package output
import (
"fmt"
"io"
"log"
"os"
"path/filepath"
"strings"
"github.com/google/osv-scanner/pkg/models"
"github.com/jedib0t/go-pretty/v6/table"
)
// createSourceRemediationTable builds the per-source vulnerability table that
// the annotation report embeds: one row per vulnerability group of each
// package in source, holding the package name, an https://osv.dev/ link per
// advisory ID in the group, the group's maximum severity, the installed
// version and the fixed versions (if any) that groupFixedVersions holds under
// the key "<source>:<group index>". The table is returned unrendered.
func createSourceRemediationTable(source models.PackageSource, groupFixedVersions map[string][]string) table.Writer {
	tbl := table.NewWriter()
	tbl.AppendHeader(table.Row{"Package", "Vulnerability ID", "CVSS", "Current Version", "Fixed Version"})

	// All groups of this source share the same key prefix.
	keyPrefix := source.Source.String() + ":"

	for _, pkg := range source.Packages {
		for _, grp := range pkg.Groups {
			links := make([]string, 0, len(grp.IDs))
			for _, id := range grp.IDs {
				links = append(links, fmt.Sprintf("https://osv.dev/%s", id))
			}
			fixed := groupFixedVersions[keyPrefix+grp.IndexString()]

			tbl.AppendRow(table.Row{
				pkg.Package.Name,
				strings.Join(links, "\n"),
				MaxSeverity(grp, pkg),
				pkg.Package.Version,
				strings.Join(fixed, "\n"),
			})
		}
	}

	return tbl
}
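// ghAnnotationDataEscaper encodes the characters GitHub Actions treats
// specially in the message part of a workflow command. A command is only
// recognised at the start of an output line, so an unescaped "\n" or "\r"
// inside a package name, version or advisory ID taken from a scanned manifest
// would end this annotation and let the remainder be parsed as a new command.
// "%" is encoded so that the escape sequences themselves survive decoding.
// NewReplacer works in a single pass, so inserted escapes are not re-encoded.
var ghAnnotationDataEscaper = strings.NewReplacer("%", "%25", "\r", "%0D", "\n", "%0A")

// ghAnnotationPropertyEscaper additionally encodes ":" and ",", which delimit
// the properties in the command header (e.g. `file=...,line=...`).
var ghAnnotationPropertyEscaper = strings.NewReplacer("%", "%25", "\r", "%0D", "\n", "%0A", ":", "%3A", ",", "%2C")

// PrintGHAnnotationReport writes one GitHub Actions "::error" workflow command
// per scanned source to outputWriter, with the source's remediation table as
// the annotation message. The command is only interpreted when outputWriter
// ends up as the stdout of an Actions step; elsewhere it is plain text.
//
// Paths, package names, versions and advisory IDs all originate from the
// scanned manifests or from OSV, i.e. from data the workflow does not control,
// so every interpolated field is escaped the way GitHub's own toolkit does.
// Returns an error if writing to outputWriter fails; a failure to determine
// the working directory is treated as unrecoverable.
func PrintGHAnnotationReport(vulnResult *models.VulnerabilityResults, outputWriter io.Writer) error {
	flattened := vulnResult.Flatten()
	// TODO: Also support last affected
	groupFixedVersions := GroupFixedVersions(flattened)

	workingDir, err := os.Getwd()
	if err != nil {
		// Without a working directory no checkout-relative file= property
		// can be produced for any source.
		log.Panicf("can't get working dir: %v", err)
	}

	for _, source := range vulnResult.Results {
		// TODO: Support docker images
		// Annotate relative to the checkout so GitHub can attach the
		// annotation to the file; keep the raw path when no relative form
		// exists (e.g. a different volume on Windows).
		artifactPath := source.Source.Path
		if rel, relErr := filepath.Rel(workingDir, source.Source.Path); relErr == nil {
			artifactPath = rel
		}
		// Repository paths in GitHub use '/' separators regardless of the
		// scanner's host OS.
		artifactPath = filepath.ToSlash(artifactPath)

		rendered := createSourceRemediationTable(source, groupFixedVersions).Render()

		// The whole command must be one output line; GitHub decodes %0A back
		// into line breaks when it displays the message. The leading %0A is a
		// deliberate, already-encoded break that puts the table below the path.
		message := ghAnnotationDataEscaper.Replace(artifactPath) + "%0A" + ghAnnotationDataEscaper.Replace(rendered)

		if _, err := fmt.Fprintf(outputWriter, "::error file=%s::%s", ghAnnotationPropertyEscaper.Replace(artifactPath), message); err != nil {
			return fmt.Errorf("writing github annotation for %s: %w", artifactPath, err)
		}
	}

	return nil
}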