Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

fix: update ignored vulnerability count in tui #1837

Merged
merged 2 commits into from
May 1, 2024
Merged

fix: update ignored vulnerability count in tui #1837

merged 2 commits into from
May 1, 2024

Conversation

kzantow
Copy link
Contributor

@kzantow kzantow commented Apr 30, 2024
edited
Loading

The number of ignored matches was not being updated in the TUI, causing confusing numbers to be displayed. For example, scanning the golang:latest resulted in:

$ grype golang:latest -o json | jq '.matches | length'
 ✔ Scanned for vulnerabilities     [454 vulnerability matches]  
   ├── by severity: 1 critical, 35 high, 82 medium, 8 low, 231 negligible (97 unknown)
   └── by status:   0 fixed, 454 not-fixed, 0 ignored 
297

With this fix, it now reads:

$ grype golang:latest -o json | jq '.matches | length'
 ✔ Scanned for vulnerabilities     [297 vulnerability matches]  
   ├── by severity: 1 critical, 35 high, 82 medium, 8 low, 231 negligible (97 unknown)
   └── by status:   0 fixed, 454 not-fixed, 157 ignored 
297

Additionally, when using --by-cve, ignored matches were not being reported properly due to applying the ignore rules twice. This PR also corrects that issue, which results in correct counts being reported in the TUI when using that option and correct ignored matches being reported in the JSON. Before:

$ grype golang:latest -o json --by-cve | jq '.matches | length'
 ✔ Scanned for vulnerabilities     [454 vulnerability matches]  
   ├── by severity: 1 critical, 35 high, 82 medium, 8 low, 231 negligible (97 unknown)
   └── by status:   0 fixed, 454 not-fixed, 0 ignored 
297

$ grype golang:latest -o json --by-cve | jq '.ignoredMatches | length'
0

After:

grype golang:latest -o json --by-cve | jq '.matches | length'
 ✔ Scanned for vulnerabilities     [297 vulnerability matches]  
   ├── by severity: 1 critical, 35 high, 82 medium, 8 low, 231 negligible (97 unknown)
   └── by status:   0 fixed, 454 not-fixed, 157 ignored 
297

grype golang:latest -o json --by-cve | jq '.ignoredMatches | length'
157

TODO:

  • update tests

@kzantow
fix: update ignored vulnerability count in tui
a22a0b0 
Signed-off-by: Keith Zantow <kzantow@gmail.com>
@kzantow kzantow marked this pull request as draft April 30, 2024 19:13
@kzantow
fix: correct ignored matches when using --by-cve
389c4f8 
Signed-off-by: Keith Zantow <kzantow@gmail.com>
@kzantow kzantow marked this pull request as ready for review May 1, 2024 15:16
kzantow
kzantow commented May 1, 2024
View reviewed changes
grype/vulnerability_matcher_test.go
Match: match.Match{
Vulnerability: vulnerability.Vulnerability{
Constraint: version.MustGetConstraint("< 3.7.6", version.UnknownFormat),
ID: "CVE-2014-fake-3",
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When using --by-cve, the ignored matches are also oriented by CVE.

@kzantow kzantow merged commit bd16101 into main May 1, 2024
10 checks passed
@kzantow kzantow deleted the fix/ignored-match-count-tui branch May 1, 2024 15:46
@kzantow kzantow added the bug Something isn't working label May 1, 2024
@luhring
Copy link
Contributor

luhring commented May 1, 2024

Thanks for this! 🎉

@BrewTestBot BrewTestBot mentioned this pull request May 1, 2024
Merged
@tgerla tgerla mentioned this pull request May 2, 2024
Closed
# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers

@wagoodman wagoodman wagoodman approved these changes

Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@kzantow @luhring @wagoodman