feat(sca): add conan (C++) ecosystem

[salolivares]

This PR adds the Conan C++ package manager to the ecosystem type.

• I ran make setup && make to update the generated code after editing a .atd file (TODO: have a CI check)
• I made sure we're still backward compatible with old versions of the CLI.
  For example, the Semgrep backend need to still be able to consume data generated
  by Semgrep 1.17.0.
  See https://atd.readthedocs.io/en/latest/atdgen-tutorial.html#smooth-protocol-upgrades

[github-actions]

Backwards compatibility summary:

Checking backward compatibility of semgrep_output_v1.atd against past version v1.49.0
Skipping v1.50.0 because commit 857682f41eb09e0b330a247ff1adf3bfeaf9d9ca has already been checked
Checking backward compatibility of semgrep_output_v1.atd against past version v1.52.0
Checking backward compatibility of semgrep_output_v1.atd against past version v1.53.0
Skipping v1.54.0 because commit 3b72d494260258497e796d094b1a4916501a6df1 has already been checked
Skipping v1.54.1 because commit 3b72d494260258497e796d094b1a4916501a6df1 has already been checked
Checking backward compatibility of semgrep_output_v1.atd against past version v1.54.2
Skipping v1.54.3 because commit 9f1c50383a9a9969e2fe7a5f9bff9ca0a7c837bb has already been checked
Checking backward compatibility of semgrep_output_v1.atd against past version v1.55.0
Skipping v1.55.1 because commit 6dffeaa692153fd33b4f154fddaefde1f2f1ae27 has already been checked
Skipping v1.55.2 because commit 6dffeaa692153fd33b4f154fddaefde1f2f1ae27 has already been checked
Checking backward compatibility of semgrep_output_v1.atd against past version v1.56.0
Checking backward compatibility of semgrep_output_v1.atd against past version v1.57.0
Skipping v1.58.0 because commit 4cc11b00d411c02fc611aa8c78a336520438fb48 has already been checked
Checking backward compatibility of semgrep_output_v1.atd against past version v1.59.0
Checking backward compatibility of semgrep_output_v1.atd against past version v1.59.1
Checking backward compatibility of semgrep_output_v1.atd against past version v1.60.0
Skipping v1.60.1 because commit eed58a091fd7d19e402a6d4cf2d287e137215d03 has already been checked
Checking backward compatibility of semgrep_output_v1.atd against past version v1.61.0
Skipping v1.61.1 because commit bbfd1c5b91bd411bceffc3de73f5f0b37f04433d has already been checked
Skipping v1.62.0 because commit bbfd1c5b91bd411bceffc3de73f5f0b37f04433d has already been checked
Checking backward compatibility of semgrep_output_v1.atd against past version v1.63.0
Checking backward compatibility of semgrep_output_v1.atd against past version v1.64.0
Checking backward compatibility of semgrep_output_v1.atd against past version v1.65.0
Skipping v1.66.0 because commit 3e7bbafa2b7e722d893303a7fb90a83dab6737a7 has already been checked
Checking backward compatibility of semgrep_output_v1.atd against past version v1.66.1
Skipping v1.66.2 because commit 215a54782174de84f97188632b4a37e35ba0f827 has already been checked
Checking backward compatibility of semgrep_output_v1.atd against past version v1.67.0
Checking backward compatibility of semgrep_output_v1.atd against past version v1.68.0
Skipping v1.69.0 because commit d5b91fa4f6a03240db31e9bbbc5376a99bc8eeea has already been checked
Checking backward compatibility of semgrep_output_v1.atd against past version v1.70.0
Checking backward compatibility of semgrep_output_v1.atd against past version v1.71.0
Skipping v1.72.0 because commit 75abf193687b84ab341d8267d865ad68d81a89c9 has already been checked
Checking backward compatibility of semgrep_output_v1.atd against past version v1.73.0
Skipping v1.74.0 because commit 9f38254957c50c68ea402eebae0f7aa40dd01cbf has already been checked
Checking backward compatibility of semgrep_output_v1.atd against past version v1.75.0
Skipping v1.76.0 because commit 9102031608aa4154e1c37f557550ec4eabc8780c has already been checked
Checking backward compatibility of semgrep_output_v1.atd against past version v1.77.0
Skipping v1.78.0 because commit dcb5d77b420ddee61f58aadd3c2c7aef38778154 has already been checked
Checking backward compatibility of semgrep_output_v1.atd against past version v1.79.0
Checking backward compatibility of semgrep_output_v1.atd against past version v1.80.0
Checking backward compatibility of semgrep_output_v1.atd against past version v1.81.0
Skipping v1.82.0 because commit 9e0f3bec26b07b4fb6753a32cb75277f45f2572c has already been checked
Skipping v1.83.0 because commit 9e0f3bec26b07b4fb6753a32cb75277f45f2572c has already been checked
Checking backward compatibility of semgrep_output_v1.atd against past version v1.84.0
Skipping v1.84.1 because commit 3daef49297ada205359cc1d2996354c94b628b0d has already been checked
Checking backward compatibility of semgrep_output_v1.atd against past version v1.85.0
Checking backward compatibility of semgrep_output_v1.atd against past version v1.86.0
Checking backward compatibility of semgrep_output_v1.atd against past version v1.87.0
Skipping v1.88.0 because commit 512c0bd97db59c48a5705b2741662a338776e438 has already been checked
Skipping v1.89.0 because commit 512c0bd97db59c48a5705b2741662a338776e438 has already been checked
Checking backward compatibility of semgrep_output_v1.atd against past version v1.90.0
Checking backward compatibility of semgrep_output_v1.atd against past version v1.91.0
Skipping v1.92.0 because commit 2351c5e528cb7430422208dc66707894c066b508 has already been checked
Checking backward compatibility of semgrep_output_v1.atd against past version v1.93.0
Checking backward compatibility of semgrep_output_v1.atd against past version v1.94.0
Checking backward compatibility of semgrep_output_v1.atd against past version v1.95.0
Checking backward compatibility of semgrep_output_v1.atd against past version v1.96.0
Checking backward compatibility of semgrep_output_v1.atd against past version v1.97.0

