1 change: 1 addition & 0 deletions .gitignore
Expand Up @@ -121,3 +121,4 @@ typings/
# Action temporary files
results.sarif
vulnerabilities.json
results.json
1 change: 1 addition & 0 deletions README.md
Expand Up @@ -128,6 +128,7 @@ The inputs `image`, `path`, and `sbom` are mutually exclusive to specify the sou
| `fail-build` | Fail the build if a vulnerability is found with a higher severity. That severity defaults to `medium` and can be set with `severity-cutoff`. | `true` |
| `output-format` | Set the output parameter after successful action execution. Valid choices are `json`, `sarif`, and `table`, where `table` output will print to the console instead of generating a file. | `sarif` |
| `severity-cutoff` | Optionally specify the minimum vulnerability severity to trigger a failure. Valid choices are "negligible", "low", "medium", "high" and "critical". Any vulnerability with a severity less than this value will lead to a "warning" result. Default is "medium". | `medium` |
| `only-fixed` | Specify whether to only report vulnerabilities that have a fix available. | `false` |

### Action Outputs

4 changes: 4 additions & 0 deletions action.yml
Expand Up @@ -25,6 +25,10 @@ inputs:
description: 'Optionally specify the minimum vulnerability severity to trigger an "error" level ACS result. Valid choices are "negligible", "low", "medium", "high" and "critical". Any vulnerability with a severity less than this value will lead to a "warning" result. Default is "medium".'
required: false
default: "medium"
only-fixed:
description: "Specify whether to only report vulnerabilities that have a fix available. Default is false."
required: false
default: "false"
outputs:
sarif:
description: "Path to a SARIF report file for the image"
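Review bot: The `only-fixed` description documents the effect on the report but not on the failure gate, which is the part a user enabling it needs to know. In index.js the value is passed straight through to grype as `--only-fixed`, so vulnerabilities with no available fix are presumably dropped before `--fail-on` is evaluated and no longer count toward `fail-build`/`severity-cutoff`. Suggest `description: "Only report vulnerabilities that have a fix available; unfixed vulnerabilities are then also excluded from the fail-build check. Default is false."`, and the matching README row should say the same.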
9 changes: 8 additions & 1 deletion dist/index.js
Expand Up @@ -103,10 +103,12 @@ async function run() {
const failBuild = core.getInput("fail-build") || "true";
const outputFormat = core.getInput("output-format") || "sarif";
const severityCutoff = core.getInput("severity-cutoff") || "medium";
const onlyFixed = core.getInput("only-fixed") || "false";
const out = await runScan({
source,
failBuild,
severityCutoff,
onlyFixed,
outputFormat,
});
Object.keys(out).map((key) => {
Expand All @@ -117,7 +119,7 @@ async function run() {
}
}

async function runScan({ source, failBuild, severityCutoff, outputFormat }) {
async function runScan({ source, failBuild, severityCutoff, onlyFixed, outputFormat }) {
const out = {};

const env = {
Expand Down Expand Up @@ -147,6 +149,7 @@ async function runScan({ source, failBuild, severityCutoff, outputFormat }) {
}

failBuild = failBuild.toLowerCase() === "true";
onlyFixed = onlyFixed.toLowerCase() === "true";

cmdArgs.push("-o", outputFormat);

Expand Down Expand Up @@ -179,6 +182,7 @@ async function runScan({ source, failBuild, severityCutoff, outputFormat }) {
core.debug("Source: " + source);
core.debug("Fail Build: " + failBuild);
core.debug("Severity Cutoff: " + severityCutoff);
core.debug("Only Fixed: " + onlyFixed);
core.debug("Output Format: " + outputFormat);

core.debug("Creating options for GRYPE analyzer");
Expand All @@ -190,6 +194,9 @@ async function runScan({ source, failBuild, severityCutoff, outputFormat }) {
cmdArgs.push("--fail-on");
cmdArgs.push(severityCutoff.toLowerCase());
}
if (onlyFixed === true) {
cmdArgs.push("--only-fixed");
}
cmdArgs.push(source);

// This /dev/null writable stream is required so the entire Grype output
9 changes: 8 additions & 1 deletion index.js
Expand Up @@ -89,10 +89,12 @@ async function run() {
const failBuild = core.getInput("fail-build") || "true";
const outputFormat = core.getInput("output-format") || "sarif";
const severityCutoff = core.getInput("severity-cutoff") || "medium";
const onlyFixed = core.getInput("only-fixed") || "false";
const out = await runScan({
source,
failBuild,
severityCutoff,
onlyFixed,
outputFormat,
});
Object.keys(out).map((key) => {
Expand All @@ -103,7 +105,7 @@ async function run() {
}
}

async function runScan({ source, failBuild, severityCutoff, outputFormat }) {
async function runScan({ source, failBuild, severityCutoff, onlyFixed, outputFormat }) {
const out = {};

const env = {
Expand Down Expand Up @@ -133,6 +135,7 @@ async function runScan({ source, failBuild, severityCutoff, outputFormat }) {
}

failBuild = failBuild.toLowerCase() === "true";
onlyFixed = onlyFixed.toLowerCase() === "true";

cmdArgs.push("-o", outputFormat);

Expand Down Expand Up @@ -165,6 +168,7 @@ async function runScan({ source, failBuild, severityCutoff, outputFormat }) {
core.debug("Source: " + source);
core.debug("Fail Build: " + failBuild);
core.debug("Severity Cutoff: " + severityCutoff);
core.debug("Only Fixed: " + onlyFixed);
core.debug("Output Format: " + outputFormat);

core.debug("Creating options for GRYPE analyzer");
Expand All @@ -176,6 +180,9 @@ async function runScan({ source, failBuild, severityCutoff, outputFormat }) {
cmdArgs.push("--fail-on");
cmdArgs.push(severityCutoff.toLowerCase());
}
if (onlyFixed === true) {
cmdArgs.push("--only-fixed");
}
cmdArgs.push(source);

// This /dev/null writable stream is required so the entire Grype output
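Review bot: `onlyFixed = onlyFixed.toLowerCase() === "true";` in the third hunk throws a TypeError when a caller of runScan omits `onlyFixed`, because the new destructured parameter has no default; the `|| "false"` fallback in run() covers only the action entry point, and the test files in this PR all had to add `onlyFixed: "false"` for exactly this reason. Give the parameter a default in the signature, `async function runScan({ source, failBuild, severityCutoff, onlyFixed = "false", outputFormat })`, so the option stays optional for direct callers as it is for the action. The same change is needed in the generated copy in dist/index.js, which otherwise should be rebuilt rather than edited by hand. The runScan body continues outside the hunks shown.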
2 changes: 2 additions & 0 deletions tests/grype_command.test.js
Expand Up @@ -31,6 +31,7 @@ describe("Grype command", () => {
outputFormat: "sarif",
severityCutoff: "high",
version: "0.6.0",
onlyFixed: "false",
});
expect(cmd).toBe("grype -o sarif --fail-on high dir:.");
});
Expand All @@ -42,6 +43,7 @@ describe("Grype command", () => {
outputFormat: "json",
severityCutoff: "low",
version: "0.6.0",
onlyFixed: "false",
});
expect(cmd).toBe("grype -o json --fail-on low asdf");
});
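Review bot: Both updated cases pass `onlyFixed: "false"`, so the new `--only-fixed` branch in runScan is never exercised and a regression that drops or misplaces the flag would pass this suite. Add a sibling case with `onlyFixed: "true"` asserting `expect(cmd).toBe("grype -o sarif --fail-on high --only-fixed dir:.")`, which follows the argument order in index.js (`--fail-on` and the cutoff, then `--only-fixed`, then the source). Since runScan lower-cases the value, a mixed-case input such as `"True"` could be covered in the same case. The describe block and both test bodies start outside the hunks shown.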
1 change: 1 addition & 0 deletions tests/sarif_output.test.js
Expand Up @@ -19,6 +19,7 @@ const testSource = async (source, vulnerabilities) => {
failBuild: "false",
outputFormat: "sarif",
severityCutoff: "medium",
onlyFixed: "false",
});

// expect to get sarif output