The markdown format is not supported

[ulrich]

Hello Team,

I am testing with real pleasure the tool but when I tried some commands I figured out that the markdown format output doesn't seem to work on the last version.

Commands:

❯ docker scout cves --exit-code --ignore-base --only-fixed --only-severity critical,high --format sarif --output mega.sarif mega:1.5.0
    ✓ SBOM of image already cached, 282 packages indexed
    ✓ Ignoring packages and vulnerabilities from base image openjdk
    ✗ Detected 5 vulnerable packages with a total of 8 vulnerabilities
    ✓ Report written to mega.sarif

❯ docker scout cves --exit-code --ignore-base --only-fixed --only-severity critical,high --format packages --output mega.packages mega:1.5.0
    ✓ SBOM of image already cached, 282 packages indexed
    ✓ Ignoring packages and vulnerabilities from base image openjdk
    ✗ Detected 5 vulnerable packages with a total of 8 vulnerabilities
    ✓ Report written to mega.packages

❯ docker scout cves --exit-code --ignore-base --only-fixed --only-severity critical,high --format markdown --output mega.markdown mega:1.5.0

...
Learn More
  Read docker scout cli reference at https://docs.docker.com/engine/reference/commandline/scout/
ERROR   Status: please provide a valid format, Code: 1

Test version:

❯ docker scout version
version: 0.22.2 (go1.20.6 - linux/amd64)
git commit: 7e5413c2e22976e2de12c9889d2f7aa884c7fc7c

Maybe I missed something?

Ulrich

[eunomie]

Hi @ulrich , hope you're doing well and happy to see you there 👋

Let me check what's going wrong here and I'll come back to you.

[eunomie]

@ulrich: here is the v0.22.3 that should solve your issue: https://github.com/docker/scout-cli/releases/tag/v0.22.3

Just to note that the markdown output has been made with GH PR comments in mind, so the markdown contains a lot of html tags (collapsible content and more control over the tables).

See the example in the following comment.

Happy to take any feedback on it :-)

[eunomie]

🔍 Vulnerabilities of ***/***:***

📦 Image Reference ***/***:***

digest	sha256:13e688445ffc2ff7f5d1d6bc48f2d2a1bfead36131fbe609d7cb54c6b76aace8
vulnerabilities
platform	linux/arm64
size	27 MB
packages	294

libssl3 3.1.0-r4 (apk) pkg:apk/alpine/libssl3@3.1.0-r4?arch=aarch64&upstream=openssl&distro=alpine-3.18.0 # Dockerfile (1:1) FROM alpine:3.18 Affected range <3.1.1-r0 Fixed version 3.1.1-r0 Description Affected range <3.1.1-r3 Fixed version 3.1.1-r3 Description Affected range <3.1.1-r2 Fixed version 3.1.1-r2 Description Affected range <3.1.2-r0 Fixed version 3.1.2-r0 Description

semver 7.5.0 (npm) pkg:npm/semver@7.5.0 # Dockerfile (3:3) RUN apk add --no-cache npm Inefficient Regular Expression Complexity Affected range >=7.0.0 <7.5.2 Fixed version 7.5.2 CVSS Score 5.3 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Description Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

[ulrich]

Nice job, it works as expected!

I continue the tests of Scout 👍

Have a good day Yves.