[aaronmichaelacosta]

Assuming you follow the correct steps after making the change, it LGTM

[bkettle]

I wonder if this is the best approach here. It may be, but it also feels slightly awkward because we don't technically support this ecosystem from a SCA rules standpoint yet (and C++ is weird enough that I personally am not super confident that Conan really fits our idea of an "ecosystem").

For package managers that we don't yet support, I wonder if it would make more sense to add an unknown ecoosystem or, probably better, allow ecosystem to be optional in the places where we convert from lockfile kind to ecosystem. What do you think?

[salolivares]

and C++ is weird enough that I personally am not super confident that Conan really fits our idea of an "ecosystem"

This is something I’ve been grappling with as well, and I agree with this sentiment. C++ doesn’t have a single, universally adopted package manager, and introducing conan as an ecosystem sets the expectation that we’ll add other C++ package managers as separate ecosystems. that doesn’t feel like the right approach.

allow ecosystem to be optional in the places where we convert from lockfile kind to ecosystem.

I think this makes a lot of sense and is probably the direction I’ll take. It gives us the flexibility to handle unsupported or edge-case scenarios like this.

That said, we’ll likely need to support C++ package managers in the future, and when that happens, we’ll still need a way to define an overarching ecosystem. Following the Python approach (Pypi), we could introduce something like CPlusPlus to represent the broader ecosystem (assuming ++ isn’t allowed in the type name).

[bkettle]

That said, we’ll likely need to support C++ package managers in the future, and when that happens, we’ll still need a way to define an overarching ecosystem. Following the Python approach (Pypi), we could introduce something like CPlusPlus to represent the broader ecosystem (assuming ++ isn’t allowed in the type name).

Yeah, I think this will require some thought when we get there. It feels odd because while there are different package managers for python, AFAIK they all use the same basic registry definition defined by Python, but that's not the case for C++ (there is no such concept of a registry in the language spec afaik). This sounds reasonable for now and for the general case of unsupported subproject types.

[salolivares]

closing. need a larger discussion on what a C++ ecosystem should look like.