for the product in comp if it has a state or pkg if it's pure helpers functions.
Could we split the agentless to follow this pattern ?

[0intro]

I've moved the agentless packages to the pkg/agentless directory.

[hush-hush]

You seems to have internal state which point toward comp folder instead. We aim for the pkg folder to be stateless at some point.

[0intro]

Which internal state are you referring to?

[hush-hush]

The configuration need to be setup/loaded correctly before being used. We also deprecated using the config package directly in favor of the component project (see comp folder`).
If you reuse existing code you should migrate the agentless logic to component. ASC team is happy to help with this.

[0intro]

We already use components for log and config.
See https://github.com/DataDog/datadog-agent/pull/23484/files#diff-b8a0f435748d226bbe4ceef46dc31888a5553823587d0ce1190d51f246ae65e8R68

[ogaca-dd]

Note: In this case it should be easy to use config.Component instead of pkgconfig.Datadog.

[0intro]

Done.

[hush-hush]

Same for log, is needs to be setup/configured correctly before being use (to take into account the configuration). Using component will also solve this for you.

[0intro]

We already use components for log and config.
See https://github.com/DataDog/datadog-agent/pull/23484/files#diff-b8a0f435748d226bbe4ceef46dc31888a5553823587d0ce1190d51f246ae65e8R68

[0intro]

Done.

[hush-hush]

Also, side question: this looks like a code import from another repo (8k new lines in a single commit).

If' it's the case, could we keep the code history from the original repo ?

[0intro]

Also, side question: this looks like a code import from another repo (8k new lines in a single commit).

If' it's the case, could we keep the code history from the original repo ?

This is an import from the following branch: jinroh/side-scanner (based on 7.51.x branch).

I'd love to import the commit history into this PR (or rather a cleaned-up history), however it will be unfortunately squashed into a single commit by the now mandatory /merge command.

Of course, we plan to keep the development history in a branch called ducolombier/agentless-scanner-7.51 or something like that.

[hush-hush]

Also, side question: this looks like a code import from another repo (8k new lines in a single commit).
If' it's the case, could we keep the code history from the original repo ?

This is an import from the following branch: jinroh/side-scanner (based on 7.51.x branch).

I'd love to import the commit history into this PR (or rather a cleaned-up history), however it will be unfortunately squashed into a single commit by the now mandatory /merge command.

Of course, we plan to keep the keep the developement history in a branch called ducolombier/agentless-scanner-7.51 or something like that.

You can use /merge -c rebase to use the merge queue with a rebase strategy.

[0intro]

I'd like to clarify that the agentless-scanner command is a bit different than the other existing commands, because it's autonomous and very independent from the rest of the agent:

• It only depends on the config, log and remoteconfig components from the agent.
• It's packaged independently from the other commands, in its own datadog-agentless-scanner RPM or DEB package.
• Technically, it could live in its own repository, but we chose to integrate into the datadog-agent repository, so we could reuse the existing CI and release management process.

[cit-pr-commenter]

Go Package Import Differences

This comment was omitted because it was over 65,536 characters. Please check the Gitlab Job logs to see its output.