feat(output): show package view for container scanning table result (#1407)

Fixes #1315

For container scanning, instead of listing hundreds of vulnerabilities,
the output now shows the affected packages.

**Changes:**
- Added a summary listing the number of affected packages and
vulnerabilities, including severity counts and the number of fixable
vulnerabilities.
- Grouped results by ecosystem and source.
- Added a prompt message to inform users about the HTML and vertical
output options.

**Future Plans (to be implemented after the comprehensive layer and base
image information are available):**

- Add a layer info summary.
- Add base image information.

**Sample output:**
![Screenshot 2024-11-19 at 4 53 49 PM](https://github.com/user-attachments/assets/970c2beb-9d10-4803-a81a-9dc5b768fc5b)
![Screenshot 2024-11-19 at 4 53 58 PM](https://github.com/user-attachments/assets/627363bf-00cc-4a9e-9984-315dc2c9752a)
hogo6002 authored Nov 20, 2024
1 parent dd3d1ab commit 7fc8567
Showing 4 changed files with 286 additions and 72 deletions.
172 changes: 115 additions & 57 deletions cmd/osv-scanner/__snapshots__/main_test.snap
Expand Up @@ -2607,12 +2607,21 @@ Scanned <rootdir>/fixtures/maven-transitive/pom.xml file and found 3 packages

[TestRun_OCIImage/Alpine_3.10_image_tar_with_3.18_version_file - 1]
Scanning image ../../internal/image/fixtures/test-alpine.tar
+--------------------------------+------+--------------+---------+-----------+---------------------------------------------------------------------+
| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | SOURCE |
+--------------------------------+------+--------------+---------+-----------+---------------------------------------------------------------------+
| https://osv.dev/CVE-2018-25032 | 7.5 | Alpine:v3.18 | zlib | 1.2.11-r1 | ../../internal/image/fixtures/test-alpine.tar:/lib/apk/db/installed |
| https://osv.dev/CVE-2022-37434 | 9.8 | Alpine:v3.18 | zlib | 1.2.11-r1 | ../../internal/image/fixtures/test-alpine.tar:/lib/apk/db/installed |
+--------------------------------+------+--------------+---------+-----------+---------------------------------------------------------------------+
Total 1 packages affected by 2 vulnerabilities (1 Critical, 1 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystems.
2 vulnerabilities have fixes available.

Alpine:v3.18
+----------------------------------------------------------+
| Source:docker:../../internal/image/fixtures/test-alpine. |
| tar:/lib/apk/db/installed |
+---------+-------------------+---------------+------------+
| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT |
+---------+-------------------+---------------+------------+
| zlib | 1.2.11-r1 | Fix Available | 2 |
+---------+-------------------+---------------+------------+

For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner --format html --output results.html`.
You can also view the full vulnerability list in your terminal with: `osv-scanner --format vertical`.

---
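Review bot: the new summary line hard-codes plural nouns, so this fixture prints `Total 1 packages affected by 2 vulnerabilities (...) from 1 ecosystems.`; pluralise on the count (`1 package`, `1 ecosystem`) or use count-neutral wording such as `Packages affected: 1`. The following line, `2 vulnerabilities have fixes available.`, needs the same treatment for a count of 1.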

Expand All @@ -2632,14 +2641,21 @@ failed to load image ./fixtures/oci-image/no-file-here.tar: open ./fixtures/oci-

[TestRun_OCIImage/scanning_node_modules_using_npm_with_no_packages - 1]
Scanning image ../../internal/image/fixtures/test-node_modules-npm-empty.tar
+--------------------------------+------+--------------+---------+------------+-------------------------------------------------------------------------------------+
| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | SOURCE |
+--------------------------------+------+--------------+---------+------------+-------------------------------------------------------------------------------------+
| https://osv.dev/CVE-2023-42363 | 5.5 | Alpine:v3.19 | busybox | 1.36.1-r15 | ../../internal/image/fixtures/test-node_modules-npm-empty.tar:/lib/apk/db/installed |
| https://osv.dev/CVE-2023-42364 | 5.5 | Alpine:v3.19 | busybox | 1.36.1-r15 | ../../internal/image/fixtures/test-node_modules-npm-empty.tar:/lib/apk/db/installed |
| https://osv.dev/CVE-2023-42365 | 5.5 | Alpine:v3.19 | busybox | 1.36.1-r15 | ../../internal/image/fixtures/test-node_modules-npm-empty.tar:/lib/apk/db/installed |
| https://osv.dev/CVE-2023-42366 | 5.5 | Alpine:v3.19 | busybox | 1.36.1-r15 | ../../internal/image/fixtures/test-node_modules-npm-empty.tar:/lib/apk/db/installed |
+--------------------------------+------+--------------+---------+------------+-------------------------------------------------------------------------------------+
Total 1 packages affected by 4 vulnerabilities (0 Critical, 0 High, 4 Medium, 0 Low, 0 Unknown) from 1 ecosystems.
4 vulnerabilities have fixes available.

Alpine:v3.19
+----------------------------------------------------------+
| Source:docker:../../internal/image/fixtures/test-node_mo |
| dules-npm-empty.tar:/lib/apk/db/installed |
+---------+-------------------+---------------+------------+
| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT |
+---------+-------------------+---------------+------------+
| busybox | 1.36.1-r15 | Fix Available | 4 |
+---------+-------------------+---------------+------------+

For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner --format html --output results.html`.
You can also view the full vulnerability list in your terminal with: `osv-scanner --format vertical`.

---
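Review bot: the `Source:docker:...` header cell of the per-ecosystem table is wrapped at a fixed width, which splits the path mid-token (`test-node_mo |` / `dules-npm-empty.tar:/lib/apk/db/installed`), so the source can no longer be copied from the terminal or matched in captured logs; widen the cell to the path length or print the source on its own line above the table. A space after `Source:` would also make it read as a label rather than as part of the path.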

Expand All @@ -2649,17 +2665,31 @@ Scanning image ../../internal/image/fixtures/test-node_modules-npm-empty.tar

[TestRun_OCIImage/scanning_node_modules_using_npm_with_some_packages - 1]
Scanning image ../../internal/image/fixtures/test-node_modules-npm-full.tar
+-------------------------------------+------+--------------+----------+------------+-------------------------------------------------------------------------------------------------------+
| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | SOURCE |
+-------------------------------------+------+--------------+----------+------------+-------------------------------------------------------------------------------------------------------+
| https://osv.dev/CVE-2023-42363 | 5.5 | Alpine:v3.19 | busybox | 1.36.1-r15 | ../../internal/image/fixtures/test-node_modules-npm-full.tar:/lib/apk/db/installed |
| https://osv.dev/CVE-2023-42364 | 5.5 | Alpine:v3.19 | busybox | 1.36.1-r15 | ../../internal/image/fixtures/test-node_modules-npm-full.tar:/lib/apk/db/installed |
| https://osv.dev/CVE-2023-42365 | 5.5 | Alpine:v3.19 | busybox | 1.36.1-r15 | ../../internal/image/fixtures/test-node_modules-npm-full.tar:/lib/apk/db/installed |
| https://osv.dev/CVE-2023-42366 | 5.5 | Alpine:v3.19 | busybox | 1.36.1-r15 | ../../internal/image/fixtures/test-node_modules-npm-full.tar:/lib/apk/db/installed |
| https://osv.dev/GHSA-38f5-ghc2-fcmv | 9.8 | npm | cryo | 0.0.6 | ../../internal/image/fixtures/test-node_modules-npm-full.tar:/usr/app/node_modules/.package-lock.json |
| https://osv.dev/GHSA-vh95-rmgr-6w4m | 9.8 | npm | minimist | 0.0.8 | ../../internal/image/fixtures/test-node_modules-npm-full.tar:/usr/app/node_modules/.package-lock.json |
| https://osv.dev/GHSA-xvch-5gv4-984h | | | | | |
+-------------------------------------+------+--------------+----------+------------+-------------------------------------------------------------------------------------------------------+
Total 3 packages affected by 6 vulnerabilities (2 Critical, 0 High, 4 Medium, 0 Low, 0 Unknown) from 2 ecosystems.
5 vulnerabilities have fixes available.

npm
+--------------------------------------------------------------+
| Source:docker:../../internal/image/fixtures/test-node_module |
| s-npm-full.tar:/usr/app/node_modules/.package-lock.json |
+----------+-------------------+------------------+------------+
| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT |
+----------+-------------------+------------------+------------+
| cryo | 0.0.6 | No fix available | 1 |
| minimist | 0.0.8 | Fix Available | 1 |
+----------+-------------------+------------------+------------+
Alpine:v3.19
+----------------------------------------------------------+
| Source:docker:../../internal/image/fixtures/test-node_mo |
| dules-npm-full.tar:/lib/apk/db/installed |
+---------+-------------------+---------------+------------+
| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT |
+---------+-------------------+---------------+------------+
| busybox | 1.36.1-r15 | Fix Available | 4 |
+---------+-------------------+---------------+------------+

For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner --format html --output results.html`.
You can also view the full vulnerability list in your terminal with: `osv-scanner --format vertical`.

---
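Review bot: the ecosystem groups come out as `npm` first and `Alpine:v3.19` second, which is neither alphabetical nor the order of the removed flat table; if that order comes from iterating a Go map the snapshot will be flaky, so sort ecosystems (and sources within an ecosystem) before printing. Separately, `minimist` shows `VULN COUNT` 1 while the removed table had a second ID row (`GHSA-xvch-5gv4-984h`) rendered under the `minimist` row with its other cells blank, and the summary counts 6 vulnerabilities where the removed table listed 7 IDs; if the count is per alias group rather than per ID, the column header or the summary wording should say so.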

Expand All @@ -2669,14 +2699,21 @@ Scanning image ../../internal/image/fixtures/test-node_modules-npm-full.tar

[TestRun_OCIImage/scanning_node_modules_using_pnpm_with_no_packages - 1]
Scanning image ../../internal/image/fixtures/test-node_modules-pnpm-empty.tar
+--------------------------------+------+--------------+---------+------------+--------------------------------------------------------------------------------------+
| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | SOURCE |
+--------------------------------+------+--------------+---------+------------+--------------------------------------------------------------------------------------+
| https://osv.dev/CVE-2023-42363 | 5.5 | Alpine:v3.19 | busybox | 1.36.1-r15 | ../../internal/image/fixtures/test-node_modules-pnpm-empty.tar:/lib/apk/db/installed |
| https://osv.dev/CVE-2023-42364 | 5.5 | Alpine:v3.19 | busybox | 1.36.1-r15 | ../../internal/image/fixtures/test-node_modules-pnpm-empty.tar:/lib/apk/db/installed |
| https://osv.dev/CVE-2023-42365 | 5.5 | Alpine:v3.19 | busybox | 1.36.1-r15 | ../../internal/image/fixtures/test-node_modules-pnpm-empty.tar:/lib/apk/db/installed |
| https://osv.dev/CVE-2023-42366 | 5.5 | Alpine:v3.19 | busybox | 1.36.1-r15 | ../../internal/image/fixtures/test-node_modules-pnpm-empty.tar:/lib/apk/db/installed |
+--------------------------------+------+--------------+---------+------------+--------------------------------------------------------------------------------------+
Total 1 packages affected by 4 vulnerabilities (0 Critical, 0 High, 4 Medium, 0 Low, 0 Unknown) from 1 ecosystems.
4 vulnerabilities have fixes available.

Alpine:v3.19
+----------------------------------------------------------+
| Source:docker:../../internal/image/fixtures/test-node_mo |
| dules-pnpm-empty.tar:/lib/apk/db/installed |
+---------+-------------------+---------------+------------+
| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT |
+---------+-------------------+---------------+------------+
| busybox | 1.36.1-r15 | Fix Available | 4 |
+---------+-------------------+---------------+------------+

For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner --format html --output results.html`.
You can also view the full vulnerability list in your terminal with: `osv-scanner --format vertical`.

---
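Review bot: the recommended command `osv-scanner --format html --output results.html` is printed without the scan target, so pasting it verbatim will not rescan the image named in the `Scanning image` line above; either append the original argument to the hint or phrase it as flags to add to the command the user already ran. The `--format vertical` hint has the same gap.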

Expand All @@ -2686,14 +2723,21 @@ Scanning image ../../internal/image/fixtures/test-node_modules-pnpm-empty.tar

[TestRun_OCIImage/scanning_node_modules_using_pnpm_with_some_packages - 1]
Scanning image ../../internal/image/fixtures/test-node_modules-pnpm-full.tar
+--------------------------------+------+--------------+---------+------------+-------------------------------------------------------------------------------------+
| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | SOURCE |
+--------------------------------+------+--------------+---------+------------+-------------------------------------------------------------------------------------+
| https://osv.dev/CVE-2023-42363 | 5.5 | Alpine:v3.19 | busybox | 1.36.1-r15 | ../../internal/image/fixtures/test-node_modules-pnpm-full.tar:/lib/apk/db/installed |
| https://osv.dev/CVE-2023-42364 | 5.5 | Alpine:v3.19 | busybox | 1.36.1-r15 | ../../internal/image/fixtures/test-node_modules-pnpm-full.tar:/lib/apk/db/installed |
| https://osv.dev/CVE-2023-42365 | 5.5 | Alpine:v3.19 | busybox | 1.36.1-r15 | ../../internal/image/fixtures/test-node_modules-pnpm-full.tar:/lib/apk/db/installed |
| https://osv.dev/CVE-2023-42366 | 5.5 | Alpine:v3.19 | busybox | 1.36.1-r15 | ../../internal/image/fixtures/test-node_modules-pnpm-full.tar:/lib/apk/db/installed |
+--------------------------------+------+--------------+---------+------------+-------------------------------------------------------------------------------------+
Total 1 packages affected by 4 vulnerabilities (0 Critical, 0 High, 4 Medium, 0 Low, 0 Unknown) from 1 ecosystems.
4 vulnerabilities have fixes available.

Alpine:v3.19
+----------------------------------------------------------+
| Source:docker:../../internal/image/fixtures/test-node_mo |
| dules-pnpm-full.tar:/lib/apk/db/installed |
+---------+-------------------+---------------+------------+
| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT |
+---------+-------------------+---------------+------------+
| busybox | 1.36.1-r15 | Fix Available | 4 |
+---------+-------------------+---------------+------------+

For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner --format html --output results.html`.
You can also view the full vulnerability list in your terminal with: `osv-scanner --format vertical`.

---
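Review bot: the per-package table drops the per-finding CVSS that the removed rows carried (`5.5` on each busybox CVE), and `VULN COUNT` alone does not tell the reader which package is behind the severity counts in the summary line; a highest-severity column per package (max CVSS or severity bucket) would keep the table prioritisable without switching to `--format vertical`.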

Expand All @@ -2703,14 +2747,21 @@ Scanning image ../../internal/image/fixtures/test-node_modules-pnpm-full.tar

[TestRun_OCIImage/scanning_node_modules_using_yarn_with_no_packages - 1]
Scanning image ../../internal/image/fixtures/test-node_modules-yarn-empty.tar
+--------------------------------+------+--------------+---------+------------+--------------------------------------------------------------------------------------+
| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | SOURCE |
+--------------------------------+------+--------------+---------+------------+--------------------------------------------------------------------------------------+
| https://osv.dev/CVE-2023-42363 | 5.5 | Alpine:v3.19 | busybox | 1.36.1-r15 | ../../internal/image/fixtures/test-node_modules-yarn-empty.tar:/lib/apk/db/installed |
| https://osv.dev/CVE-2023-42364 | 5.5 | Alpine:v3.19 | busybox | 1.36.1-r15 | ../../internal/image/fixtures/test-node_modules-yarn-empty.tar:/lib/apk/db/installed |
| https://osv.dev/CVE-2023-42365 | 5.5 | Alpine:v3.19 | busybox | 1.36.1-r15 | ../../internal/image/fixtures/test-node_modules-yarn-empty.tar:/lib/apk/db/installed |
| https://osv.dev/CVE-2023-42366 | 5.5 | Alpine:v3.19 | busybox | 1.36.1-r15 | ../../internal/image/fixtures/test-node_modules-yarn-empty.tar:/lib/apk/db/installed |
+--------------------------------+------+--------------+---------+------------+--------------------------------------------------------------------------------------+
Total 1 packages affected by 4 vulnerabilities (0 Critical, 0 High, 4 Medium, 0 Low, 0 Unknown) from 1 ecosystems.
4 vulnerabilities have fixes available.

Alpine:v3.19
+----------------------------------------------------------+
| Source:docker:../../internal/image/fixtures/test-node_mo |
| dules-yarn-empty.tar:/lib/apk/db/installed |
+---------+-------------------+---------------+------------+
| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT |
+---------+-------------------+---------------+------------+
| busybox | 1.36.1-r15 | Fix Available | 4 |
+---------+-------------------+---------------+------------+

For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner --format html --output results.html`.
You can also view the full vulnerability list in your terminal with: `osv-scanner --format vertical`.

---
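Review bot: `FIX AVAILABLE` is a yes/no column, so the reader learns that `busybox 1.36.1-r15` is fixable but not which version to upgrade to; showing the fixed version in that column (or a separate one) is what turns the row into an action, and it would carry more information than repeating the boolean already stated by `4 vulnerabilities have fixes available.`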

Expand All @@ -2720,14 +2771,21 @@ Scanning image ../../internal/image/fixtures/test-node_modules-yarn-empty.tar

[TestRun_OCIImage/scanning_node_modules_using_yarn_with_some_packages - 1]
Scanning image ../../internal/image/fixtures/test-node_modules-yarn-full.tar
+--------------------------------+------+--------------+---------+------------+-------------------------------------------------------------------------------------+
| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | SOURCE |
+--------------------------------+------+--------------+---------+------------+-------------------------------------------------------------------------------------+
| https://osv.dev/CVE-2023-42363 | 5.5 | Alpine:v3.19 | busybox | 1.36.1-r15 | ../../internal/image/fixtures/test-node_modules-yarn-full.tar:/lib/apk/db/installed |
| https://osv.dev/CVE-2023-42364 | 5.5 | Alpine:v3.19 | busybox | 1.36.1-r15 | ../../internal/image/fixtures/test-node_modules-yarn-full.tar:/lib/apk/db/installed |
| https://osv.dev/CVE-2023-42365 | 5.5 | Alpine:v3.19 | busybox | 1.36.1-r15 | ../../internal/image/fixtures/test-node_modules-yarn-full.tar:/lib/apk/db/installed |
| https://osv.dev/CVE-2023-42366 | 5.5 | Alpine:v3.19 | busybox | 1.36.1-r15 | ../../internal/image/fixtures/test-node_modules-yarn-full.tar:/lib/apk/db/installed |
+--------------------------------+------+--------------+---------+------------+-------------------------------------------------------------------------------------+
Total 1 packages affected by 4 vulnerabilities (0 Critical, 0 High, 4 Medium, 0 Low, 0 Unknown) from 1 ecosystems.
4 vulnerabilities have fixes available.

Alpine:v3.19
+----------------------------------------------------------+
| Source:docker:../../internal/image/fixtures/test-node_mo |
| dules-yarn-full.tar:/lib/apk/db/installed |
+---------+-------------------+---------------+------------+
| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT |
+---------+-------------------+---------------+------------+
| busybox | 1.36.1-r15 | Fix Available | 4 |
+---------+-------------------+---------------+------------+

For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner --format html --output results.html`.
You can also view the full vulnerability list in your terminal with: `osv-scanner --format vertical`.

---


0 comments on commit 7fc8567
