FR-91: Add cli arg only fixable vulnerability; use the variable in get_vuln_counts

Maria Carolina Conceição · Maria Carolina Conceição · commit bc532d46d1e1 · 2025-04-15T17:37:22.000+01:00
diff --git a/entrypoint/entrypoint/cli.py b/entrypoint/entrypoint/cli.py
@@ -50,6 +50,8 @@ def init(sys_argv=None) -> argparse.Namespace:
                         help="Specifies one or more files and/or directories that should NOT be inventoried.")
     parser.add_argument("--timeout", type=str, default="600",
                         help="The amount of time in seconds that inspector-sbomgne will run. When this timeout is exceeded, sbomgen will gracefully conclude and present any findings discovered up to that point.")
+    parser.add_argument("--only-show-fixable-vulnerabilities", type=str, default="False",
+                        help="If set, this program will only show vulnerabilities that have a fix available.")
 
     parser.add_argument("--platform", type=str,
                         help="Specifies the OS and CPU arch of the container image you wish to scan. Valid inputs are "
diff --git a/entrypoint/entrypoint/orchestrator.py b/entrypoint/entrypoint/orchestrator.py
@@ -233,7 +233,7 @@ def invoke_inspector_scan(src_sbom, dst_scan):
 
 
 def get_scan_result(args) -> tuple[bool, exporter.InspectorScanResult]:
-    succeeded, criticals, highs, mediums, lows, others = get_vuln_counts(args.out_scan)
+    succeeded, criticals, highs, mediums, lows, others = get_vuln_counts(args.out_scan, args.only_show_fixable_vulnerabilities)
     if succeeded is False:
         return False, None
 
@@ -270,7 +270,7 @@ def set_github_actions_output(key, value):
     return
 
 
-def get_vuln_counts(inspector_scan_path: str):
+def get_vuln_counts(inspector_scan_path: str, only_show_fixable_vulns: bool = False) -> tuple[bool, int, int, int, int, int]:
     # vuln severities
     criticals = 0
     highs = 0
@@ -315,7 +315,10 @@ def get_vuln_counts(inspector_scan_path: str):
             logging.error(f"expected property with 'value' key but none was found in file {inspector_scan_path}")
             continue
 
-        if name == "amazon:inspector:sbom_scanner:critical_vulnerabilities":
+        if only_show_fixable_vulns and "amazon:inspector:sbom_scanner:fixed_version:comp-" not in name:
+            # skip this property
+            continue
+        elif name == "amazon:inspector:sbom_scanner:critical_vulnerabilities":
             criticals = int(value)
         elif name == "amazon:inspector:sbom_scanner:high_vulnerabilities":
             highs = int(value)
