-
Notifications
You must be signed in to change notification settings - Fork 602
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Share which file is vulnerable when reporting an intra-file vulnerability in the default table output #1199
Labels
enhancement
New feature or request
Comments
jneate
added a commit
to jneate/grype
that referenced
this issue
May 6, 2023
Signed-off-by: James Neate <[email protected]>
jneate
added a commit
to jneate/grype
that referenced
this issue
May 28, 2023
Signed-off-by: James Neate <[email protected]>
DEVELOPER NOTES: After some internal discussion with the team, we think implementing this feature would be good but an implementation should consider a few things:
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
What would you like to be added:
In the default output format, for image scans (or really, any scan of a target that contains multiple files), when reporting a vulnerability for a dependency inside a file (e.g. a module compiled into a Go binary), show which file has the vulnerability.
Why is this needed:
Without this feature, the output row for these kinds of vulnerabilities is not very helpful.
If I'm trying to ensure my image has as few vulnerabilities as possible, and I'm using Grype to help me, I want to get to the point where I can do something about every given vulnerability as quickly as possible. Any factor that gets in my way of doing this is noticeable friction added to my process of getting the job done.
For a distro package, (e.g.
apk
type), remediation is obvious. From anywhere in the image (or Dockerfile, etc.) I can runapk add -u pkgName
and I'm done.But for cases like Go binaries, JARs, etc. — there is a missing layer of hierarchy in Grype's table output. I see the vulnerable package, and I know what image I scanned, but I'm missing a crucial piece of information: the file itself. So I need to re-run the scan with a more helpful output.
Here's an example:
Which Go binary (or binaries, plural?) has the vulnerability? I have no idea. In the very best case, the image only has a single Go binary, and I have this knowledge in advance. But in all other cases, this Grype scan brought me no closer to a solution for those vulnerabilities.
Additional context:
The "default" piece of this ask might be more important than one would think. In practice, for better or for worse, I've seen lots of people sharing screenshots (or console copy/paste like the above example) of the table view. Of course, in some cases, folks are persisting a more machine-readable format, like the native JSON output or SARIF. But still, lots of times this isn't the case. And it would be great for folks on the receiving end of these snippets to more readily understand what Grype found.
cc: @kzantow
The text was updated successfully, but these errors were encountered: