Closed knqyf263 closed 1 month ago
When scanning a git repository with `trivy repo`, the progress of `git clone` is written to standard output, resulting in a parse error.

```
❯ trivy repository --format cyclonedx --scanners vuln file://. --debug | jq
2024-09-18T15:26:30-07:00 DEBUG Cache dir dir="/Users/patcal04/Library/Caches/trivy"
2024-09-18T15:26:30-07:00 DEBUG Parsed severities severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-09-18T15:26:30-07:00 DEBUG Ignore statuses statuses=[]
2024-09-18T15:26:30-07:00 DEBUG DB update was skipped because the local DB is the latest
2024-09-18T15:26:30-07:00 DEBUG DB info schema=2 updated_at=2024-09-18T18:13:21.187484554Z next_update=2024-09-19T00:13:21.187484163Z downloaded_at=2024-09-18T20:24:17.597058Z
2024-09-18T15:26:30-07:00 INFO Vulnerability scanning is enabled
2024-09-18T15:26:30-07:00 DEBUG Vulnerability type type=[library]
2024-09-18T15:26:30-07:00 DEBUG Enabling misconfiguration scanners scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-09-18T15:26:30-07:00 DEBUG Initializing scan cache... type="memory"
jq: parse error: Invalid numeric literal at line 1, column 12
```

It should be `os.Stderr`. https://github.com/aquasecurity/trivy/blob/dbd2dd60604fbcb5456a864a37d9c1b5a9e6f231/pkg/fanal/artifact/repo/git.go#L131
I can see a way to add a test for this (wrapper around NewArtifact that checks stdout). Is that the expectation? or simply change to stderr?
It would be great if you write a test, but it's not required.
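The failure mode and the "wrapper that checks stdout" test idea above, as an added Go example that is not Trivy's own code. It assumes a stand-in `cloneProgress` that emits the kind of lines git prints during a clone, a stand-in `scanRepo` that writes a minimal JSON report to stdout, and a `captureStdout` helper that swaps `os.Stdout` for a pipe; none of these names exist in the Trivy code base. The point it demonstrates is the one in the report: when clone progress shares the stdout stream with the machine-readable report, the report is no longer parseable, and a regression test can catch that by capturing stdout and attempting to parse it.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"os"
)

// cloneProgress stands in for the go-git clone step (hypothetical, not Trivy's code).
// Real git prints lines like these; the writer parameter alone decides where they land.
func cloneProgress(progress io.Writer) {
	fmt.Fprintln(progress, "Enumerating objects: 120, done.")
	fmt.Fprintln(progress, "Receiving objects: 100% (120/120), done.")
}

// sbom is a minimal stand-in for the CycloneDX document the scanner emits (constructed sample).
type sbom struct {
	BOMFormat   string `json:"bomFormat"`
	SpecVersion string `json:"specVersion"`
}

// scanRepo mimics `trivy repository --format cyclonedx`: clone, then write the report.
// Progress and report destinations are separate parameters so the bug can be reproduced.
func scanRepo(progress io.Writer, report io.Writer) error {
	cloneProgress(progress)
	return json.NewEncoder(report).Encode(sbom{BOMFormat: "CycloneDX", SpecVersion: "1.5"})
}

// captureStdout runs fn with os.Stdout redirected into a pipe and returns everything
// written there. This is the wrapper pattern a regression test could use around the
// artifact constructor: anything captured that is not the report is a bug.
func captureStdout(fn func()) (string, error) {
	r, w, err := os.Pipe()
	if err != nil {
		return "", err
	}
	orig := os.Stdout
	os.Stdout = w
	defer func() { os.Stdout = orig }()

	done := make(chan string)
	go func() {
		var buf bytes.Buffer
		_, _ = io.Copy(&buf, r) // drains until w is closed
		done <- buf.String()
	}()
	fn()
	w.Close()
	out := <-done
	r.Close()
	return out, nil
}

// stdoutParses reports whether what the scan wrote to stdout is valid JSON when
// clone progress is sent to progressTo ("stderr" or "stdout").
func stdoutParses(progressTo string) (bool, error) {
	out, err := captureStdout(func() {
		var progress io.Writer = os.Stderr // the fix: diagnostics go to stderr
		if progressTo == "stdout" {
			progress = os.Stdout // the bug: progress interleaved with the report
		}
		scanRepo(progress, os.Stdout)
	})
	if err != nil {
		return false, err
	}
	var doc sbom
	return json.Unmarshal([]byte(out), &doc) == nil, nil
}

func main() {
	for _, dst := range []string{"stdout", "stderr"} {
		ok, err := stdoutParses(dst)
		if err != nil {
			panic(err)
		}
		fmt.Printf("progress to %s: stdout is valid JSON: %v\n", dst, ok)
	}
}
```

With progress on stdout the captured stream starts with "Enumerating objects", which is exactly what jq rejects as an invalid literal; with progress on stderr the captured stream is the JSON document alone and parses. A test that asserts the parse succeeds (or that captured stdout equals the report byte for byte) would fail on the original code and pass after the change to `os.Stderr`.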
Discussed in https://github.com/aquasecurity/trivy/discussions/7544