Skip to content

Commit

Permalink
Add option to include severity in table output (#409)
Browse files Browse the repository at this point in the history
Add an optional `--include-severity` flag to include a severity column
when using table or markdown output, when severity is present in the OSV
schema.

---------

Co-authored-by: Hayley Denbraver <[email protected]>
  • Loading branch information
giovanni-bozzano and Hayley Denbraver authored Jun 23, 2023
1 parent e70f192 commit 24be1d4
Show file tree
Hide file tree
Showing 5 changed files with 67 additions and 31 deletions.
58 changes: 29 additions & 29 deletions cmd/osv-scanner/main_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -144,18 +144,18 @@ func TestRun(t *testing.T) {
wantStdout: `
Scanning dir ./fixtures/sbom-insecure/postgres-stretch.cdx.xml
Scanned %%/fixtures/sbom-insecure/postgres-stretch.cdx.xml as CycloneDX SBOM and found 136 packages
+-------------------------------------+-----------+---------+------------------------------------+-------------------------------------------------+
| OSV URL (ID IN BOLD) | ECOSYSTEM | PACKAGE | VERSION | SOURCE |
+-------------------------------------+-----------+---------+------------------------------------+-------------------------------------------------+
| https://osv.dev/GHSA-v95c-p5hm-xq8f | Go | runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GO-2022-0274 | | | | |
| https://osv.dev/GHSA-f3fp-gc8g-vw66 | Go | runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-g2j6-57v7-gm8c | Go | runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-m8cg-xc2p-r3fc | Go | runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-vpvm-3wq2-2wvm | Go | runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-p782-xgp4-8hr8 | Go | sys | v0.0.0-20210817142637-7d9622a276b7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GO-2022-0493 | | | | |
+-------------------------------------+-----------+---------+------------------------------------+-------------------------------------------------+
+-------------------------------------+------+-----------+---------+------------------------------------+-------------------------------------------------+
| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | SOURCE |
+-------------------------------------+------+-----------+---------+------------------------------------+-------------------------------------------------+
| https://osv.dev/GHSA-v95c-p5hm-xq8f | 6 | Go | runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GO-2022-0274 | | | | | |
| https://osv.dev/GHSA-f3fp-gc8g-vw66 | 5.9 | Go | runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-g2j6-57v7-gm8c | 6.1 | Go | runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-m8cg-xc2p-r3fc | 2.5 | Go | runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-vpvm-3wq2-2wvm | 7 | Go | runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-p782-xgp4-8hr8 | 5.3 | Go | sys | v0.0.0-20210817142637-7d9622a276b7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GO-2022-0493 | | | | | |
+-------------------------------------+------+-----------+---------+------------------------------------+-------------------------------------------------+
`,
wantStderr: "",
},
Expand Down Expand Up @@ -379,11 +379,11 @@ func TestRun_LockfileWithExplicitParseAs(t *testing.T) {
Scanned %%/fixtures/locks-insecure/my-package-lock.json file as a package-lock.json and found 1 packages
Scanning dir ./fixtures/locks-insecure
Scanned %%/fixtures/locks-insecure/composer.lock file and found 0 packages
+-------------------------------------+-----------+-----------+---------+----------------------------------------------+
| OSV URL (ID IN BOLD) | ECOSYSTEM | PACKAGE | VERSION | SOURCE |
+-------------------------------------+-----------+-----------+---------+----------------------------------------------+
| https://osv.dev/GHSA-whgm-jr23-g3j9 | npm | ansi-html | 0.0.1 | fixtures/locks-insecure/my-package-lock.json |
+-------------------------------------+-----------+-----------+---------+----------------------------------------------+
+-------------------------------------+------+-----------+-----------+---------+----------------------------------------------+
| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | SOURCE |
+-------------------------------------+------+-----------+-----------+---------+----------------------------------------------+
| https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5 | npm | ansi-html | 0.0.1 | fixtures/locks-insecure/my-package-lock.json |
+-------------------------------------+------+-----------+-----------+---------+----------------------------------------------+
`,
wantStderr: "",
},
Expand All @@ -402,12 +402,12 @@ func TestRun_LockfileWithExplicitParseAs(t *testing.T) {
Scanned %%/fixtures/locks-insecure/my-yarn.lock file as a yarn.lock and found 1 packages
Scanning dir ./fixtures/locks-insecure
Scanned %%/fixtures/locks-insecure/composer.lock file and found 0 packages
+-------------------------------------+-----------+-----------+---------+----------------------------------------------+
