

too-geekzantowspiffcs
authored
Add by-cve option (#229)
* Add by-cve option to action options Signed-off-by: too-gee <[email protected]> * chore: update audit to use npm-better-audit * chore: modify workflow to use new audit script Signed-off-by: Christopher Phillips <[email protected]> --------- Signed-off-by: Keith Zantow <[email protected]> Signed-off-by: too-gee <[email protected]> Signed-off-by: Christopher Phillips <[email protected]> Co-authored-by: Keith Zantow <[email protected]> Co-authored-by: Christopher Phillips <[email protected]>
1 parent 487706f commit 355bbe9


10 files changed

+1285
-1017
lines changed


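--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -8,7 +8,7 @@ jobs:
 steps:
 - uses: actions/checkout@v3
 - run: npm ci
-- run: npm audit --production
+- run: npm run audit
 - run: npm run build
 - run: git status --porcelain
 - run: git diff
@@ -36,5 +36,5 @@ jobs:
 docker buildx imagetools inspect localhost:5000/match-coverage/$distro:latest
 done
 - run: npm ci
-- run: npm audit --production
+- run: npm run audit
 - run: npm test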
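Review bot: Both `- run: npm run audit` steps now delegate to a package.json script that is not part of this section, so whether the check still covers the same dependency set as the old `npm audit --production` and whether it still exits non-zero on an unsuppressed advisory cannot be seen here. A `run:` step only fails the job when the command fails, so the gate is only as strong as that script's exit status; the commit message suggests the new script also honours the `.nsprc` suppression file added in this commit, which means findings can now be filtered before they reach CI. A one-line comment above the step would make that visible to readers, e.g. `# audit honours .nsprc suppressions; see the "audit" script in package.json`.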

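--- a/.nsprc
+++ b/.nsprc
@@ -0,0 +1,6 @@
+{
+"1092310": {
+"active": true,
+"notes": "Ignored since we don't use the vulnerable regex method"
+}
+}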
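Review bot: The suppression of advisory `1092310` has no expiry and its note names neither the package nor the method it refers to, so nothing will prompt anyone to re-check the exception when the dependency is upgraded, the advisory is revised, or the action's own code starts calling the method in question. An open-ended `"active": true` entry is a permanent blind spot in the audit gate the workflow now relies on. If the audit tool supports an expiry field, add one, and make the note verifiable, e.g. `"notes": "advisory 1092310 in <package>@<version>: this action never calls the vulnerable regex method; re-evaluate on <date>"` so a future maintainer can confirm the reasoning rather than inherit it.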

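--- a/README.md
+++ b/README.md
@@ -130,6 +130,7 @@ The inputs `image`, `path`, and `sbom` are mutually exclusive to specify the sou
 | `severity-cutoff` | Optionally specify the minimum vulnerability severity to trigger a failure. Valid choices are "negligible", "low", "medium", "high" and "critical". Any vulnerability with a severity less than this value will lead to a "warning" result. Default is "medium". | `medium` |
 | `only-fixed` | Specify whether to only report vulnerabilities that have a fix available. | `false` |
 | `add-cpes-if-none` | Specify whether to autogenerate missing CPEs. | `false` |
+| `by-cve` | Specify whether to orient results by CVE rather than GHSA. | `false` |
 
 ### Action Outputs
 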
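--- a/action.yml
+++ b/action.yml
@@ -33,6 +33,10 @@ inputs:
 description: "Specify whether to autogenerate missing CPEs. Default is false."
 required: false
 default: "false"
+by-cve:
+description: "Specify whether to orient results by CVE rather than GHSA. Default is false."
+required: false
+default: "false"
 outputs:
 sarif:
 description: "Path to a SARIF report file for the image"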

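--- a/dist/index.js
+++ b/dist/index.js
@@ -105,13 +105,15 @@ async function run() {
 const severityCutoff = core.getInput("severity-cutoff") || "medium";
 const onlyFixed = core.getInput("only-fixed") || "false";
 const addCpesIfNone = core.getInput("add-cpes-if-none") || "false";
+const byCve = core.getInput("by-cve") || "false";
 const out = await runScan({
 source,
 failBuild,
 severityCutoff,
 onlyFixed,
 outputFormat,
 addCpesIfNone,
+byCve,
 });
 Object.keys(out).map((key) => {
 core.setOutput(key, out[key]);
@@ -121,7 +123,15 @@ async function run() {
 }
 }
 
-async function runScan({ source, failBuild, severityCutoff, onlyFixed, outputFormat, addCpesIfNone }) {
+async function runScan({
+source,
+failBuild,
+severityCutoff,
+onlyFixed,
+outputFormat,
+addCpesIfNone,
+byCve,
+}) {
 const out = {};
 
 const env = {
@@ -153,6 +163,7 @@ async function runScan({ source, failBuild, severityCutoff, onlyFixed, outputFor
 failBuild = failBuild.toLowerCase() === "true";
 onlyFixed = onlyFixed.toLowerCase() === "true";
 addCpesIfNone = addCpesIfNone.toLowerCase() === "true";
+byCve = byCve.toLowerCase() === "true";
 
 cmdArgs.push("-o", outputFormat);
 
@@ -187,6 +198,7 @@ async function runScan({ source, failBuild, severityCutoff, onlyFixed, outputFor
 core.debug("Severity Cutoff: " + severityCutoff);
 core.debug("Only Fixed: " + onlyFixed);
 core.debug("Add Missing CPEs: " + addCpesIfNone);
+core.debug("Orient by CVE: " + byCve);
 core.debug("Output Format: " + outputFormat);
 
 core.debug("Creating options for GRYPE analyzer");
@@ -204,6 +216,9 @@ async function runScan({ source, failBuild, severityCutoff, onlyFixed, outputFor
 if (addCpesIfNone === true) {
 cmdArgs.push("--add-cpes-if-none");
 }
+if (byCve === true) {
+cmdArgs.push("--by-cve");
+}
 cmdArgs.push(source);
 
 // This /dev/null writable stream is required so the entire Grype output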

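--- a/index.js
+++ b/index.js
@@ -91,13 +91,15 @@ async function run() {
 const severityCutoff = core.getInput("severity-cutoff") || "medium";
 const onlyFixed = core.getInput("only-fixed") || "false";
 const addCpesIfNone = core.getInput("add-cpes-if-none") || "false";
+const byCve = core.getInput("by-cve") || "false";
 const out = await runScan({
 source,
 failBuild,
 severityCutoff,
 onlyFixed,
 outputFormat,
 addCpesIfNone,
+byCve,
 });
 Object.keys(out).map((key) => {
 core.setOutput(key, out[key]);
@@ -107,7 +109,15 @@ async function run() {
 }
 }
 
-async function runScan({ source, failBuild, severityCutoff, onlyFixed, outputFormat, addCpesIfNone }) {
+async function runScan({
+source,
+failBuild,
+severityCutoff,
+onlyFixed,
+outputFormat,
+addCpesIfNone,
+byCve,
+}) {
 const out = {};
 
 const env = {
@@ -139,6 +149,7 @@ async function runScan({ source, failBuild, severityCutoff, onlyFixed, outputFor
 failBuild = failBuild.toLowerCase() === "true";
 onlyFixed = onlyFixed.toLowerCase() === "true";
 addCpesIfNone = addCpesIfNone.toLowerCase() === "true";
+byCve = byCve.toLowerCase() === "true";
 
 cmdArgs.push("-o", outputFormat);
 
@@ -173,6 +184,7 @@ async function runScan({ source, failBuild, severityCutoff, onlyFixed, outputFor
 core.debug("Severity Cutoff: " + severityCutoff);
 core.debug("Only Fixed: " + onlyFixed);
 core.debug("Add Missing CPEs: " + addCpesIfNone);
+core.debug("Orient by CVE: " + byCve);
 core.debug("Output Format: " + outputFormat);
 
 core.debug("Creating options for GRYPE analyzer");
@@ -190,6 +202,9 @@ async function runScan({ source, failBuild, severityCutoff, onlyFixed, outputFor
 if (addCpesIfNone === true) {
 cmdArgs.push("--add-cpes-if-none");
 }
+if (byCve === true) {
+cmdArgs.push("--by-cve");
+}
 cmdArgs.push(source);
 
 // This /dev/null writable stream is required so the entire Grype output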
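Review bot: `byCve = byCve.toLowerCase() === "true";` in the third hunk turns any value other than the literal `true` (`1`, `yes`, a typo) into `false` with no warning, so a misconfigured workflow silently keeps GHSA-oriented results while its author believes CVE identifiers were requested, and the only trace is a `core.debug` line that is hidden unless debug logging is on. This mirrors the existing `onlyFixed` and `addCpesIfNone` handling, so it is at least consistent, but since the input changes which identifiers downstream consumers see, rejecting bad values is preferable. Either `core.getBooleanInput("by-cve")`, if the installed @actions/core version provides it, or an explicit guard such as `if (!["true", "false"].includes(byCve.toLowerCase())) throw new Error(\`by-cve must be "true" or "false", got "${byCve}"\`);` placed before the coercion would surface the mistake at scan time. The `runScan` signature rewritten in the second hunk starts a function whose body continues past the end of this section.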
