
grype 0.64.0 doesn't list vulnerabilities if --fail-on fails #1392

Closed
kwelch426 opened this issue Jul 17, 2023 · 3 comments · Fixed by #1395
kwelch426 commented Jul 17, 2023

What happened: Updated grype from 0.59.1 to 0.64.0 in our build pipeline which runs: grype containername -q -f critical --only-fixed.
It used to display a report with the list of vulnerabilities in a table. Now we just see:

1 error occurred:
	* discovered vulnerabilities at or above the severity threshold

What you expected to happen: We expect there to be a table output with the vulnerabilities listed like in previous versions.

NAME                     INSTALLED                     FIXED-IN                      TYPE          VULNERABILITY        SEVERITY
...
zlib1g                   1:1.2.11.dfsg-1               1:1.2.11.dfsg-1+deb10u1       deb           CVE-2018-25032       High        
zlib1g                   1:1.2.11.dfsg-1               1:1.2.11.dfsg-1+deb10u2       deb           CVE-2022-37434       Critical 

How to reproduce it (as minimally and precisely as possible): Grype 0.63.0 works correctly. Download it and run grype containername -q -f critical --only-fixed. Replace containername with a container with known critical vulnerabilities. Then run the same command using grype 0.64.0.

Anything else we need to know?:

Environment: N/A

  • Output of grype version: 0.64.0
  • OS (e.g: cat /etc/os-release or similar): Ubuntu 22.04.01 LTS
@kwelch426 kwelch426 added the bug Something isn't working label Jul 17, 2023

Atharex commented Jul 19, 2023

Seeing the same behavior, as well as Grype ignoring the .grype.yaml whitelist of CVEs

Downgrading to Grype v0.63.1 resolves both issues.

It seems there was an API break between v0.63.1 -> v0.64.0 that broke both functionalities

@willmurphyscode willmurphyscode self-assigned this Jul 19, 2023
willmurphyscode (Contributor) commented

Hi @kwelch426 and @Atharex, thanks for the bug reports.

For the issue reported here, I've reproduced it on latest grype. Note that it only happens in the failure case:

# list is not printed on failure
❯ grype alpine:3.12.11 -f critical -q --only-fixed --platform linux/amd64
1 error occurred:
	* discovered vulnerabilities at or above the severity threshold
# list is printed if no vulnerability is above threshold:
❯ grype alpine:latest -f critical -q --only-fixed --platform linux/amd64
NAME        INSTALLED  FIXED-IN  TYPE  VULNERABILITY  SEVERITY
libcrypto3  3.1.1-r1   3.1.1-r2  apk   CVE-2023-2975  Unknown
libssl3     3.1.1-r1   3.1.1-r2  apk   CVE-2023-2975  Unknown
# latest version of grype
❯ grype version
Application:          grype
Version:              0.64.1
Syft Version:         v0.85.0
BuildDate:            2023-07-17T20:16:34Z
GitCommit:            brew
GitDescription:       [not provided]
Platform:             darwin/arm64
GoVersion:            go1.20.6
Compiler:             gc
Supported DB Schema:  5

Here's the previous behavior of grype (by cloning grype, checking out the tag v0.63.1 and running):

❯ go run main.go alpine:3.12.11 -f critical -q --only-fixed --platform linux/amd64
NAME        INSTALLED   FIXED-IN    TYPE  VULNERABILITY   SEVERITY
busybox     1.31.1-r21  1.31.1-r22  apk   CVE-2022-28391  High
ssl_client  1.31.1-r21  1.31.1-r22  apk   CVE-2022-28391  High
zlib        1.2.12-r0   1.2.12-r2   apk   CVE-2022-37434  Critical
1 error occurred:
	* discovered vulnerabilities at or above the severity threshold

exit status 1

I'll try to also repro the issue @Atharex reported and probably open a separate issue for it. @Atharex, do you have an example config and image that exhibits the issue you're seeing, that you're comfortable sharing here?
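The behaviour both the reporter and the v0.63.1 run above expect, the table printed and the command still failing, as an added example that is not grype's own code: it post-processes a constructed `grype -o json` excerpt, applies `--only-fixed` and a `--fail-on` threshold itself, and always returns the table alongside the exit code. The JSON field layout (matches[].vulnerability.id/.severity/.fix and matches[].artifact) and the placeholder id CVE-0000-0000 are assumptions.

```python
import json
from typing import Dict, List, Tuple

# Severity ordering as grype prints it; "Unknown" never satisfies a threshold.
SEVERITY_RANK = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed `grype -o json` excerpt (assumed layout: matches[].vulnerability and
# matches[].artifact) with the alpine:3.12.11 findings quoted above plus one unfixed match.
SAMPLE_JSON = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-2022-28391", "severity": "High",
                       "fix": {"versions": ["1.31.1-r22"], "state": "fixed"}},
     "artifact": {"name": "busybox", "version": "1.31.1-r21", "type": "apk"}},
    {"vulnerability": {"id": "CVE-2022-37434", "severity": "Critical",
                       "fix": {"versions": ["1.2.12-r2"], "state": "fixed"}},
     "artifact": {"name": "zlib", "version": "1.2.12-r0", "type": "apk"}},
    {"vulnerability": {"id": "CVE-0000-0000", "severity": "Critical",  # placeholder id
                       "fix": {"versions": [], "state": "not-fixed"}},
     "artifact": {"name": "example-pkg", "version": "1.0", "type": "apk"}}]})

def select_matches(doc: Dict, only_fixed: bool) -> List[Dict]:
    """Apply the --only-fixed filter: keep only matches whose fix state is 'fixed'."""
    matches = doc.get("matches", [])
    if only_fixed:
        matches = [m for m in matches if m["vulnerability"].get("fix", {}).get("state") == "fixed"]
    return matches

def render_table(matches: List[Dict]) -> List[str]:
    """Format matches as the NAME/INSTALLED/FIXED-IN/TYPE/VULNERABILITY/SEVERITY table."""
    header = ("NAME", "INSTALLED", "FIXED-IN", "TYPE", "VULNERABILITY", "SEVERITY")
    rows = [(m["artifact"]["name"], m["artifact"]["version"],
             ", ".join(m["vulnerability"].get("fix", {}).get("versions", [])),
             m["artifact"]["type"], m["vulnerability"]["id"],
             m["vulnerability"].get("severity", "Unknown")) for m in matches]
    widths = [max(len(r[i]) for r in [header, *rows]) for i in range(len(header))]
    fmt = "  ".join("{:<%d}" % w for w in widths)
    return [fmt.format(*header)] + [fmt.format(*r) for r in rows]

def scan_report(raw_json: str, fail_on: str = "", only_fixed: bool = False) -> Tuple[List[str], int]:
    """Return (report lines, exit code): the table is always included, and the exit
    code is 1 only when some listed match is at or above the fail_on severity."""
    matches = select_matches(json.loads(raw_json), only_fixed)
    lines = render_table(matches)
    threshold = SEVERITY_RANK.get(fail_on.lower(), None)
    hits = [m for m in matches if threshold is not None and
            SEVERITY_RANK.get(m["vulnerability"].get("severity", "").lower(), -1) >= threshold]
    if hits:
        lines.append("1 error occurred:\n\t* discovered vulnerabilities at or above the severity threshold")
    return lines, 1 if hits else 0
```

In a pipeline this runs as `grype image -o json | python3 report.py`, so the table is always written to the log before the job fails on the returned exit code.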

spiffcs (Contributor) commented Jul 19, 2023

> Seeing the same behavior, as well as Grype ignoring the .grype.yaml whitelist of CVEs
>
> Downgrading to Grype v0.63.1 resolves both issues.
>
> It seems there was an API break between v0.63.1 -> v0.64.0 that broke both functionalities

@Atharex can you open a separate issue with steps to reproduce the whitelist issue you're seeing? We'll keep this issue alive for the issue of not showing an output on failure.

My attempt was not successful

~/.grype.yaml

default-image-pull-source: "registry"
by-cve: true
ignore:
  - vulnerability: CVE-2019-1010025

Allowed

grype debian:latest | grep CVE-2019-1010025
 ✔ Vulnerability DB                [no update available]
 ✔ Parsed image                                                     sha256:3676c78a12ad77e170916695d2f192797ddd3eb653d7a1b1ad4c20ab5471891a
 ✔ Cataloged packages              [88 packages]
 ✔ Scanned for vulnerabilities     [51 vulnerabilities]
   ├── 0 critical, 1 high, 0 medium, 3 low, 47 negligible
   └── 0 fixed

~/.grype.yaml

default-image-pull-source: "registry"
by-cve: true

Found

grype debian:latest | grep CVE-2019-1010025
 ✔ Vulnerability DB                [no update available]
 ✔ Parsed image                                                     sha256:3676c78a12ad77e170916695d2f192797ddd3eb653d7a1b1ad4c20ab5471891a
 ✔ Cataloged packages              [88 packages]
 ✔ Scanned for vulnerabilities     [51 vulnerabilities]
   ├── 0 critical, 1 high, 0 medium, 3 low, 47 negligible
   └── 0 fixed
libc-bin          2.36-9                          deb   CVE-2019-1010025  Negligible
libc6             2.36-9                          deb   CVE-2019-1010025  Negligible