| OSV URL (ID IN BOLD) | ECOSYSTEM | PACKAGE | VERSION | SOURCE |
+-------------------------------------+-----------+-----------+---------+----------------------------------------------+
| https://osv.dev/GHSA-whgm-jr23-g3j9 | npm | ansi-html | 0.0.1 | fixtures/locks-insecure/my-package-lock.json |
| https://osv.dev/GHSA-whgm-jr23-g3j9 | npm | ansi-html | 0.0.1 | fixtures/locks-insecure/my-yarn.lock |
+-------------------------------------+-----------+-----------+---------+----------------------------------------------+
+-------------------------------------+------+-----------+-----------+---------+----------------------------------------------+
| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | SOURCE |
+-------------------------------------+------+-----------+-----------+---------+----------------------------------------------+
| https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5 | npm | ansi-html | 0.0.1 | fixtures/locks-insecure/my-package-lock.json |
| https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5 | npm | ansi-html | 0.0.1 | fixtures/locks-insecure/my-yarn.lock |
+-------------------------------------+------+-----------+-----------+---------+----------------------------------------------+
`,
wantStderr: "",
},
Expand All @@ -425,12 +425,12 @@ func TestRun_LockfileWithExplicitParseAs(t *testing.T) {
Scanned %%/fixtures/locks-insecure/my-package-lock.json file as a package-lock.json and found 1 packages
Scanning dir ./fixtures/locks-insecure
Scanned %%/fixtures/locks-insecure/composer.lock file and found 0 packages
+-------------------------------------+-----------+-----------+---------+----------------------------------------------+
| OSV URL (ID IN BOLD) | ECOSYSTEM | PACKAGE | VERSION | SOURCE |
+-------------------------------------+-----------+-----------+---------+----------------------------------------------+
| https://osv.dev/GHSA-whgm-jr23-g3j9 | npm | ansi-html | 0.0.1 | fixtures/locks-insecure/my-package-lock.json |
| https://osv.dev/GHSA-whgm-jr23-g3j9 | npm | ansi-html | 0.0.1 | fixtures/locks-insecure/my-yarn.lock |
+-------------------------------------+-----------+-----------+---------+----------------------------------------------+
+-------------------------------------+------+-----------+-----------+---------+----------------------------------------------+
| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | SOURCE |
+-------------------------------------+------+-----------+-----------+---------+----------------------------------------------+
| https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5 | npm | ansi-html | 0.0.1 | fixtures/locks-insecure/my-package-lock.json |
| https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5 | npm | ansi-html | 0.0.1 | fixtures/locks-insecure/my-yarn.lock |
+-------------------------------------+------+-----------+-----------+---------+----------------------------------------------+
`,
wantStderr: "",
},
Expand Down
2 changes: 2 additions & 0 deletions go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@ require (
github.com/CycloneDX/cyclonedx-go v0.7.1
github.com/go-git/go-billy/v5 v5.4.1
github.com/go-git/go-git/v5 v5.7.0
github.com/goark/go-cvss v1.6.6
github.com/google/go-cmp v0.5.9
github.com/jedib0t/go-pretty/v6 v6.4.6
github.com/kr/pretty v0.3.1
Expand All @@ -31,6 +32,7 @@ require (
github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
github.com/emirpasic/gods v1.18.1 // indirect
github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
github.com/goark/errs v1.1.0 // indirect
github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
github.com/imdario/mergo v0.3.15 // indirect
github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
Expand Down
4 changes: 4 additions & 0 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,10 @@ github.com/go-git/go-billy/v5 v5.4.1/go.mod h1:vjbugF6Fz7JIflbVpl1hJsGjSHNltrSw4
github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20230305113008-0c11038e723f h1:Pz0DHeFij3XFhoBRGUDPzSJ+w2UcK5/0JvF8DRI58r8=
github.com/go-git/go-git/v5 v5.7.0 h1:t9AudWVLmqzlo+4bqdf7GY+46SUuRsx59SboFxkq2aE=
github.com/go-git/go-git/v5 v5.7.0/go.mod h1:coJHKEOk5kUClpsNlXrUvPrDxY3w3gjHvhcZd8Fodw8=
github.com/goark/errs v1.1.0 h1:FKnyw4LVyRADIjM8Nj0Up6r0/y5cfADvZAd1E+tthXE=
github.com/goark/errs v1.1.0/go.mod h1:TtaPEoadm2mzqzfXdkkfpN2xuniCFm2q4JH+c1qzaqw=
github.com/goark/go-cvss v1.6.6 h1:WJFuIWqmAw1Ilb9USv0vuX+nYzOWJp8lIujseJ/y3sU=
github.com/goark/go-cvss v1.6.6/go.mod h1:H3qbfUSUlV7XtA3EwWNunvXz6OySwWHOuO+R6ZPMQPI=
github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
Expand Down
2 changes: 1 addition & 1 deletion internal/output/markdowntable.go
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ import (
func PrintMarkdownTableResults(vulnResult *models.VulnerabilityResults, outputWriter io.Writer) {
outputTable := table.NewWriter()
outputTable.SetOutputMirror(outputWriter)
outputTable.AppendHeader(table.Row{"OSV URL", "Ecosystem", "Package", "Version", "Source"})
outputTable.AppendHeader(table.Row{"OSV URL", "CVSS", "Ecosystem", "Package", "Version", "Source"})

