Add by-cve option (#229)

* Add by-cve option to action options Signed-off-by: too-gee <116376+too-gee@users.noreply.github.com> * chore: update audit to use npm-better-audit * chore: modify workflow to use new audit script Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com> --------- Signed-off-by: Keith Zantow <kzantow@gmail.com> Signed-off-by: too-gee <116376+too-gee@users.noreply.github.com> Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com> Co-authored-by: Keith Zantow <kzantow@gmail.com> Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>
anchore · Jul 6, 2023 · 355bbe9 · 355bbe9
1 parent 487706f
commit 355bbe9
Show file tree

Hide file tree

Showing 10 changed files with 1,285 additions and 1,017 deletions.
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -8,7 +8,7 @@ jobs:
     steps:
       - uses: actions/checkout@v3
       - run: npm ci
-      - run: npm audit --production
+      - run: npm run audit
       - run: npm run build
       - run: git status --porcelain
       - run: git diff
@@ -36,5 +36,5 @@ jobs:
             docker buildx imagetools inspect localhost:5000/match-coverage/$distro:latest
           done
       - run: npm ci
-      - run: npm audit --production
+      - run: npm run audit
       - run: npm test
diff --git a/.nsprc b/.nsprc
@@ -0,0 +1,6 @@
+{
+  "1092310": {
+    "active": true,
+    "notes": "Ignored since we don't use the vulnerable regex method"
+  }
+}
diff --git a/README.md b/README.md
@@ -130,6 +130,7 @@ The inputs `image`, `path`, and `sbom` are mutually exclusive to specify the sou
 | `severity-cutoff`   | Optionally specify the minimum vulnerability severity to trigger a failure. Valid choices are "negligible", "low", "medium", "high" and "critical". Any vulnerability with a severity less than this value will lead to a "warning" result. Default is "medium". | `medium`      |
 | `only-fixed`        | Specify whether to only report vulnerabilities that have a fix available.                                                                                                                                                                                        | `false`       |
 | `add-cpes-if-none`  | Specify whether to autogenerate missing CPEs.                                                                                                                                                                                                                    | `false`       |
+| `by-cve`            | Specify whether to orient results by CVE rather than GHSA.                                                                                                                                                                                                       | `false`       |
 
 ### Action Outputs
 

diff --git a/action.yml b/action.yml
@@ -33,6 +33,10 @@ inputs:
     description: "Specify whether to autogenerate missing CPEs.  Default is false."
     required: false
     default: "false"
+  by-cve:
+    description: "Specify whether to orient results by CVE rather than GHSA.  Default is false."
+    required: false
+    default: "false"
 outputs:
   sarif:
     description: "Path to a SARIF report file for the image"

diff --git a/dist/index.js b/dist/index.js
@@ -105,13 +105,15 @@ async function run() {
     const severityCutoff = core.getInput("severity-cutoff") || "medium";
     const onlyFixed = core.getInput("only-fixed") || "false";
     const addCpesIfNone = core.getInput("add-cpes-if-none") || "false";
+    const byCve = core.getInput("by-cve") || "false";
     const out = await runScan({
       source,
       failBuild,
       severityCutoff,
       onlyFixed,
       outputFormat,
       addCpesIfNone,
+      byCve,
     });
     Object.keys(out).map((key) => {
       core.setOutput(key, out[key]);
@@ -121,7 +123,15 @@ async function run() {
   }
 }
 
-async function runScan({ source, failBuild, severityCutoff, onlyFixed, outputFormat, addCpesIfNone }) {
+async function runScan({
+  source,
+  failBuild,
+  severityCutoff,
+  onlyFixed,
+  outputFormat,
+  addCpesIfNone,
+  byCve,
+}) {
   const out = {};
 
   const env = {
@@ -153,6 +163,7 @@ async function runScan({ source, failBuild, severityCutoff, onlyFixed, outputFor
   failBuild = failBuild.toLowerCase() === "true";
   onlyFixed = onlyFixed.toLowerCase() === "true";
   addCpesIfNone = addCpesIfNone.toLowerCase() === "true";
+  byCve = byCve.toLowerCase() === "true";
 
   cmdArgs.push("-o", outputFormat);
 
@@ -187,6 +198,7 @@ async function runScan({ source, failBuild, severityCutoff, onlyFixed, outputFor
   core.debug("Severity Cutoff: " + severityCutoff);
   core.debug("Only Fixed: " + onlyFixed);
   core.debug("Add Missing CPEs: " + addCpesIfNone);
+  core.debug("Orient by CVE: " + byCve);
   core.debug("Output Format: " + outputFormat);
 
   core.debug("Creating options for GRYPE analyzer");
@@ -204,6 +216,9 @@ async function runScan({ source, failBuild, severityCutoff, onlyFixed, outputFor
   if (addCpesIfNone === true) {
     cmdArgs.push("--add-cpes-if-none");
   }
+  if (byCve === true) {
+    cmdArgs.push("--by-cve");
+  }
   cmdArgs.push(source);
 
   // This /dev/null writable stream is required so the entire Grype output

diff --git a/index.js b/index.js
@@ -91,13 +91,15 @@ async function run() {
     const severityCutoff = core.getInput("severity-cutoff") || "medium";
     const onlyFixed = core.getInput("only-fixed") || "false";
     const addCpesIfNone = core.getInput("add-cpes-if-none") || "false";
+    const byCve = core.getInput("by-cve") || "false";
     const out = await runScan({
       source,
       failBuild,
       severityCutoff,
       onlyFixed,
       outputFormat,
       addCpesIfNone,
+      byCve,
     });
     Object.keys(out).map((key) => {
       core.setOutput(key, out[key]);
@@ -107,7 +109,15 @@ async function run() {
   }
 }
 
-async function runScan({ source, failBuild, severityCutoff, onlyFixed, outputFormat, addCpesIfNone }) {
+async function runScan({
+  source,
+  failBuild,
+  severityCutoff,
+  onlyFixed,
+  outputFormat,
+  addCpesIfNone,
+  byCve,
+}) {
   const out = {};
 
   const env = {
@@ -139,6 +149,7 @@ async function runScan({ source, failBuild, severityCutoff, onlyFixed, outputFor
   failBuild = failBuild.toLowerCase() === "true";
   onlyFixed = onlyFixed.toLowerCase() === "true";
   addCpesIfNone = addCpesIfNone.toLowerCase() === "true";
+  byCve = byCve.toLowerCase() === "true";
 
   cmdArgs.push("-o", outputFormat);
 
@@ -173,6 +184,7 @@ async function runScan({ source, failBuild, severityCutoff, onlyFixed, outputFor
   core.debug("Severity Cutoff: " + severityCutoff);
   core.debug("Only Fixed: " + onlyFixed);
   core.debug("Add Missing CPEs: " + addCpesIfNone);
+  core.debug("Orient by CVE: " + byCve);
   core.debug("Output Format: " + outputFormat);
 
   core.debug("Creating options for GRYPE analyzer");
@@ -190,6 +202,9 @@ async function runScan({ source, failBuild, severityCutoff, onlyFixed, outputFor
   if (addCpesIfNone === true) {
     cmdArgs.push("--add-cpes-if-none");
   }
+  if (byCve === true) {
+    cmdArgs.push("--by-cve");
+  }
   cmdArgs.push(source);
 
   // This /dev/null writable stream is required so the entire Grype output