Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix grype output to show CVE version number and fix #2580

Closed
1 task
coilysiren opened this issue Oct 25, 2024 · 2 comments
Closed
1 task

Fix grype output to show CVE version number and fix #2580

coilysiren opened this issue Oct 25, 2024 · 2 comments
Assignees
@acouch

Comments

@coilysiren
Copy link
Collaborator

coilysiren commented Oct 25, 2024
edited by acouch
Loading

Summary

Followup to #2542

I was able to get this working locally with: grype -o template -t ./csv.tmpl --fail-on medium analytics-grants-analytics --only-fixed using the following template:

"Package","Version Installed","Vulnerability ID","Severity","Locations"
{{- range .Matches}}
"{{.Artifact.Name}}","{{.Artifact.Version}}","{{.Vulnerability.ID}}","{{.Vulnerability.Severity}}","{{ (index .Artifact.Locations 0).RealPath }}"
{{- end}}

which outputs:

"Package","Version Installed","Vulnerability ID","Severity","Locations"
"stdlib","go1.22.6","CVE-2024-34158","High","/usr/bin/gh"
"stdlib","go1.22.6","CVE-2024-34156","High","/usr/bin/gh"
"stdlib","go1.22.6","CVE-2024-34155","Unknown","/usr/bin/gh"

However, the github scan doesn't support the template output: anchore/scan-action#397

We could either:

  1. wait and try and contribute a fix up-steam to the linked issue
  2. run grype in GA without the anchore scan
  3. parse the results.json file differently. The challenge is that the artifact with the path is adjacent to the vulernabilty with the ID and fix:
    Image
  4. could just run the same scan twice with both outputs

Acceptance criteria

  • CVE and path available in GA
@coilysiren
Copy link
Collaborator Author

could just run the same scan twice with both outputs

@acouch this is exactly what I was thinking about earlier

This was referenced Oct 28, 2024
Merged
Merged
coilysiren added a commit that referenced this issue Oct 28, 2024
@coilysiren
[Issue #2580] Run vulnerability scans twice (#2598)
8233cc7 
## Changes

Runs vulnerability scans twice so we can get both the version fixes and
CVE locations

## Context 

This is a patchwork fix for #2580. I would rather fix this upstream, so
I'm not making this PR as resolving #2580
@acouch acouch self-assigned this Oct 28, 2024
@acouch
Copy link
Collaborator

acouch commented Oct 28, 2024

Closing as the above comment was implemented.

@acouch acouch closed this as completed Oct 28, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@acouch acouch

Labels
None yet
Projects
Simpler.Grants.gov Product Backlog
Status: Done
Milestone
No milestone
Development

No branches or pull requests
2 participants
@acouch @coilysiren