Skip to content

Commit

Permalink
chore: show VEX notice for OSS maintainers in CI environments (#7246)
Browse files Browse the repository at this point in the history
Signed-off-by: knqyf263 <[email protected]>
  • Loading branch information
knqyf263 authored Jul 29, 2024
1 parent 5c37361 commit 805592d
Show file tree
Hide file tree
Showing 2 changed files with 32 additions and 3 deletions.
1 change: 1 addition & 0 deletions pkg/report/table/table_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -73,6 +73,7 @@ Total: 1 (MEDIUM: 0, HIGH: 1)
},
}

t.Setenv("TRIVY_DISABLE_VEX_NOTICE", "1")
for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) {
tableWritten := bytes.Buffer{}
Expand Down
34 changes: 31 additions & 3 deletions pkg/report/table/vulnerability.go
Original file line number Diff line number Diff line change
Expand Up @@ -3,12 +3,14 @@ package table
import (
"bytes"
"fmt"
"os"
"path/filepath"
"slices"
"sort"
"strings"
"sync"

"github.com/fatih/color"
"github.com/samber/lo"
"github.com/xlab/treeprint"

Expand All @@ -18,11 +20,29 @@ import (
ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
"github.com/aquasecurity/trivy/pkg/log"
"github.com/aquasecurity/trivy/pkg/types"
"github.com/aquasecurity/trivy/pkg/version/doc"
)

var showSuppressedOnce = sync.OnceFunc(func() {
log.Info(`Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.`)
})
const (
vexNotice = `
For OSS Maintainers: VEX Notice
--------------------------------
If you're an OSS maintainer and Trivy has detected vulnerabilities in your project that you believe are not actually exploitable, consider issuing a VEX (Vulnerability Exploitability eXchange) statement.
VEX allows you to communicate the actual status of vulnerabilities in your project, improving security transparency and reducing false positives for your users.
Learn more and start using VEX: %s
To disable this notice, set the TRIVY_DISABLE_VEX_NOTICE environment variable.
`
envDisableNotice = "TRIVY_DISABLE_VEX_NOTICE"
)

var (
showVEXNoticeOnce = &sync.Once{}
showSuppressedOnce = sync.OnceFunc(func() {
log.Info(`Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.`)
})
)

type vulnerabilityRenderer struct {
w *bytes.Buffer
Expand Down Expand Up @@ -73,6 +93,14 @@ func (r *vulnerabilityRenderer) Render() string {
}

func (r *vulnerabilityRenderer) renderDetectedVulnerabilities() {
// Show VEX notice only on CI
showVEXNoticeOnce.Do(func() {
if os.Getenv(envDisableNotice) != "" || os.Getenv("CI") == "" {
return
}
_, _ = color.New(color.FgCyan).Fprintf(r.w, vexNotice, doc.URL("docs/supply-chain/vex/repo", "publishing-vex-documents"))
})

tw := newTableWriter(r.w, r.isTerminal)
r.setHeaders(tw)
r.setVulnerabilityRows(tw, r.result.Vulnerabilities)
Expand Down

0 comments on commit 805592d

Please sign in to comment.