Add the total types of vulnerabilities in Grype output

grype/matcher/matchers.go

@@ -4,6 +4,7 @@ import (
 	"github.com/wagoodman/go-partybus"
 	"github.com/wagoodman/go-progress"
 
+	grypeDb "github.com/anchore/grype/grype/db/v5"
 	"github.com/anchore/grype/grype/distro"
 	"github.com/anchore/grype/grype/event"
 	"github.com/anchore/grype/grype/match"
@@ -30,6 +31,51 @@ import (
 type Monitor struct {
 	PackagesProcessed         progress.Monitorable
 	VulnerabilitiesDiscovered progress.Monitorable
+	Fixed                     progress.Monitorable
+	BySeverity                map[vulnerability.Severity]progress.Monitorable
+}
+
+type monitor struct {
+	PackagesProcessed         *progress.Manual
+	VulnerabilitiesDiscovered *progress.Manual
+	Fixed                     *progress.Manual
+	BySeverity                map[vulnerability.Severity]*progress.Manual
+}
+
+func newMonitor() (monitor, Monitor) {
+	manualBySev := make(map[vulnerability.Severity]*progress.Manual)
+	for _, severity := range vulnerability.AllSeverities() {
+		manualBySev[severity] = progress.NewManual(-1)
+	}
+	manualBySev[vulnerability.UnknownSeverity] = progress.NewManual(-1)
+
+	m := monitor{
+		PackagesProcessed:         progress.NewManual(-1),
+		VulnerabilitiesDiscovered: progress.NewManual(-1),
+		Fixed:                     progress.NewManual(-1),
+		BySeverity:                manualBySev,
+	}
+
+	monitorableBySev := make(map[vulnerability.Severity]progress.Monitorable)
+	for sev, manual := range manualBySev {
+		monitorableBySev[sev] = manual
+	}
+
+	return m, Monitor{
+		PackagesProcessed:         m.PackagesProcessed,
+		VulnerabilitiesDiscovered: m.VulnerabilitiesDiscovered,
+		Fixed:                     m.Fixed,
+		BySeverity:                monitorableBySev,
+	}
+}
+
+func (m *monitor) SetCompleted() {
+	m.PackagesProcessed.SetCompleted()
+	m.VulnerabilitiesDiscovered.SetCompleted()
+	m.Fixed.SetCompleted()
+	for _, v := range m.BySeverity {
+		v.SetCompleted()
+	}
 }
 
 // Config contains values used by individual matcher structs for advanced configuration
@@ -60,18 +106,15 @@ func NewDefaultMatchers(mc Config) []Matcher {
 	}
 }
 
-func trackMatcher() (*progress.Manual, *progress.Manual) {
-	packagesProcessed := progress.Manual{}
-	vulnerabilitiesDiscovered := progress.Manual{}
+func trackMatcher() *monitor {
+	writer, reader := newMonitor()
 
 	bus.Publish(partybus.Event{
-		Type: event.VulnerabilityScanningStarted,
-		Value: Monitor{
-			PackagesProcessed:         progress.Monitorable(&packagesProcessed),
-			VulnerabilitiesDiscovered: progress.Monitorable(&vulnerabilitiesDiscovered),
-		},
+		Type:  event.VulnerabilityScanningStarted,
+		Value: reader,
 	})
-	return &packagesProcessed, &vulnerabilitiesDiscovered
+
+	return &writer
 }
 
 func newMatcherIndex(matchers []Matcher) (map[syftPkg.Type][]Matcher, Matcher) {
@@ -97,6 +140,7 @@ func newMatcherIndex(matchers []Matcher) (map[syftPkg.Type][]Matcher, Matcher) {
 
 func FindMatches(store interface {
 	vulnerability.Provider
+	vulnerability.MetadataProvider
 	match.ExclusionProvider
 }, release *linux.Release, matchers []Matcher, packages []pkg.Package) match.Matches {
 	var err error
@@ -115,13 +159,13 @@ func FindMatches(store interface {
 		}
 	}
 
-	packagesProcessed, vulnerabilitiesDiscovered := trackMatcher()
+	progressMonitor := trackMatcher()
 
 	if defaultMatcher == nil {
 		defaultMatcher = stock.NewStockMatcher(stock.MatcherConfig{UseCPEs: true})
 	}
 	for _, p := range packages {
-		packagesProcessed.Increment()
+		progressMonitor.PackagesProcessed.Increment()
 		log.Debugf("searching for vulnerability matches for pkg=%s", p)
 
 		matchAgainst, ok := matcherIndex[p.Type]
@@ -135,20 +179,64 @@ func FindMatches(store interface {
 			} else {
 				logMatches(p, matches)
 				res.Add(matches...)
-				vulnerabilitiesDiscovered.Add(int64(len(matches)))
+				progressMonitor.VulnerabilitiesDiscovered.Add(int64(len(matches)))
+				updateVulnerabilityList(progressMonitor, matches, store)
 			}
 		}
 	}
 
-	packagesProcessed.SetCompleted()
-	vulnerabilitiesDiscovered.SetCompleted()
+	progressMonitor.SetCompleted()
+
+	logListSummary(progressMonitor)
 
