Fix cache severity bug, AI exit code, HTML crash, and score weighting gaps (2026.7.2) #128

Merged
advaitpatel merged 2 commits into main from fix/scan-cache-severity-and-scoring-gaps on Jul 2, 2026

Conversation

@advaitpatel (Collaborator)

Summary

Six fixes found during manual CLI verification of the Phase 0-3 feature set, bundled as patch release 2026.7.2:

  • ScanResultsCache keyed results by image name only, so scanning an image at a narrow --severity and then re-scanning at a wider severity silently served the stale narrower cache, dropping real HIGH/MEDIUM findings from the report. The cache key now includes the normalized severity list.
  • AI analysis failures (bad provider/API key, model error) printed an error but still exited 0, contradicting the documented exit-code contract. AI failures now exit 3, same as scan failures.
  • Trivy can return "Title": null for a finding; the HTML report writer called len() on it unconditionally and crashed generation for the whole report. Vulnerability ID, package name, installed version, and title are now null-safe in the HTML report.
  • --compose --scan-only printed an unrelated "No image provided ... Running Dockerfile analysis only" message; now scoped to non-compose runs.
  • When every per-service image scan in a compose file failed, the score calculator excluded the vulnerabilities axis from the weighted average even though compose static-misconfiguration findings existed — a compose file with multiple CRITICAL findings could score "GOOD". The vulnerabilities axis now always counts when findings exist.
  • A Dockerfile with hardcoded credentials and other severe misconfigurations could still land in the mid-40s ("POOR" but not alarming) due to the blended score diluting the credential penalty. Overall score is now capped at 20/100 when a credential-looking ENV var is detected.

Version bumped to 2026.7.2 in setup.py; docs/CHANGELOG.md updated with a dated [2026.7.2] section.

Test plan

  • pytest tests/ — 157 passed
  • Reproduced and verified the cache/severity fix: scan itombot:1.0.5 at --severity CRITICAL, then --severity CRITICAL,HIGH,MEDIUM — second run no longer reuses the narrow cache and reports the full finding count
  • Verified AI failure with no API key exits 3 (was 0)
  • Verified HTML report generates without crashing on a python:3.9 scan containing a null-Title finding
  • Verified --compose --scan-only no longer prints the Dockerfile message
  • Verified compose scoring: insecure compose fixture with failed per-service image scans now scores 53/FAIR (was 80/GOOD)
  • Verified credential-exposure cap: vulnerable-dockerfile fixture now scores 20/POOR (was 45/POOR); a clean fixture with no credentials is unaffected (100/EXCELLENT)
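
The first fix in the list above, the cache that served a CRITICAL-only result to a later CRITICAL,HIGH,MEDIUM scan, is easy to reproduce in isolation. The example below is added here and is not the project's own code: the class names, the fake scanner and the finding list are hypothetical stand-ins constructed for illustration, and the only thing it shares with the PR is the idea of putting a normalized severity tuple into the cache key. It shows the buggy image-only key beside the fixed key, and why the severity list must be normalized (trimmed, upper-cased, de-duplicated, fixed order) before it becomes part of the key, so that `--severity high,critical` and `--severity CRITICAL,HIGH` share one entry instead of two.

```python
"""Added example (not the project's own code): why a scan-result cache must be
keyed on the image AND the normalized severity filter.

Everything here is a hypothetical stand-in: the class names, fake_scan and
SAMPLE_FINDINGS are constructed for illustration only.
"""
from typing import Callable, Iterable, Tuple

SEVERITY_ORDER = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")

# Constructed sample findings: what the widest scan of one image would return.
SAMPLE_FINDINGS = [
    {"id": "VULN-1", "severity": "CRITICAL"},
    {"id": "VULN-2", "severity": "HIGH"},
    {"id": "VULN-3", "severity": "MEDIUM"},
]


def normalize_severities(severities: Iterable[str]) -> Tuple[str, ...]:
    """Canonical form of a --severity list: trimmed, upper-cased, de-duplicated,
    in a fixed order. 'high,critical' and 'CRITICAL, HIGH' map to the same
    tuple and so share one cache entry; an unknown level such as 'HGIH' is
    rejected instead of silently becoming a cache key of its own."""
    wanted = {s.strip().upper() for s in severities if s.strip()}
    unknown = wanted - set(SEVERITY_ORDER)
    if unknown:
        raise ValueError(f"unknown severity level(s): {sorted(unknown)}")
    return tuple(level for level in SEVERITY_ORDER if level in wanted)


def fake_scan(image: str, severities: Tuple[str, ...]) -> list:
    """Stand-in for invoking the real scanner: filters the constructed findings
    to the requested levels (the image argument is ignored on purpose)."""
    return [f for f in SAMPLE_FINDINGS if f["severity"] in severities]


class ScanResultsCache:
    """Base cache; subclasses decide what goes into the key."""

    def __init__(self, scanner: Callable[[str, Tuple[str, ...]], list]):
        self._scanner = scanner
        self._store = {}
        self.scanner_calls = 0  # lets a caller tell a cache hit from a miss

    def _key(self, image: str, severities: Tuple[str, ...]):
        raise NotImplementedError

    def scan(self, image: str, severities: Iterable[str]) -> list:
        normalized = normalize_severities(severities)
        key = self._key(image, normalized)
        if key not in self._store:
            self.scanner_calls += 1
            self._store[key] = self._scanner(image, normalized)
        return self._store[key]


class ImageKeyedCache(ScanResultsCache):
    """The buggy shape: any later scan of the same image, whatever its severity
    filter, gets whichever result happened to be cached first."""

    def _key(self, image, severities):
        return image


class ImageAndSeverityKeyedCache(ScanResultsCache):
    """The fixed shape: the normalized severity tuple is part of the key."""

    def _key(self, image, severities):
        return (image, severities)


def narrow_then_wide(cache_cls) -> Tuple[int, int, int]:
    """Reproduce the PR's test plan: scan at CRITICAL, then at CRITICAL,HIGH,MEDIUM.
    Returns (findings on first run, findings on second run, scanner invocations)."""
    cache = cache_cls(fake_scan)
    first = cache.scan("itombot:1.0.5", ["CRITICAL"])
    second = cache.scan("itombot:1.0.5", ["critical", "HIGH", " medium "])
    return len(first), len(second), cache.scanner_calls


if __name__ == "__main__":
    # image-only key serves the stale narrow result: (1, 1, 1)
    print("image-only key:", narrow_then_wide(ImageKeyedCache))
    # image+severity key re-scans and reports all three: (1, 3, 2)
    print("image+severity key:", narrow_then_wide(ImageAndSeverityKeyedCache))
```

The normalization step is what makes the fix safe in both directions: without it, the widened key would never collide with the narrow one (so the bug disappears), but every spelling or ordering of the same filter would trigger a fresh scan and defeat the cache.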

@github-actions github-actions Bot commented Jul 2, 2026

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

| Package | Version | Score |
| --- | --- | --- |
| actions/actions/first-interaction | 753c925c8d1ac6fede23781875376600628d9b5d | 🟢 4.6 |

Details

| Check | Score | Reason |
| --- | --- | --- |
| Maintained | ⚠️ 0 | 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| Packaging | ⚠️ -1 | packaging workflow not detected |
| Code-Review | 🟢 3 | Found 1/3 approved changesets -- score normalized to 3 |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions |
| Pinned-Dependencies | 🟢 3 | dependency not pinned by hash detected -- score normalized to 3 |
| License | 🟢 10 | license file detected |
| Fuzzing | ⚠️ 0 | project is not fuzzed |
| Signed-Releases | ⚠️ -1 | no releases found |
| Security-Policy | 🟢 9 | security policy file detected |
| Branch-Protection | ⚠️ 1 | branch protection is not maximal on development and all release branches |
| SAST | 🟢 9 | SAST tool detected but not run on all commits |

Scanned Files

  • .github/workflows/welcome.yml

@github-actions github-actions Bot added the documentation, dependencies, cli, core and reports labels Jul 2, 2026
@github-actions github-actions Bot added the ci label Jul 2, 2026
@advaitpatel advaitpatel merged commit ab50baf into main Jul 2, 2026
12 checks passed

Labels

  • ci: Changes to CI/CD workflows
  • cli: Changes to the CLI entry point
  • core: Changes to core scanning logic
  • dependencies: Pull requests that update a dependency file
  • documentation: Improvements or additions to documentation
  • reports: Changes to report generation