
GrypeParser: added artifact name and type to report #978

Merged (3 commits), Nov 25, 2023

Conversation

georgwolf (Contributor)

The warnings-ng reports for Grype are missing important information, namely the vulnerable artifact's name and its type. This makes it difficult to see the affected packages when reviewing the report as the file path often doesn't contain the artifact name (e.g. for RPMs in a Docker image the file path reported by Grype is just "/var/lib/rpm/Packages"; only the artifact name reveals the actual RPM name like curl etc.).

This PR adds the artifact name from the Grype JSON report as package name and changes the report's category to the artifact type (instead of duplicating the severity information there). I chose package over module name as the package is visible in the warnings-ng issue list while the module isn't.

Testing done

The existing JUnit test for the GrypeParser has been adjusted to also verify the package name and the changed category.
Note that due to the added package name the report in test method assertThatVulnerabilityWithoutDescriptionCanBeParsed doesn't contain duplicates any more.

Submitter checklist

  1. Make sure you are opening from a topic/feature/bugfix branch (right side) and not your main branch!
  2. Ensure that the pull request title represents the desired changelog entry
  3. Please describe what you did
  4. Link to relevant issues in GitHub or Jira
  5. Link to relevant pull requests, esp. upstream and downstream changes
  6. Ensure you have provided tests - that demonstrates feature works or fixes the issue
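The mapping the PR describes (artifact name as package name, artifact type as category, file path from the artifact location), as an added example that is not code from warnings-ng or analysis-model. The Grype JSON field names (`matches[].vulnerability`, `matches[].artifact.name`, `.type`, `.locations[].path`) are assumed from the Grype output schema, and the report is constructed; it reproduces the RPM case where two packages share the file path `/var/lib/rpm/Packages` and only the package name keeps them apart.

```python
import json

# Constructed sample shaped like a Grype JSON report (field names assumed from
# the Grype output schema: matches[].vulnerability and matches[].artifact).
SAMPLE_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "High", "description": "sample"},
     "artifact": {"name": "curl", "type": "rpm",
                  "locations": [{"path": "/var/lib/rpm/Packages"}]}},
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "High", "description": "sample"},
     "artifact": {"name": "openssl", "type": "rpm",
                  "locations": [{"path": "/var/lib/rpm/Packages"}]}},
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "Medium", "description": ""},
     "artifact": {"name": "lodash", "type": "npm",
                  "locations": [{"path": "/app/node_modules/lodash/package.json"}]}},
]})


def parse_grype_report(text, with_artifact=True):
    """Flatten each Grype match into one issue record.

    with_artifact=False mimics the parser before this PR: the category repeats
    the severity and no package name is set."""
    issues = []
    for match in json.loads(text).get("matches", []):
        vuln, artifact = match["vulnerability"], match["artifact"]
        locations = artifact.get("locations") or [{}]
        issues.append({
            "file": locations[0].get("path", "-"),
            "type": vuln["id"],
            "severity": vuln["severity"],
            "category": artifact["type"] if with_artifact else vuln["severity"],
            "package": artifact["name"] if with_artifact else "",
            "message": vuln.get("description") or vuln["id"],
        })
    return issues


def deduplicate(issues):
    """Drop issues that repeat file, package, vulnerability id and message
    (a simple duplicate key chosen for this example, not necessarily the one
    warnings-ng applies)."""
    seen, unique = set(), []
    for issue in issues:
        key = (issue["file"], issue["package"], issue["type"], issue["message"])
        if key not in seen:
            seen.add(key)
            unique.append(issue)
    return unique
```

Without the package name the curl and openssl matches collapse into one issue because they share path, id and message; with it all three survive deduplication.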

@uhafner uhafner added the enhancement Enhancement of existing functionality label Nov 23, 2023

```java
// Review comment context: lines from GrypeParser under discussion.
return issueBuilder.setFileName(fileName)
        .setCategory(vuln.getString(SEVERITY_TAG))
        .setPackageName(packageName)
```
uhafner (Member) commented:

Actually module names are shown as well in the UI (if they are not unique), but I am fine with using package names here.


codecov bot commented Nov 23, 2023

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (cc49445) 93.08% compared to head (86ead6d) 93.09%.

Additional details and impacted files
@@            Coverage Diff            @@
##               main     #978   +/-   ##
=========================================
  Coverage     93.08%   93.09%           
- Complexity     2381     2382    +1     
=========================================
  Files           347      347           
  Lines          6598     6603    +5     
  Branches        686      687    +1     
=========================================
+ Hits           6142     6147    +5     
  Misses          256      256           
  Partials        200      200           


@uhafner uhafner merged commit 73ca3f4 into jenkinsci:main Nov 25, 2023
27 checks passed

uhafner commented Nov 25, 2023

Thanks!
