The summary by severity is confusing #1312
Labels: bug (Something isn't working)
Comments
I also agree to this post. @luhring You can check all the vulnerabilities with the
Indeed. Perhaps it would get us "back on track", to more closely mimic something like what Prismacloud is doing.
jneate added a commit to jneate/grype that referenced this issue on Jun 1, 2023:
Signed-off-by: James Neate <[email protected]>
Thanks @kzantow!! 🤘
What happened:
Back in August, someone opened an issue asking Grype to show a summary of vulnerability matches by severity: #877. This was a very logical idea, it's a great way to get an overall sense of a scan result.
The implementation ended up leveraging Grype's internal eventing system to "live update" the severity counts, but I think some tradeoffs were made that resulted in a user experience that raises more questions than it answers.
It's now not uncommon to see output from Grype like this:
Since this UX change, I've personally been asked by confused users, "what is this trying to tell me?" or "what is this hiding?" at least once a week.
What you expected to happen:
If Grype is deciding conclusively that a vulnerability does not match a package, it should never imply to the user that they might need to worry about that match.
This means two things:
I mention the second point because it could be tempting to lean further into the eventing system, and have the severity counts decrement during Grype's filtering stage. I would caution against going this route — because that will raise even more questions about what Grype is doing (and possibly hiding). Users want this summary because they want to get a high level impression at a glance, not to dive into the inner workings of Grype's implementation.
My overall advice is to keep this simple, and that will go a long way for Grype's users.
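The following is an added example, not Grype's own code, of the "keep it simple" design this issue argues for: the severity summary is computed only from the final, filtered match set, so it can never count a match that Grype has already decided does not apply. The Match and IgnoreRule types, the sample matches and the CVE-style identifiers are all constructed for illustration and do not correspond to Grype's real data model or to real vulnerabilities.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Match is a simplified vulnerability match (constructed for this example,
// not Grype's match model).
type Match struct {
	VulnID   string
	Package  string
	Severity string
}

// IgnoreRule drops matches by vulnerability ID and/or package name; an empty
// field acts as a wildcard. Also constructed for this example.
type IgnoreRule struct {
	VulnID  string
	Package string
}

// Matches reports whether the rule applies to m.
func (r IgnoreRule) Matches(m Match) bool {
	return (r.VulnID == "" || r.VulnID == m.VulnID) &&
		(r.Package == "" || r.Package == m.Package)
}

// ApplyIgnoreRules returns only the matches that survive filtering. Everything
// downstream (the summary, the table) is derived from this final set.
func ApplyIgnoreRules(matches []Match, rules []IgnoreRule) []Match {
	var kept []Match
	for _, m := range matches {
		ignored := false
		for _, r := range rules {
			if r.Matches(m) {
				ignored = true
				break
			}
		}
		if !ignored {
			kept = append(kept, m)
		}
	}
	return kept
}

// SummarizeBySeverity counts the final matches per severity. Because it is a
// pure function of the filtered set, there is no live counter to decrement
// and nothing for the user to wonder about.
func SummarizeBySeverity(final []Match) map[string]int {
	counts := make(map[string]int)
	for _, m := range final {
		counts[m.Severity]++
	}
	return counts
}

// severityOrder keeps the printed summary stable and worst-first; any
// severity label not listed here is appended alphabetically.
var severityOrder = []string{"Critical", "High", "Medium", "Low", "Negligible", "Unknown"}

// FormatSummary renders the counts as a single line, e.g.
// "Vulnerabilities: 1 critical, 2 high".
func FormatSummary(counts map[string]int) string {
	seen := make(map[string]bool)
	var parts []string
	for _, s := range severityOrder {
		seen[s] = true
		if n := counts[s]; n > 0 {
			parts = append(parts, fmt.Sprintf("%d %s", n, strings.ToLower(s)))
		}
	}
	var extra []string
	for s := range counts {
		if !seen[s] {
			extra = append(extra, s)
		}
	}
	sort.Strings(extra)
	for _, s := range extra {
		parts = append(parts, fmt.Sprintf("%d %s", counts[s], strings.ToLower(s)))
	}
	if len(parts) == 0 {
		return "No vulnerabilities found"
	}
	return "Vulnerabilities: " + strings.Join(parts, ", ")
}

// SampleMatches returns constructed scan results; the IDs are placeholders.
func SampleMatches() []Match {
	return []Match{
		{VulnID: "CVE-0000-0001", Package: "libfoo", Severity: "Critical"},
		{VulnID: "CVE-0000-0002", Package: "libfoo", Severity: "High"},
		{VulnID: "CVE-0000-0003", Package: "libbar", Severity: "High"},
		{VulnID: "CVE-0000-0004", Package: "libbaz", Severity: "Low"},
	}
}

// SampleRules ignores one specific ID and every match on one package.
func SampleRules() []IgnoreRule {
	return []IgnoreRule{{VulnID: "CVE-0000-0002"}, {Package: "libbaz"}}
}

func main() {
	final := ApplyIgnoreRules(SampleMatches(), SampleRules())
	fmt.Println(FormatSummary(SummarizeBySeverity(final)))
}
```

Run as-is it prints a summary for the two surviving matches only; the two ignored matches never appear in the counts, so the summary and the table underneath it always agree.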