 	// Filter out matches based off of the records in the exclusion table in the database or from the old hard-coded rules
 	res = match.ApplyExplicitIgnoreRules(store, res)
 
 	return res
 }
 
+func logListSummary(vl *monitor) {
+	log.Infof("found %d vulnerabilities for %d packages", vl.VulnerabilitiesDiscovered.Current(), vl.PackagesProcessed.Current())
+	log.Debugf("  ├── fixed: %d", vl.Fixed.Current())
+	log.Debugf("  └── matched: %d", vl.VulnerabilitiesDiscovered.Current())
+
+	var unknownCount int64
+	if count, ok := vl.BySeverity[vulnerability.UnknownSeverity]; ok {
+		unknownCount = count.Current()
+	}
+	log.Debugf("      ├── %s: %d", vulnerability.UnknownSeverity.String(), unknownCount)
+
+	allSeverities := vulnerability.AllSeverities()
+	for idx, sev := range allSeverities {
+		branch := "├"
+		if idx == len(allSeverities)-1 {
+			branch = "└"
+		}
+		log.Debugf("      %s── %s: %d", branch, sev.String(), vl.BySeverity[sev].Current())
+	}
+}
+
+func updateVulnerabilityList(list *monitor, matches []match.Match, metadataProvider vulnerability.MetadataProvider) {
+	for _, m := range matches {
+		metadata, err := metadataProvider.GetMetadata(m.Vulnerability.ID, m.Vulnerability.Namespace)
+		if err != nil || metadata == nil {
+			list.BySeverity[vulnerability.UnknownSeverity].Increment()
+			continue
+		}
+
+		sevManualProgress, ok := list.BySeverity[vulnerability.ParseSeverity(metadata.Severity)]
+		if !ok {
+			list.BySeverity[vulnerability.UnknownSeverity].Increment()
+			continue
+		}
+		sevManualProgress.Increment()
+
+		if m.Vulnerability.Fix.State == grypeDb.FixedState {
+			list.Fixed.Increment()
+		}
+	}
+}
+
 func logMatches(p pkg.Package, matches []match.Match) {
 	if len(matches) > 0 {
 		log.Debugf("found %d vulnerabilities for pkg=%s", len(matches), p)

grype/vulnerability/severity.go

@@ -12,24 +12,28 @@ const (
 )
 
 var matcherTypeStr = []string{
-	"UnknownSeverity",
+	"unknown severity",
 	"negligible",
 	"low",
 	"medium",
 	"high",
 	"critical",
 }
 
-var AllSeverities = []Severity{
-	NegligibleSeverity,
-	LowSeverity,
-	MediumSeverity,
-	HighSeverity,
-	CriticalSeverity,
+func AllSeverities() []Severity {
+	return []Severity{
+		NegligibleSeverity,
+		LowSeverity,
+		MediumSeverity,
+		HighSeverity,
+		CriticalSeverity,
+	}
 }
 
 type Severity int
 
+type Severities []Severity
+
 func (f Severity) String() string {
 	if int(f) >= len(matcherTypeStr) || f < 0 {
 		return matcherTypeStr[0]
@@ -54,3 +58,15 @@ func ParseSeverity(severity string) Severity {
 		return UnknownSeverity
 	}
 }
+
+func (s Severities) Len() int {
+	return len(s)
+}
+
+func (s Severities) Swap(i, j int) {
+	s[i], s[j] = s[j], s[i]
+}
+
+func (s Severities) Less(i, j int) bool {
+	return s[i] < s[j]
+}

test/integration/db_mock_test.go

@@ -219,3 +219,11 @@ func (s *mockStore) SearchForVulnerabilities(namespace, name string) ([]grypeDB.
 func (s *mockStore) GetAllVulnerabilities() (*[]grypeDB.Vulnerability, error) {
 	return nil, nil
 }
+
+func (s *mockStore) GetVulnerabilityMetadata(id string, namespace string) (*grypeDB.VulnerabilityMetadata, error) {
+	return nil, nil
+}
+
+func (s *mockStore) GetAllVulnerabilityMetadata() (*[]grypeDB.VulnerabilityMetadata, error) {
+	return nil, nil
+}

test/integration/match_by_image_test.go

@@ -600,10 +600,11 @@ func TestMatchByImage(t *testing.T) {
 
 			vp, err := db.NewVulnerabilityProvider(theStore)
 			require.NoError(t, err)
+			mp := db.NewVulnerabilityMetadataProvider(theStore)
 			ep := db.NewMatchExclusionProvider(theStore)
 			str := store.Store{
 				Provider:          vp,
-				MetadataProvider:  nil,
+				MetadataProvider:  mp,
 				ExclusionProvider: ep,
 			}
 

test/integration/match_by_sbom_document_test.go

@@ -79,10 +79,11 @@ func TestMatchBySBOMDocument(t *testing.T) {
 			mkStr := newMockDbStore()
 			vp, err := db.NewVulnerabilityProvider(mkStr)
 			require.NoError(t, err)
+			mp := db.NewVulnerabilityMetadataProvider(mkStr)
 			ep := db.NewMatchExclusionProvider(mkStr)
 			str := store.Store{
 				Provider:          vp,
-				MetadataProvider:  nil,
+				MetadataProvider:  mp,
 				ExclusionProvider: ep,
 			}
 			matches, _, _, err := grype.FindVulnerabilities(str, fmt.Sprintf("sbom:%s", test.fixture), source.SquashedScope, nil)