Add the total types of vulnerabilities in Grype output #946
Signed-off-by: Maxim Zhiburt <zhiburt@gmail.com>
Hi 👋, I think that showing vulnerabilities from |
Signed-off-by: Maxim Zhiburt <zhiburt@gmail.com>
Would it be possible/desirable, to tack on "Fixed: ##" , at the end. |
Signed-off-by: Maxim Zhiburt <zhiburt@gmail.com>
Done (thanks for comment about the format). |
TODAY:
YOUR PR: [https://github.com//pull/946]
[Critical: 1, High: 3, Medium: 0, Low: 0, Unknown: 0; Fixed: 2] <-- Choice 1) The beautiful work you have done. |
So shall I make it |
(1) Yes, personally, I prefer this format:
(2) But on the higher level, any "Summary" is good, to me. |
Thanks @zhiburt for the PR! Also huge shoutout to all the feedback already thanks everyone. I kicked off the CI jobs so we can get those running. I have a backlog of things I'm getting through but I'll take a look here when time permits to give a good review. |
* main: Update grype bootstrap tools to latest versions. (anchore#947) chore: add more quality gate images (anchore#950) Add in-depth quality gate checks (anchore#949) Update Syft to v0.58.0 (anchore#941)
Thanks for keeping this in the status lines. Since it doesn't change the output of the table I think this is a great addition. Let me get the tests passing and lint fixed and I'll tag a second reviewer from the team. |
^--^ ^------------^ | | | +-> Summary in present tense. | +-------> Type: chore, docs, feat, fix, refactor, style, or test. [optional body] [optional footer(s)] Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Lints are fixed - I'll have more time to look at the panic later - if anyone else wants to give it a shot feel free to add a commit here for those tests |
Signed-off-by: Albert Simon <simon.albert75@gmail.com>
Fixed integration tests
CI needs an approval |
I'm not a maintainer, so @spiffcs has to approve it and kick the CI |
btw: thanks for your commit with the fix. |
ui/event_handlers.go

```go
_, _ = io.WriteString(scanningLine, fmt.Sprintf(statusTitleTemplate+"%s", spin, title, auxInfo))

auxInfo2 := auxInfoFormat.Sprintf(
	"[Critical: %d, High: %d, Medium: %d, Low: %d, Unknown: %d, Fixed: %d]",
```
A quick UX note: maybe we don't show the types that have 0 reported vulnerabilities so this line may be shorter?
In my personal thought: Always show all columns. Show all, even if they have "0 count".
Breaking symmetry can be troublesome, in my opinion.
I didn't have a strong opinion about this, just a suggestion and fine as-is 👍
It seems that Mac Acceptance tests failed due to a github out of service error (HTTP 503), can anyone trigger the action again? |
Hey folks -- I love the idea on outputting summarizing vulnerability result information directly in the TUI! I had a few comments.
With these comments in mind, I wanted to put forth an alternative (opinionated) output that addresses these points: This trades horizontal real estate with vertical real estate to show more information. The tree-like output is consistent with how we show related information in the log output and helps to indicate "this additional information belongs to the previous row". What do folks think about this proposal? I tweaked the current branch to output this but didn't push anything yet until I got more feedback. |
I, personally, like this much better @wagoodman -- attaching the information to the previous scan item helps avoid as wide a line with this info 👍 Going this route, I might move the unknown to its own line, too? |
Is this feature/PR related to this? |
@gh-greg yes (you can also see this in the description and the Development section on the right -- we try our best to link PRs to the issue they relate to) |
Hi, @wagoodman's reasoning seems ok to me. How would the |
Regarding Printing Summary:
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Updating conflicts and getting this tested now |
* main: (99 commits) chore(deps): bump actions/cache from 3.2.4 to 3.2.5 (anchore#1129) chore(deps): bump github.com/docker/docker (anchore#1128) Update Syft to v0.71.0 (anchore#1126) chore(deps): bump github/codeql-action from 2.2.1 to 2.2.3 (anchore#1125) Update grype bootstrap tools to latest versions. (anchore#1124) chore(deps): bump golang.org/x/term from 0.4.0 to 0.5.0 (anchore#1123) Update grype bootstrap tools to latest versions. (anchore#1122) Update grype bootstrap tools to latest versions. (anchore#1116) Update Syft to v0.70.0 (anchore#1117) chore(deps): bump github.com/docker/docker (anchore#1114) Update grype bootstrap tools to latest versions. (anchore#1112) Update Syft to v0.69.1 (anchore#1111) chore: prune cosign dependency for grype builds (anchore#1100) Update grype bootstrap tools to latest versions. (anchore#1108) Update Syft to v0.69.0 (anchore#1109) chore(deps): bump actions/cache from 3.2.3 to 3.2.4 (anchore#1107) chore: add new images to quality gate (anchore#1106) chore: bump yardstick for better quality gate filtering (anchore#1101) chore(deps): bump actions/cache from 3.0.11 to 3.2.3 (anchore#1096) chore(deps): bump github/codeql-action from 2.1.39 to 2.2.1 (anchore#1097) ... Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Integration tests are failing with a panic - fixing this - then will post a screenshot of the final state - If we're happy with the new visualization we can merge 🥳 |
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
New output format (thanks @wagoodman): Vs old output: |
There is one todo comment for debug logging - adding that now |
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
The code I pushed was meant to be illustrative and was PoC-quality (and needed refactoring), my comments really are touching on that aspect.

- `vulnerabilitiesList` and `VulnerabilitiesCategories` are enumerating the severities manually, however, it feels like it should have more of a collection on it. Something like `BySeverity map[vulnerability.Severity]*progress.Manual` (with one extra detail, the public facing `VulnerabilitiesCategories` should expose `progress.Monitorable` and not `*progress.Manual`). This way there shouldn't need to be refactors in this area if we add a severity (or remove one).
- We should lean more heavily into using `vulnerability.Severity` and surrounding helpers (such as `vulnerability.ParseSeverity`)
- Are we leaving off `negligible` severity intentionally? if so, that should be a caller concern (in the log summary handler and tui handler) but the monitor code should still include those severity counts.
- nit: naming for `VulnerabilitiesCategories` is awkward since both words are plural. Maybe something more like `VulnerabilityCategories`.
I've got more comments, but I think these could have enough impact to nullify them, I'll wait to hear back about these first.
I'll get the above cleaned up where we have something like BySeverity map. I'll also expose
I'll see if there are are any other helpers we need and expose this further up so we can do something like
No - I'll add that in with the above comments
👍
Cool! I'll address the above and we can do the small clean up after |
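A standalone sketch of the structure the review above asks for, added here as an illustration and not code from this PR or from grype: per-severity counters kept in a map behind a read-only interface, with the one-line summary from the thread rendered by the caller, which also decides whether Negligible is shown. `Severity`, `Monitorable`, `Manual` and `VulnerabilityCategories` are stand-ins for grype's `vulnerability.Severity` and the go-progress types, not the real ones.

```go
package main

import (
	"fmt"
	"strings"
)

// Severity stands in for vulnerability.Severity (not grype's own type); the names follow the thread.
type Severity string
const Critical, High, Medium, Low, Negligible, Unknown Severity = "Critical", "High", "Medium", "Low", "Negligible", "Unknown"
// Monitorable is the read-only view handlers get; Manual is the counter the matcher owns (stand-ins for progress.Monitorable and *progress.Manual).
type Monitorable interface{ Current() int64 }
type Manual struct{ n int64 }

func (m *Manual) Increment()     { m.n++ }
func (m *Manual) Current() int64 { return m.n }
// VulnerabilityCategories keeps one counter per severity in a map (no refactor when a severity is added or removed); only Monitorable views leave the struct.
type VulnerabilityCategories struct {
	bySeverity map[Severity]*Manual
	fixed      Manual
}

func NewVulnerabilityCategories() *VulnerabilityCategories {
	v := &VulnerabilityCategories{bySeverity: map[Severity]*Manual{}}
	for _, sev := range []Severity{Critical, High, Medium, Low, Negligible, Unknown} {
		v.bySeverity[sev] = &Manual{}
	}
	return v
}

// Record counts one match; a severity the map does not know lands in Unknown.
func (v *VulnerabilityCategories) Record(sev Severity, hasFix bool) {
	if _, ok := v.bySeverity[sev]; !ok {
		sev = Unknown
	}
	v.bySeverity[sev].Increment()
	if hasFix {
		v.fixed.Increment()
	}
}
func (v *VulnerabilityCategories) BySeverity(sev Severity) Monitorable { return v.bySeverity[sev] }
func (v *VulnerabilityCategories) Fixed() Monitorable                  { return &v.fixed }

// Summary renders the thread's one-line form; which severities to show (e.g. dropping Negligible) is the caller's choice.
func Summary(v *VulnerabilityCategories, show []Severity) string {
	parts := make([]string, 0, len(show))
	for _, sev := range show {
		parts = append(parts, fmt.Sprintf("%s: %d", sev, v.BySeverity(sev).Current()))
	}
	return fmt.Sprintf("[%s; Fixed: %d]", strings.Join(parts, ", "), v.Fixed().Current())
}
```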
…vulnerabilities Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Hi there,
Thank you for keeping "Good first issue".
Let me know if I did it correctly.
Notice I haven't included any tests.
close #877
Take care