@bluesentinelsec bluesentinelsec commented Jun 6, 2025

Context

This action permits users to perform custom logic if a vulnerability threshold is exceeded. For example, the user can specify that they wish to fail the scan if 1 or more critical vulnerabilities are present. An example of this can be seen here.

The problem is, this action does not distinguish between vulnerabilities with or without a fix when determining if the vulnerability threshold is exceeded. Users have asked that we extend this behavior to trigger the threshold-exceeded flag only if found vulnerabilities are fixable (see here).

Behavior before changes

Before this PR, the action would count all identified vulnerabilities towards the threshold-exceeded flag, regardless of whether a fix was available or not.

Behavior after changes

After this PR, if the user toggles --threshold-fixable-only, then only vulnerabilities with a fix will be counted towards the threshold-exceeded flag. Vulnerabilities without a fix will not count towards the threshold-exceeded flag. In that way, users can decide how they want to respond to only fixable vulnerabilities, while ignoring vulns without an available fix.

User experience

Users can opt into this feature by adding a flag to their Inspector workflows, threshold_fixable_only, shown below.

```yaml
uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@version
with:
    ... other arguments ...
    threshold_fixable_only: "true"
```

Testing the changes

It is difficult to find a resource that only contains unfixable vulnerabilities.

Therefore, we've settled for mocking scan results to prove this feature works as intended.

Reviewers can experiment with the changes from the CLI, shown below:

```bash
# From "vulnerability-scan-github-action-for-amazon-inspector" directory
python3 entrypoint/main.py \
    --artifact-type container \
    --artifact-path /tmp/dev.tar \
    --thresholds \
    --critical 1 \
    --high 1 \
    --threshold-fixable-only \
    --show-only-fixable-vulns \
    --display-vuln-findings=enabled
```
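The counting rule this PR describes, as an added example that is not the action's own code: a mocked scan result (the finding structure, the function names, the ">= limit" comparison and "0 means not enforced" threshold semantics are all assumptions for illustration) is counted once with and once without the fixable-only filter, and the threshold-exceeded flag is derived from each count.

```python
"""Added example (not the action's own code): how a fixable-only vulnerability
threshold changes the threshold-exceeded decision on the same scan result.
The Finding structure is a constructed stand-in for the scanner's output;
function names and threshold semantics are assumptions for illustration."""
from collections import Counter
from dataclasses import dataclass

SEVERITIES = ("critical", "high", "medium", "low", "other")


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    severity: str
    fix_available: bool


def parse_bool_input(value) -> bool:
    """GitHub Action inputs arrive as strings ("true"/"false"); accept those
    case-insensitively and pass a real bool straight through (assumption)."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"


def count_vulns(findings, fixable_only: bool) -> dict:
    """Count findings per severity. With fixable_only=True, findings that have
    no available fix are skipped and so never reach the threshold check."""
    counts = Counter({sev: 0 for sev in SEVERITIES})
    for finding in findings:
        if fixable_only and not finding.fix_available:
            continue
        sev = finding.severity.lower()
        counts[sev if sev in SEVERITIES else "other"] += 1
    return dict(counts)


def threshold_exceeded(counts: dict, thresholds: dict) -> bool:
    """A threshold of N means "N or more findings of that severity trips it";
    a threshold of 0 is treated as not enforced (assumption, not the CLI's rule)."""
    for sev, limit in thresholds.items():
        if limit > 0 and counts.get(sev, 0) >= limit:
            return True
    return False


def evaluate(findings, thresholds: dict, threshold_fixable_only) -> tuple:
    """Return (per-severity counts, threshold-exceeded flag) for one run."""
    counts = count_vulns(findings, parse_bool_input(threshold_fixable_only))
    return counts, threshold_exceeded(counts, thresholds)


# Constructed mock scan result: one unfixable critical, one fixable high,
# one unfixable high, one unfixable low. Identifiers are placeholders.
MOCK_FINDINGS = [
    Finding("VULN-A", "critical", fix_available=False),
    Finding("VULN-B", "high", fix_available=True),
    Finding("VULN-C", "high", fix_available=False),
    Finding("VULN-D", "low", fix_available=False),
]
# Equivalent of "--critical 1 --high 2" on the CLI.
THRESHOLDS = {"critical": 1, "high": 2}

if __name__ == "__main__":
    for flag in ("false", "true"):
        counts, exceeded = evaluate(MOCK_FINDINGS, THRESHOLDS, flag)
        print(f"threshold_fixable_only={flag}: counts={counts} exceeded={exceeded}")
```

With the filter off the unfixable critical finding trips the threshold; with it on, only the single fixable high finding is counted and the build passes, which is exactly the behaviour the PR sets out to add.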

@bluesentinelsec bluesentinelsec temporarily deployed to plugin-development June 6, 2025 20:02 — with GitHub Actions Inactive
@bluesentinelsec bluesentinelsec changed the title [WIP] Threshold fixable only [WIP] Only trigger vuln threshold on fixable vulns Jun 6, 2025
@bluesentinelsec bluesentinelsec merged commit 465e1da into v1.3.0 Jun 24, 2025
13 checks passed
@bluesentinelsec bluesentinelsec deleted the threshold_fixable_only branch June 24, 2025 17:32
bluesentinelsec added a commit that referenced this pull request Jul 1, 2025
* Feature request 91 (#115)

* FR-91: Add cli arg only fixable vulnerability; use the variable in get_vuln_counts

* Revert "FR-91: Add cli arg only fixable vulnerability; use the variable in get_vuln_counts"

This reverts commit bc532d4.

* FR-91: Add cli arg only fixable vulnerability; use the variable in get_vuln_counts

* FR-91: Fix unit tests

* FR-91: Fix typo in unit tests

* Revert "FR-91: Fix typo in unit tests"

This reverts commit e645542.

* Revert "FR-91: Fix unit tests"

This reverts commit f9157c9.

* Revert "FR-91: Add cli arg only fixable vulnerability; use the variable in get_vuln_counts"

This reverts commit 812c685.

* FR-91: Change orchestrator to only find fixed vulnerabilities if flag show-only-fixed-vulnerabilities is present

* FR-91: Fixed missing variable

* FR-91: Fixed typo

* FR-91: Fixed typo

* FR-91: Another fix

* FR-91: Another fix

* FR-91: Another fix

* FR-91: Another fix

* FR-91: Another fix

* FR-91: Another fix

* FR-91: Another fix

* Add unit test for get_vuln_count

* Fix unit test for get_vuln_count

---------

Co-authored-by: Maria Carolina Conceição <carolina.bento@floy.com>

* Clarify license of inspector-sbomgen dependency (#121)

Co-authored-by: Michael Long <mlongii@amazon.com>

* [v1.3.0] Only trigger vuln threshold on fixable vulns (#122)

* Add --threshold-fixable-only to CLI

* implemented business logic

* changed 'threshold_fixable_only' from str to bool

* Added more test coverage and CLI refinements

* debugging failing unit test

* test threshold-fixable-only in workflow

* test threshold-fixable-only in workflow

* debugging CI/CD

* debugging CI/CD

* debugging

* debugging

* debugging

* debugging

* removed debug log showing CLI arguments

* add missing argument, fixed_vuln_counts

* simplify get_fixed_vuln_counts() return values

* refactor return types in get_scan_result()

* refactor

* refine get_fixed_vuln_counts()

* update test_get_fixed_vuln_counts()

* testing case sensitivity

* revert 'TRUE' to 'true'

* use debug log when vuln doesnt have rating

* integrate --show-only-fixable-vulns (part 1)

* integrate only show fixable vulns

* test example workflows

* fix CLI input arguments

* remove leading '-' character for conditional inclusion

* add a no-op CLI arg (workaround)

* enable new arguments in workflows

* fix failing test

* update workflows for prod

---------

Co-authored-by: Michael Long <mlongii@amazon.com>

* set workflows to v1.3.0 for burn-in

---------

Co-authored-by: CarolMebiom <59604360+CarolMebiom@users.noreply.github.com>
Co-authored-by: Maria Carolina Conceição <carolina.bento@floy.com>
Co-authored-by: Michael Long <mlongii@amazon.com>
bluesentinelsec added a commit that referenced this pull request Jul 1, 2025
* replace scanner example (#84)

* Write CSV with no vulns (#86)

* reproducing issue - test 1

* resolve issue 85 - test 2

* test 3

* test fix

---------

Co-authored-by: Michael Long <mlongii@amazon.com>

* testing CSV with no vulns

* test against main branch

* Write Dockerfile CSV and Markdown on no vulns (#88)

Co-authored-by: Michael Long <mlongii@amazon.com>

* Set example workflows to main branch for testing

* Display 'no vulns found' for Dockerfiles (#92)

Co-authored-by: Michael Long <mlongii@amazon.com>

* Tweak dockerfile report (#93)

Co-authored-by: Michael Long <mlongii@amazon.com>

* Omit Dockerfile table on no vulns (#94)

Co-authored-by: Michael Long <mlongii@amazon.com>

* Updated workflows to v1.x - testing auto-updates (#96)

Co-authored-by: Michael Long <mlongii@amazon.com>

* update README (#97)

Co-authored-by: Michael Long <mlongii@amazon.com>

* Extend vulnerability severity providers (#98)

* Add severity providers: GHSA, GitLab

* Add severity providers: GHSA, GitLab

* Add REDHAT_CVE and UBUNTU_CVE providers

* rename GHSA to GITHUB

---------

Co-authored-by: Michael Long <mlongii@amazon.com>

* Add platform argument for container image scans (#102)

* add --platform support for multi-arch containers

* test multi-arch images on current branch

* test actions against sbomgen 1.5.1-beta

* fix --platform parsing error

* fix platform parsing bug

* test workflows on sbomgen latest (1.5.2)

* Validate --platform input

* Add more test cases, and revert workflow definitions

* fix typo in platform arg

---------

Co-authored-by: Michael Long <mlongii@amazon.com>

* Improve severity rating consistency (#112)

* fix severity rating mismatch

* temporarily add a test workflow

* Fix type issue: float provided, expected string

* Rename workflow / job name

* Add severity comparison logic

* Revise severity sorting and selection logic

* return default values on error

* skip EPSS ratings for severity column

* debugging unknown ratings

* fix ratings with unknown name

* Verify AMAZON_INSPECTOR renders correctly

* fix failing test

* temporarily disable failing tests

* pass unit test: test_parse_inspector_scan_result

* pass unit tests

* change '-f' to '--failfast' for clarity

* Remove unused type cast

* refactor csv test

* severity is rendered as 'other' not 'unknown'

* test build on all actions

* normalize dockerfile findings severity rating

* debugging dockerfile severity

* debugging

* Normalize Dockerfile severity 'info' to 'other'

* restore test actions

* minor comment update

* Remove develop workflow

* Address PR feedback

* test workflows against refactor

* handle edge case CVE-2025-22871

* fix missing severity edge case

* debugging epss

* debugging

* fix flawed test

* added test case for absent severity rating

* revert workflows to v1

---------

Co-authored-by: Michael Long <mlongii@amazon.com>

* Feature request 91 (#115)

* FR-91: Add cli arg only fixable vulnerability; use the variable in get_vuln_counts

* Revert "FR-91: Add cli arg only fixable vulnerability; use the variable in get_vuln_counts"

This reverts commit bc532d4.

* FR-91: Add cli arg only fixable vulnerability; use the variable in get_vuln_counts

* FR-91: Fix unit tests

* FR-91: Fix typo in unit tests

* Revert "FR-91: Fix typo in unit tests"

This reverts commit e645542.

* Revert "FR-91: Fix unit tests"

This reverts commit f9157c9.

* Revert "FR-91: Add cli arg only fixable vulnerability; use the variable in get_vuln_counts"

This reverts commit 812c685.

* FR-91: Change orchestrator to only find fixed vulnerabilities if flag show-only-fixed-vulnerabilities is present

* FR-91: Fixed missing variable

* FR-91: Fixed typo

* FR-91: Fixed typo

* FR-91: Another fix

* FR-91: Another fix

* FR-91: Another fix

* FR-91: Another fix

* FR-91: Another fix

* FR-91: Another fix

* FR-91: Another fix

* Add unit test for get_vuln_count

* Fix unit test for get_vuln_count

---------

Co-authored-by: Maria Carolina Conceição <carolina.bento@floy.com>

* Clarify license of inspector-sbomgen dependency (#121)

Co-authored-by: Michael Long <mlongii@amazon.com>

* [v1.3.0] Only trigger vuln threshold on fixable vulns (#122)

* Add --threshold-fixable-only to CLI

* implemented business logic

* changed 'threshold_fixable_only' from str to bool

* Added more test coverage and CLI refinements

* debugging failing unit test

* test threshold-fixable-only in workflow

* test threshold-fixable-only in workflow

* debugging CI/CD

* debugging CI/CD

* debugging

* debugging

* debugging

* debugging

* removed debug log showing CLI arguments

* add missing argument, fixed_vuln_counts

* simplify get_fixed_vuln_counts() return values

* refactor return types in get_scan_result()

* refactor

* refine get_fixed_vuln_counts()

* update test_get_fixed_vuln_counts()

* testing case sensitivity

* revert 'TRUE' to 'true'

* use debug log when vuln doesnt have rating

* integrate --show-only-fixable-vulns (part 1)

* integrate only show fixable vulns

* test example workflows

* fix CLI input arguments

* remove leading '-' character for conditional inclusion

* add a no-op CLI arg (workaround)

* enable new arguments in workflows

* fix failing test

* update workflows for prod

---------

Co-authored-by: Michael Long <mlongii@amazon.com>

* set workflows to v1.3.0 for burn-in

---------

Co-authored-by: clueleaf <10379303+clueleaf@users.noreply.github.com>
Co-authored-by: Michael Long <mlongii@amazon.com>
Co-authored-by: CarolMebiom <59604360+CarolMebiom@users.noreply.github.com>
Co-authored-by: Maria Carolina Conceição <carolina.bento@floy.com>
bluesentinelsec added a commit that referenced this pull request Sep 16, 2025

* v1.3.0 (#123)


* Sync main to v1.3.0 (#126)


* Verify v1 tag works

* Verify action against 1.x

* v1.4.0 (#133)

* Use aws-cli instead of amazonlinux to speed up container build time (#128)

* Change Dockerfile source image to aws-cli

* Set WORKDIR back to default value

---------

Co-authored-by: Joshua-Grisham_SSCSpace <joshua.grisham@sscspace.com>

* set workflows to develop for aws-cli runtime tests

* add explicit permissions to GitHub Actions workflows (#130)

* Measuring installation time (#131) (#132)

* measuring installation time

* Change workflows to point to v1.4.0 branch

---------

Co-authored-by: Joshua Grisham <josh@joshuagrisham.com>
Co-authored-by: Joshua-Grisham_SSCSpace <joshua.grisham@sscspace.com>

---------

Co-authored-by: clueleaf <10379303+clueleaf@users.noreply.github.com>
Co-authored-by: Michael Long <mlongii@amazon.com>
Co-authored-by: CarolMebiom <59604360+CarolMebiom@users.noreply.github.com>
Co-authored-by: Maria Carolina Conceição <carolina.bento@floy.com>
Co-authored-by: Joshua Grisham <josh@joshuagrisham.com>
Co-authored-by: Joshua-Grisham_SSCSpace <joshua.grisham@sscspace.com>
bluesentinelsec added a commit that referenced this pull request Sep 24, 2025

* (v1.4.1 hotfix) Fix multi-arch container image scanning (#138)

* added multi-arch image workflow

* disable scan validator

* debugging multi arch CICD

* added 'platform' argument to action.yml

* set action version to investigation branch

* test amd64 images

* test multi-arch matrix

* verify workaround

* Add multi-platform validation to prevent regression of platform argument

- Add validate_multi_platform_image_support.py script to validate SBOM architecture matches expected platform
- Update test_multi_arch_images.yml workflow to validate platform argument is correctly passed through to inspector-sbomgen

* re-enable inspector scan validation

* remove inspector-scan validator, not applicable

* remove boilerplate

* test action against multi-arch fix

* revert test workflows to v1.4.0

* remove emoji characters from console logs

* update workflows to v1.4.1 (#139)

* update multi arch test to v1.4.1 (#140)

* update version.txt to v1.4.1

---------

Co-authored-by: clueleaf <10379303+clueleaf@users.noreply.github.com>
Co-authored-by: Michael Long <mlongii@amazon.com>
Co-authored-by: CarolMebiom <59604360+CarolMebiom@users.noreply.github.com>
Co-authored-by: Maria Carolina Conceição <carolina.bento@floy.com>
Co-authored-by: Joshua Grisham <josh@joshuagrisham.com>
Co-authored-by: Joshua-Grisham_SSCSpace <joshua.grisham@sscspace.com>