Show vulnerability summary on zero vulns (#60)

* Show vulnerability summary on zero vulns

* Test zero vulns table

* Show vuln table summary on zero vulns

* Show summary markdown table on zero vulns

* rework zero vuln report

* Rename resource to artifact for clarity

* Set workflow version to v1.1.0

* fix typo in version

* minor refactor

---------

Co-authored-by: Michael Long <mlongii@amazon.com>

Author: bluesentinelsec

entrypoint/entrypoint/orchestrator.py

@@ -38,7 +38,7 @@ def execute(args) -> int:
     set_github_actions_output('inspector_scan_results_csv', args.out_scan_csv)
 
     pkg_vuln_markdown = write_pkg_vuln_report_markdown(args, total_vulns, criticals, highs, mediums, lows, others)
-    post_pkg_vuln_github_actions_step_summary(args, total_vulns, pkg_vuln_markdown)
+    post_pkg_vuln_github_actions_step_summary(args, pkg_vuln_markdown)
     set_github_actions_output('inspector_scan_results_markdown', args.out_scan_markdown)
 
     dockerfile.write_dockerfile_report_csv(args.out_scan, args.out_dockerfile_scan_csv)
@@ -60,7 +60,7 @@ def post_dockerfile_step_summary(args, total_vulns):
             with open(args.out_dockerfile_scan_md, "r") as f:
                 dockerfile_markdown = f.read()
         except Exception as e:
-            logging.debug(e) # can be spammy, so set as debug log
+            logging.debug(e)  # can be spammy, so set as debug log
             return
 
         if not dockerfile_markdown:
@@ -379,10 +379,6 @@ def write_pkg_vuln_report_csv(args, criticals, highs, mediums, lows, others):
 
 
 def write_pkg_vuln_report_markdown(args, total_vulns, criticals, highs, mediums, lows, others):
-    if int(total_vulns) == 0:
-        logging.info(f"skipping package vulnerability markdown report because no vulnerabilities were detected")
-        return
-
     with open(args.out_scan, "r") as f:
         inspector_scan = json.load(f)
         vulns = pkg_vuln.vulns_to_obj(inspector_scan)
@@ -422,8 +418,8 @@ def print_vuln_count_summary(args, total_vulns, criticals, highs, mediums, lows,
     print(findings)
 
 
-def post_pkg_vuln_github_actions_step_summary(args, total_vulns, markdown):
-    if args.display_vuln_findings == "enabled" and total_vulns > 0:
+def post_pkg_vuln_github_actions_step_summary(args, markdown):
+    if args.display_vuln_findings == "enabled":
         logging.info("posting Inspector scan findings to GitHub Actions step summary page")
         pkg_vuln.post_github_step_summary(markdown)
 

entrypoint/entrypoint/pkg_vuln.py

@@ -339,16 +339,16 @@ def to_markdown(vulns,
     markdown += f"| Other    | {others}|\n"
     markdown += "\n\n"
 
+    if not vulns:
+        markdown += ":green_circle: Your artifact was scanned with Amazon Inspector and no vulnerabilities were detected."
+        markdown += "\n\n"
+        return markdown
+
     # create vulnerability details table
     markdown += "## Vulnerability Findings\n\n"
-
     markdown += "| ID | Severity | [CVSS](https://www.first.org/cvss/) | Installed Package ([PURL](https://github.com/package-url/purl-spec/tree/master?tab=readme-ov-file#purl)) | Fixed Package | Path | [EPSS](https://www.first.org/epss/) | Exploit Available | Exploit Last Seen | CWEs |\n"
     markdown += "|----------|-------|-------|-------|-------|-------|-------|-------|-------|-------|\n"
 
-    if not vulns:
-        markdown += "\n\n"
-        return markdown
-
     # sort vulns by CVSS score
     vulns = sort_vulns(vulns)
 
@@ -421,16 +421,13 @@ def sort_vulns(vulns):
     return sorted_vulns
 
 
-def post_github_step_summary(markdown="null"):
-    if markdown == "null":
-        return
-
-    job_summary_file = "/tmp/inspector.md"
+def post_github_step_summary(markdown):
+    step_summary_path = "/tmp/inspector.md"
     if os.getenv('GITHUB_ACTIONS'):
-        job_summary_file = os.environ["GITHUB_STEP_SUMMARY"]
+        step_summary_path = os.environ["GITHUB_STEP_SUMMARY"]
 
     try:
-        with open(job_summary_file, "a") as f:
+        with open(step_summary_path, "a") as f:
             f.write(markdown)
     except Exception as e:
         logging.error(e)

entrypoint/tests/test_pkg_vuln.py

@@ -1,4 +1,5 @@
 import json
+import os
 import unittest
 
 from entrypoint import pkg_vuln
@@ -37,6 +38,32 @@ def test_vulns_to_obj(self):
                 vulns = pkg_vuln.vulns_to_obj(inspector_scan)
                 self.assertTrue(vulns != None)
 
+    def test_post_github_step_summary_no_vulns(self):
+
+        markdown_dst_path = "/tmp/inspector.md"
+        cleanup_stale_markdown_report(markdown_dst_path)
+
+        zero_vuln_summary_md = pkg_vuln.to_markdown(vulns=None,
+                                                    artifact_name="test_image:latest",
+                                                    artifact_type="container",
+                                                    artifact_hash="null",
+                                                    build_id="null",
+                                                    criticals="0",
+                                                    highs="0",
+                                                    mediums="0",
+                                                    lows="0",
+                                                    others="0")
+
+        expected_list = ["| Critical | 0|",
+                         "| High     | 0|",
+                         "| Medium   | 0|",
+                         "| Low      | 0|",
+                         "| Other    | 0|",
+                         ]
+        for expected in expected_list:
+            self.assertIn(expected, zero_vuln_summary_md)
+        cleanup_stale_markdown_report(markdown_dst_path)
+
 
 def get_scan_body(test_file):
     # test_file = "tests/test_data/artifacts/containers/dockerfile_checks/inspector-scan-cdx.json"
@@ -47,5 +74,12 @@ def get_scan_body(test_file):
     return scan_body
 
 
+def cleanup_stale_markdown_report(path):
+    try:
+        os.remove(path)
+    except:
+        return
+
+
 if __name__ == '__main__':
     unittest.main()