Add filter by package name/version to avoid flood of issues for the s…

…ame package (#23) * Add filter by package name/version to avoid duplicating on the build output
sysdiglabs · May 23, 2022 · 0e483c3 · 0e483c3
1 parent cda2e24
commit 0e483c3
Show file tree

Hide file tree

Showing 9 changed files with 103 additions and 8 deletions.
diff --git a/README.md b/README.md
@@ -72,6 +72,13 @@ Possible values:
 - negligible
 - unknown
 
+### `unique-report-by-package`
+
+Only one annotation by package name/version will be displayed in the build output. 
+The last highest (by severity) vulnerability will be displayed by package.
+It increases the readability of the output, avoiding duplicates for the same package.
+Default to false.
+
 
 ### `inline-scan-image`
 

diff --git a/action.yml b/action.yml
@@ -24,6 +24,9 @@ inputs:
   ignore-failed-scan:
     description: Don't fail the execution of this action even if the scan result is FAILED.
     required: false
+  unique-report-by-package:
+    description: Report only once an issue with a specific package and its version. Default to false
+    required: false
   input-type:
     description: |
       If specified, where should we scan the image from. Possible values:

diff --git a/dist/index.js b/dist/index.js
diff --git a/dist/index.js.map b/dist/index.js.map
diff --git a/index.js b/index.js
@@ -504,9 +504,16 @@ function getReportAnnotations(evaluationResults, vulnerabilities) {
       title: `${g[actionCol]} ${g[gateCol]}`
     }
   });
-  let severities = {"critcal":0,"high":1, "medium":2, "low":3, "negligible":4,"unknown":5}
+  let severities = {"critical":0,"high":1, "medium":2, "low":3, "negligible":4,"unknown":5}
   let severity =  core.getInput('severity') || "unknown";
-  let vulns = vulnerabilities.filter(v => severities[v.severity.toLowerCase()] <=  severities[severity.toLowerCase()]).map(v => {
+  let uniqueReportByPackage = core.getInput('unique-report-by-package') === 'true' || false;
+  let _vulns = vulnerabilities
+  if(uniqueReportByPackage) {
+    const key = 'package'; // Show only one issue by package, avoiding flood of annotations
+    let _sortedVulns = _vulns.sort((a, b) => severities[b.severity.toLowerCase()] - severities[a.severity.toLowerCase()]);
+    _vulns = [...new Map(_sortedVulns.map(item => [item[key], item])).values()];
+  }
+  let vulns = _vulns.filter(v => severities[v.severity.toLowerCase()] <=  severities[severity.toLowerCase()]).map(v => {
     return {
       path: "Dockerfile",
       start_line: 1,

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "secure-inline-scan-action",
-  "version": "3.3.0",
+  "version": "3.4.0",
   "description": "This actions performs image analysis on locally built container image and posts the result of the analysis to Sysdig Secure.",
   "main": "index.js",
   "scripts": {

diff --git a/tests/fixtures/report.json b/tests/fixtures/report.json
@@ -141,6 +141,37 @@
                 "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3374",
                 "vendor_data": [],
                 "vuln": "CVE-2011-3374"
+            },
+            {
+                "feed": "vulnerabilities",
+                "feed_group": "alpine:3.7",
+                "fix": "1.1.18-r4",
+                "nvd_data": [
+                    {
+                        "cvss_v2": {
+                            "base_score": 7.5,
+                            "exploitability_score": 10,
+                            "impact_score": 6.4
+                        },
+                        "cvss_v3": {
+                            "base_score": 9.8,
+                            "exploitability_score": 3.9,
+                            "impact_score": 5.9
+                        },
+                        "id": "CVE-2019-14698"
+                    }
+                ],
+                "package": "musl-utils-1.1.18-r3",
+                "package_cpe": "None",
+                "package_cpe23": "None",
+                "package_name": "musl-utils",
+                "package_path": "pkgdb",
+                "package_type": "APKG",
+                "package_version": "1.1.18-r3",
+                "severity": "Medium",
+                "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14698",
+                "vendor_data": [],
+                "vuln": "CVE-2019-14698"
             }
         ]
     }

diff --git a/tests/index.test.js b/tests/index.test.js
@@ -421,6 +421,46 @@ describe("process scan results", () => {
         expect(data.name).toBe("Scan results for myimage:mytag");
         expect(data.output.annotations).toContainEqual({ "annotation_level": "warning", "end_line": 1, "message": "CVE-2019-14697 Severity=High Package=musl-1.1.18-r3 Type=APKG Fix=1.1.18-r4 Url=https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14697", "path": "Dockerfile", "start_line": 1, "title": "Vulnerability found: CVE-2019-14697" });
         expect(data.output.annotations).not.toContainEqual({"path": "Dockerfile", "start_line": 1, "end_line": 1, "annotation_level": "warning", "message": "CVE-2011-3374 Severity=Negligible Package=apt-1.0 Type=APKG Fix=null Url=https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3374", "title": "Vulnerability found: CVE-2011-3374"});
+        expect(data.output.annotations).toContainEqual({"path": "Dockerfile", "start_line": 1, "end_line": 1, "annotation_level": "warning", "message": "CVE-2019-14697 Severity=High Package=musl-utils-1.1.18-r3 Type=APKG Fix=1.1.18-r4 Url=https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14697", "title": "Vulnerability found: CVE-2019-14697"});
+        expect(data.output.annotations).toContainEqual({"path": "Dockerfile", "start_line": 1, "end_line": 1, "annotation_level": "warning", "message": "CVE-2019-14698 Severity=Medium Package=musl-utils-1.1.18-r3 Type=APKG Fix=1.1.18-r4 Url=https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14698", "title": "Vulnerability found: CVE-2019-14698"});
+    })
+
+    it("generates a check run with unique vulnerability annotations", async () => {
+        let data;
+        github.context = { repo: { repo: "foo-repo", owner: "foo-owner" } };
+
+        core.getInput = jest.fn();
+        core.getInput.mockReturnValueOnce("foo");
+
+
+        github.getOctokit = jest.fn(() => {
+            return {
+                rest: {
+                    checks: {
+                        create: async function (receivedData) {
+                            data = receivedData;
+                        }
+                    }
+                }
+            }
+        });
+
+        let scanResult = {
+            ReturnCode: 0,
+            Output: exampleReport,
+            Error: ""
+        };
+        core.getInput.mockReturnValueOnce("medium")
+        core.getInput.mockReturnValueOnce("true")
+
+        await index.processScanResult(scanResult);
+        expect(github.getOctokit).toBeCalledWith("foo");
+        expect(data).not.toBeUndefined();
+        expect(data.name).toBe("Scan results for myimage:mytag");
+        //Should display the vulnerability with the highest severity
+        expect(data.output.annotations).toContainEqual({"path": "Dockerfile", "start_line": 1, "end_line": 1, "annotation_level": "warning", "message": "CVE-2019-14697 Severity=High Package=musl-utils-1.1.18-r3 Type=APKG Fix=1.1.18-r4 Url=https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14697", "title": "Vulnerability found: CVE-2019-14697"});
+        expect(data.output.annotations).not.toContainEqual({"path": "Dockerfile", "start_line": 1, "end_line": 1, "annotation_level": "warning", "message": "CVE-2019-14698 Severity=Medium Package=musl-utils-1.1.18-r3 Type=APKG Fix=1.1.18-r4 Url=https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14698", "title": "Vulnerability found: CVE-2019-14698"});
+
     })
 
     it("generates a check run with gate annotations", async () => {