Add support for ECR GetLogin rule and manual-review rules

[aemous]

Description of changes:

• Add general architecture for creating new rules that do not suggest automatic fixes. Instead, these rules flag commands and suggest manual actions to take.
• Add new ECR GetLogin rule, which detects ecr get-login commands. If found, flags them as needing manual review.
• Update existing linting rules for better detection, including replacing brittle string patterns with more complex rules on the abstract syntax tree.
  • As a concrete example of a command that was previously missed but is now captured, aws --debug s3 cp s3://$SRC_BUCKET s3://$DEST_BUCKET. This would have been missed previously due to the --debug flag before the service subcommand, and the use of concatenation with the word s3:// and variable $SRC_BUCKET.
• Modify display_finding to make better use of difflib. Removes unneeded code.
• Add new tests covering the changes described above.

Description of tests:

• Ran and passed all tests.
• Successfully ran manual tests using the linter against test scripts.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 93.33%. Comparing base (c2db7d0) to head (33e490a).
⚠️ Report is 2 commits behind head on upgrade-linting-tool.

Additional details and impacted files

@@                  Coverage Diff                  @@
##           upgrade-linting-tool    #9948   +/-   ##
=====================================================
  Coverage                 93.33%   93.33%           
=====================================================
  Files                       209      209           
  Lines                     16807    16807           
=====================================================
  Hits                      15687    15687           
  Misses                     1120     1120           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[aemous]

Question for reviewer @hssyoo

Current state: We planned to merge the linter to the develop branch. This implies customers of v1 using our GH repo will now see the linter files in their repositories.

What are our thoughts on instead merge the linter to its own separate v1v2-linter branch? This branch could potentially be an orphan branch, which means it has a clean history, and does not branch off of any other branch. Alternatively, it can branch from develop, and then we can delete all CLI v1 related files from the linter branch. This also enabled us to cleanly have GH Actions that run only in the linter branch.

[hssyoo]

Question for reviewer @hssyoo

Current state: We planned to merge the linter to the develop branch. This implies customers of v1 using our GH repo will now see the linter files in their repositories.

What are our thoughts on instead merge the linter to its own separate v1v2-linter branch? This branch could potentially be an orphan branch, which means it has a clean history, and does not branch off of any other branch. Alternatively, it can branch from develop, and then we can delete all CLI v1 related files from the linter branch. This also enabled us to cleanly have GH Actions that run only in the linter branch.

Separate branch sounds good to me. Feel free to run with the option you think makes sense.

[hssyoo]

Looks good, just need to refine the ECR rule. Another bug that was missed in the last PR is that the hidden alias rule appends the alternative the command rather than replacing the hidden alias. eg:

-aws lightsail import-key-pair --key-pair-name mykey --public-key-base-64 c3NoLXJzYQ==
+aws lightsail import-key-pair --key-pair-name mykey --public-key-base-64 c3NoLXJzYQ== --public-key-base64