Be able to fail if higher severity CVEs are found than the one specified in clair_output #126

Open
wants to merge 1 commit into
base: master

sudhirpandey

As it stands now, clair will only fail if the number of CVEs found is greater than the threshold, but there is also clairout that shows the CVEs we are interested in.

But we wanted to have a combination of these two. Say we have 4 high ones and 1 critical one (total 5).

If we have set the threshold limit to be 6 and clairout to be high, we were under the impression that it would pass up to 6 high prio CVEs, but if any criticals are observed we don't want to pass that.

So we make sure that if any CVEs are observed beyond that specified in clairout, then the pipeline will fail, no matter whether the threshold is met or not. If higher prio CVEs are not seen, then the threshold would still act to fail or move the pipeline forward.

…threshold limits being plain count of cves starting from clair-output
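
The gating rule described in the pull request description above, as an added Go sketch that is not code from this pull request or from the project. The names `severities`, `rank` and `shouldFail` are hypothetical, the severity list assumes Clair's severity names in ascending order, and the threshold is assumed to count only findings at the configured level, since anything higher has already failed the build.

```go
package main

import "fmt"

// Clair severity names, lowest to highest (ordering assumed for this sketch).
var severities = []string{"Unknown", "Negligible", "Low", "Medium", "High", "Critical", "Defcon1"}

// rank returns the index of sev in severities, or -1 for an unknown name.
func rank(sev string) int {
	for i, s := range severities {
		if s == sev {
			return i
		}
	}
	return -1
}

// shouldFail applies the policy from the PR description (hypothetical helper).
// found maps a severity name to the number of CVEs reported at that severity;
// output is the configured severity level and threshold the allowed count.
func shouldFail(found map[string]int, output string, threshold int) (bool, string) {
	level := rank(output)
	if level < 0 {
		// Fail closed: a mistyped level must not silently disable the gate.
		return true, "unrecognised severity level " + output
	}
	// Any finding above the configured level fails regardless of the threshold.
	for _, sev := range severities[level+1:] {
		if found[sev] > 0 {
			return true, fmt.Sprintf("%d %s CVE(s) above level %s", found[sev], sev, output)
		}
	}
	// Otherwise the threshold is a plain count at the configured level.
	if n := found[output]; n > threshold {
		return true, fmt.Sprintf("%d %s CVE(s) exceed threshold %d", n, output, threshold)
	}
	return false, "within threshold"
}

func main() {
	// Constructed inputs taken from the PR description: threshold 6, level High.
	fmt.Println(shouldFail(map[string]int{"High": 4, "Critical": 1}, "High", 6))
	fmt.Println(shouldFail(map[string]int{"High": 4}, "High", 6))
}
```
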
@hashmap
Contributor

hashmap commented Nov 8, 2018

Thanks for the contribution! It's a valuable addition, but do you think it should be the default behavior? Perhaps we should add a flag which enables it?

@sudhirpandey
Author

Thanks for the feedback. At least I would assume, when setting a threshold on counts and clair_output, that the threshold would apply only to CVEs from clair_output. But we could also make it a switch so that if some users feel like me, they could turn it on.

@hashmap
Contributor

hashmap commented Nov 14, 2018

@sudhirpandey I see your point, actually my domain model is outdated, I was referring to Klar original behavior, it's not true anymore, I just checked it. Thanks!

@hashmap
Contributor

hashmap commented Nov 14, 2018

@sudhirpandey I'm ready to merge it, but GitHub shows that the formatting is odd. Would you mind running gofmt and updating the PR?
