From cf82ee06db2ee37fe1ef4330ffd0dcaf960eed29 Mon Sep 17 00:00:00 2001
From: Jeff DeWitt
Date: Thu, 29 Feb 2024 11:40:19 -0500
Subject: [PATCH] fix: empty enhanced scans look like basic scans
---
 index.js | 26 +++++++++++++++++++++-----
 1 file changed, 21 insertions(+), 5 deletions(-)
diff --git a/index.js b/index.js
index 2f8d0c9..0cbb8f5 100644
--- a/index.js
+++ b/index.js
@@ -165,6 +165,26 @@ function isEnhancedScan(findings) {
 return 'enhancedFindings' in findings.imageScanFindings;
 }

+/**
+ * @param {AWS.ECR.ImageScanFinding[]} findings
+ * @returns {AWS.ECR.ImageScanFinding.EnhancedFindings[]}
+ * @description Get enhanced scan findings
+ * @throws {Error} If the scan is not enhanced
+ */
+function getEnhancedScanFindings(findings) {
+ // If there are no vulns found, ECR will respond with an empty array here: findings.imageScanFindings.findings
+ // This implies that the scan was a basic scan, but it's not, it's just empty so we need to check for empty findings as well.
+ if (findings.imageScanFindings.findings && findings.imageScanFindings.findings.length == 0){
+ return [];
+ }
+
+ if (isEnhancedScan(findings)) {
+ return findings.imageScanFindings.enhancedFindings;
+ } else {
+ throw new Error(`Basic scan not supported. Please enable enhanced scanning in ECR.`)
+ }
+}
+
 const main = async () => {
 core.debug('Entering main')
 const repository = core.getInput('repository', { required: true })
@@ -195,11 +215,7 @@ const main = async () => {
 core.debug(`Findings: ${JSON.stringify(findings)}`)
 let findingsList = [];
 if (findings) {
- if (isEnhancedScan(findings)) {
- findingsList = findings.imageScanFindings.enhancedFindings;
- } else {
- throw new Error(`Basic scan not supported. Please enable enhanced scanning in ECR.`)
- }
+ findingsList = getEnhancedScanFindings(findings);
 status = findings.imageScanStatus.status
 console.log(`A scan for this image was already requested, the scan's status is ${status}`)
 if (status == 'FAILED') {
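Review bot: The early return in `getEnhancedScanFindings` runs before `isEnhancedScan` is consulted, so a response with an empty `findings` array is reported as clean even if `enhancedFindings` is also present, and a genuinely basic scan with no findings now passes instead of raising `Basic scan not supported`. Checking the enhanced branch first, `if (isEnhancedScan(findings)) { return findings.imageScanFindings.enhancedFindings; }`, and only then falling back to the empty-array case removes the first risk; whether ECR ever returns both fields together is not visible from this patch. The second case means the gate cannot tell an empty basic scan from an empty enhanced one, so the doc comment should say so, for example `@throws {Error} If the scan is a basic scan that returned findings`. The `@param` type also looks wrong: the function reads `findings.imageScanFindings`, so the argument is the whole scan response object rather than an `ImageScanFinding[]`.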