outputTable = tableBuilder(outputTable, vulnResult, false)

Expand Down
32 changes: 31 additions & 1 deletion internal/output/table.go
Original file line number Diff line number Diff line change
@@ -1,11 +1,15 @@
package output

import (
"fmt"
"io"
"os"
"path/filepath"
"strings"

v2_metric "github.com/goark/go-cvss/v2/metric"
v3_metric "github.com/goark/go-cvss/v3/metric"

"github.com/google/osv-scanner/pkg/models"
"github.com/google/osv-scanner/pkg/osv"

Expand All @@ -18,7 +22,7 @@ import (
func PrintTableResults(vulnResult *models.VulnerabilityResults, outputWriter io.Writer) {
outputTable := table.NewWriter()
outputTable.SetOutputMirror(outputWriter)
outputTable.AppendHeader(table.Row{"OSV URL (ID In Bold)", "Ecosystem", "Package", "Version", "Source"})
outputTable.AppendHeader(table.Row{"OSV URL", "CVSS", "Ecosystem", "Package", "Version", "Source"})
width, _, err := term.GetSize(int(os.Stdout.Fd()))
isTerminal := false
if err == nil { // If output is a terminal, set max length to width and add styling
Expand Down Expand Up @@ -100,6 +104,32 @@ func tableBuilderInner(vulnResult *models.VulnerabilityResults, addStyling bool,

outputRow = append(outputRow, strings.Join(links, "\n"))

var outputSeverities []string
for _, vulnID := range group.IDs {
var severities []models.Severity
for _, vuln := range pkg.Vulnerabilities {
if vuln.ID == vulnID {
severities = vuln.Severity
}
}
for _, severity := range severities {
var outputSeverity string
switch severity.Type {
case models.SeverityCVSSV2:
numericSeverity, _ := v2_metric.NewBase().Decode(severity.Score)
outputSeverity = fmt.Sprintf("%v", numericSeverity.Score())
case models.SeverityCVSSV3:
numericSeverity, _ := v3_metric.NewBase().Decode(severity.Score)
outputSeverity = fmt.Sprintf("%v", numericSeverity.Score())
default:
outputSeverity = severity.Score
}

outputSeverities = append(outputSeverities, outputSeverity)
}
}
outputRow = append(outputRow, strings.Join(outputSeverities, ",\n"))

if pkg.Package.Ecosystem == "GIT" {
outputRow = append(outputRow, "GIT", pkg.Package.Version, pkg.Package.Version)
shouldMerge = true
Expand Down

0 comments on commit 24be1d4

Please sign in to comment.