Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore: show VEX notice for OSS maintainers in CI environments #7246

Merged
merged 2 commits into from
Jul 29, 2024
Merged

chore: show VEX notice for OSS maintainers in CI environments #7246

Changes from 1 commit
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
031d6a8
chore: show VEX notice on CI
knqyf263 Jul 29, 2024
a41fbca
test: suppress notice
knqyf263 Jul 29, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
34 changes: 31 additions & 3 deletions pkg/report/table/vulnerability.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,12 +3,14 @@ package table
import (
"bytes"
"fmt"
"os"
"path/filepath"
"slices"
"sort"
"strings"
"sync"

"github.com/fatih/color"
"github.com/samber/lo"
"github.com/xlab/treeprint"

Expand All @@ -18,11 +20,29 @@ import (
ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
"github.com/aquasecurity/trivy/pkg/log"
"github.com/aquasecurity/trivy/pkg/types"
"github.com/aquasecurity/trivy/pkg/version/doc"
)

var showSuppressedOnce = sync.OnceFunc(func() {
log.Info(`Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.`)
})
const (
vexNotice = `
For OSS Maintainers: VEX Notice
--------------------------------
If you're an OSS maintainer and Trivy has detected vulnerabilities in your project that you believe are not actually exploitable, consider issuing a VEX (Vulnerability Exploitability eXchange) statement.
VEX allows you to communicate the actual status of vulnerabilities in your project, improving security transparency and reducing false positives for your users.
Learn more and start using VEX: %s

To disable this notice, set the TRIVY_DISABLE_VEX_NOTICE environment variable.

`
envDisableNotice = "TRIVY_DISABLE_VEX_NOTICE"
)

var (
showVEXNoticeOnce = &sync.Once{}
showSuppressedOnce = sync.OnceFunc(func() {
log.Info(`Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.`)
})
)

type vulnerabilityRenderer struct {
w *bytes.Buffer
Expand Down Expand Up @@ -73,6 +93,14 @@ func (r *vulnerabilityRenderer) Render() string {
}

func (r *vulnerabilityRenderer) renderDetectedVulnerabilities() {
// Show VEX notice only on CI
showVEXNoticeOnce.Do(func() {
if os.Getenv(envDisableNotice) != "" || os.Getenv("CI") == "" {
return
}
_, _ = color.New(color.FgCyan).Fprintf(r.w, vexNotice, doc.URL("docs/supply-chain/vex/repo", "publishing-vex-documents"))
})

tw := newTableWriter(r.w, r.isTerminal)
r.setHeaders(tw)
r.setVulnerabilityRows(tw, r.result.Vulnerabilities)
Expand Down
Loading