GrypeParser: added artifact name and type to report #978
The warnings-ng reports for Grype are missing important information, namely the vulnerable artifact's name and its type. This makes it difficult to see the affected packages when reviewing the report as the file path often doesn't contain the artifact name (e.g. for RPMs in a Docker image the file path reported by Grype is just "/var/lib/rpm/Packages"; only the artifact name reveals the actual RPM name like curl etc.).
This PR adds the artifact name from the Grype JSON report as package name and changes the report's category to the artifact type (instead of duplicating the severity information there). I chose package over module name as the package is visible in the warnings-ng issue list while the module isn't.
Testing done
The existing JUnit test for the GrypeParser has been adjusted to also verify the package name and the changed category.
Note that due to the added package name the report in test method `assertThatVulnerabilityWithoutDescriptionCanBeParsed` doesn't contain duplicates any more.
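The mapping the PR describes, as an added illustration that is not the plugin's own parser code: a constructed Grype-style JSON report with two RPMs sharing the path `/var/lib/rpm/Packages` is mapped to issues carrying the artifact name as package and the artifact type as category, and the de-duplication effect mentioned in the testing note is shown. The field layout (`matches[].vulnerability`, `matches[].artifact.name/type/locations`) is assumed from Grype's JSON output, not taken from the PR text.

```python
import json
from dataclasses import dataclass

# Constructed Grype-style report (assumption: Grype's "matches[].vulnerability"
# and "matches[].artifact" layout). Both RPMs live in the same RPM database file,
# so only artifact.name distinguishes them. CVE id is a constructed placeholder.
GRYPE_REPORT = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-0000-0001", "severity": "High",
                           "description": "constructed sample finding"},
         "artifact": {"name": "curl", "version": "7.61.1", "type": "rpm",
                      "locations": [{"path": "/var/lib/rpm/Packages"}]}},
        {"vulnerability": {"id": "CVE-0000-0001", "severity": "High",
                           "description": "constructed sample finding"},
         "artifact": {"name": "libcurl", "version": "7.61.1", "type": "rpm",
                      "locations": [{"path": "/var/lib/rpm/Packages"}]}},
    ]
})

@dataclass(frozen=True)
class Issue:
    file_name: str
    package_name: str   # artifact name (curl, libcurl, ...), as the PR proposes
    category: str       # artifact type (rpm, deb, python, ...) instead of severity
    severity: str
    message: str

def parse_grype(report_json: str) -> list[Issue]:
    """Map every Grype match to one warnings-ng-style issue per reported location."""
    issues = []
    for match in json.loads(report_json)["matches"]:
        vuln, artifact = match["vulnerability"], match["artifact"]
        locations = artifact.get("locations") or [{"path": "-"}]
        for loc in locations:
            issues.append(Issue(
                file_name=loc.get("path", "-"),
                package_name=artifact.get("name", "-"),
                category=artifact.get("type", "-"),
                severity=vuln.get("severity", "Unknown"),
                message=f"{vuln['id']}: {vuln.get('description') or 'no description'}",
            ))
    return issues

def distinct_findings(issues: list[Issue], with_package: bool) -> int:
    """Count unique issues; without the package name the two RPMs collapse into one."""
    if with_package:
        keys = {(i.file_name, i.package_name, i.message) for i in issues}
    else:
        keys = {(i.file_name, i.message) for i in issues}
    return len(keys)
```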