
Implement OpenScanHub initial reporting #2543

Open
5 tasks
Tracked by #2516
lbarcziova opened this issue Sep 24, 2024 · 6 comments
Labels
area/user-experience Usability issue complexity/single-task Regular task, should be done within days. gain/high This brings a lot of value to (not strictly a lot of) users. impact/low This issue impacts only a few users. kind/feature New feature or a request for enhancement.

Comments

@lbarcziova
Member

lbarcziova commented Sep 24, 2024

  • in fedmsg repo, process the messages about OSH task states (see hub: add support for fedora messaging openscanhub/openscanhub#299 )
  • create new event class for that and implement parsing of these
  • create a model for a scan
  • store the task in the DB somewhere here and instead of successful status there, report in-progress
  • create a handler to report the results for the new event
    • obtain the task in our DB, update the state and report it to user
    • for now, just forward the URLs from the message (=> no additional processing)
    • take into consideration Add configurations for CI to fail on OSH scan failures and new findings #2515
    • by default don't fail the CI, have a look also into action_required conclusion from here, whether that could be used, or use neutral/successful
    • report neutral status for failed, cancelled or interrupted builds

Part of #2516

@siteshwar
Contributor

  • by default don't fail the CI, have a look also into action_required conclusion from here, whether that could be used, or use neutral/successful
  • report neutral status for failed, cancelled or interrupted builds

Please also see Code scanning results check failures.

@mfocko mfocko added kind/feature New feature or a request for enhancement. complexity/single-task Regular task, should be done within days. impact/low This issue impacts only a few users. gain/high This brings a lot of value to (not strictly a lot of) users. area/user-experience Usability issue labels Sep 26, 2024
@siteshwar
Contributor

siteshwar commented Oct 3, 2024

by default don't fail the CI, have a look also into action_required conclusion from here, whether that could be used, or use neutral/successful

If you want to find out if new findings were detected, follow these steps:

  • Download the added.js file.
  • Run csgrep added.js and check if output is non-empty.
  • If output is non-empty, it means there were new findings by the analyzers. Set the CI to action required state.
  • Otherwise pass the CI.

EDIT: @kdudka Is there any other way to count number of findings in the reports?

@kdudka

kdudka commented Oct 3, 2024

@siteshwar For simple scans, we can check whether the scan-results-summary.txt file is empty or not. Unfortunately, for differential scans, we do not provide such a file that would summarize the added.* results. We can still check whether added.err is empty or not.
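Putting the two rules from this thread together (the neutral status for failed, cancelled or interrupted tasks from the task list above, and the empty-report check suggested in the previous comment), here is an added Python example; it is not code from Packit or OpenScanHub, and the message field names and state strings it uses are assumptions, since the fedora-messaging schema is not shown in this issue.

```python
"""Decide the CI check state for an OpenScanHub task-state message.

Rules collected from the issue discussion:
  * failed / cancelled / interrupted task -> "neutral"
  * finished simple scan: scan-results-summary.txt empty -> "success"
  * finished differential scan: added.err empty -> "success"
  * any findings -> "action_required" (or "failure" when the project opts in,
    the configuration discussed in #2515)
Field names (task_state, differential) and the state strings are assumptions;
the real fedora-messaging message schema is not shown in the issue.
"""
from dataclasses import dataclass

# Task states that should never turn the check red (assumed spelling of the states).
NEUTRAL_STATES = {"failed", "cancelled", "interrupted"}


@dataclass
class ScanResult:
    task_state: str          # e.g. "finished", "failed" (assumed field name)
    differential: bool       # True when the task compared two builds (assumed)
    summary: str = ""        # contents of scan-results-summary.txt (simple scans)
    added_err: str = ""      # contents of added.err (differential scans)


def has_findings(result: ScanResult) -> bool:
    """True when the relevant report file is non-empty (ignoring whitespace)."""
    report = result.added_err if result.differential else result.summary
    return bool(report.strip())


def check_state(result: ScanResult, fail_ci: bool = False) -> str:
    """Map a task message to the check state to report to the user.

    Returns "in_progress" while the task is still running, otherwise one of
    the conclusions "neutral", "success", "action_required" or "failure".
    """
    state = result.task_state.lower()
    if state in NEUTRAL_STATES:
        return "neutral"
    if state != "finished":
        return "in_progress"
    if not has_findings(result):
        return "success"
    return "failure" if fail_ci else "action_required"


# Constructed sample: a differential scan whose added.err lists one new defect.
SAMPLE_ADDED_ERR = "Error: UNINIT (CWE-457):\nsrc/main.c:42: uninit_use: Using uninitialized value \"buf\".\n"
```
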

@siteshwar
Contributor

And just to keep everybody in sync. The messages from OpenScanHub can be seen through:

fedora-messaging --conf /etc/fedora-messaging/fedora.toml consume --routing-key "org.fedoraproject.prod.openscanhub.task.*"

@kdudka

kdudka commented Oct 4, 2024

@siteshwar I can see that the URLs provided in Body: of messages about finished scans use the http:// scheme instead of https://. Consequently the scan results URLs, when used directly, return 302 Found instead of the real data.

@kdudka

kdudka commented Oct 4, 2024

The problem may actually be more generic. I got an e-mail notification and the task URL also contained http:// URL. Something must be misconfigured in the Fedora deployment because the internal OSH instances use https:// URLs.
