diff --git a/grype/presenter/internal/test_helpers.go b/grype/presenter/internal/test_helpers.go index 820f49634dd..8516c050541 100644 --- a/grype/presenter/internal/test_helpers.go +++ b/grype/presenter/internal/test_helpers.go @@ -38,7 +38,7 @@ func GenerateAnalysis(t *testing.T, scheme SyftSource) (*sbom.SBOM, match.Matche grypePackages := pkg.FromCollection(s.Artifacts.Packages, pkg.SynthesisConfig{}) - matches := generateMatches(t, grypePackages[0], grypePackages[1]) + matches := generateMatches(t, grypePackages[0], grypePackages[1], grypePackages[2]) context := generateContext(t, scheme) return s, matches, grypePackages, context, models.NewMetadataMock(), nil, nil @@ -55,7 +55,7 @@ func GenerateAnalysisWithIgnoredMatches(t *testing.T, scheme SyftSource) (match. grypePackages := pkg.FromCollection(s.Artifacts.Packages, pkg.SynthesisConfig{}) - matches := generateMatches(t, grypePackages[0], grypePackages[1]) + matches := generateMatches(t, grypePackages[0], grypePackages[1], grypePackages[2]) ignoredMatches := generateIgnoredMatches(t, grypePackages[1]) context := generateContext(t, scheme) @@ -75,7 +75,7 @@ func Redact(s []byte) []byte { return s } -func generateMatches(t *testing.T, p1, p2 pkg.Package) match.Matches { +func generateMatches(t *testing.T, p1, p2, p3 pkg.Package) match.Matches { t.Helper() matches := []match.Match{ @@ -120,6 +120,21 @@ func generateMatches(t *testing.T, p1, p2 pkg.Package) match.Matches { SearchedBy: map[string]interface{}{ "cpe": "somecpe", }, + Found: map[string]interface{}{"constraint": "somecpe"}, + }, + }, + }, + { + Vulnerability: vulnerability.Vulnerability{ + ID: "CVE-1999-0003", + Namespace: "source-3", + }, + Package: p3, + Details: []match.Detail{ + { + Type: match.ExactIndirectMatch, + Matcher: match.JavascriptMatcher, + SearchedBy: map[string]interface{}{"cpe": "somecpe"}, Found: map[string]interface{}{ "constraint": "somecpe", }, 
@@ -218,6 +233,7 @@ func generateIgnoredMatches(t *testing.T, p pkg.Package) []match.IgnoredMatch { } } +//nolint:funlen func generatePackages(t *testing.T) []syftPkg.Package { t.Helper() epoch := 2 @@ -265,6 +281,27 @@ func generatePackages(t *testing.T) []syftPkg.Package { syftPkg.NewLicense("Apache-2.0"), ), }, + { + Name: "package-3", + Version: "3.3.3", + Type: syftPkg.NpmPkg, + Locations: file.NewLocationSet(file.NewVirtualLocation("/foo/bar/somefile-3.txt", "somefile-3.txt")), + CPEs: []cpe.CPE{ + { + Attributes: cpe.Attributes{ + Part: "a", + Vendor: "anchore", + Product: "engine", + Version: "3.3.3", + Language: "python", + }, + }, + }, + Licenses: syftPkg.NewLicenseSet( + syftPkg.NewLicense("MIT"), + syftPkg.NewLicense("Apache-2.0"), + ), + }, } for i := range pkgs { diff --git a/grype/presenter/json/test-fixtures/snapshot/TestJsonDirsPresenter.golden b/grype/presenter/json/test-fixtures/snapshot/TestJsonDirsPresenter.golden index a318f72fc5d..e904027e52b 100644 --- a/grype/presenter/json/test-fixtures/snapshot/TestJsonDirsPresenter.golden +++ b/grype/presenter/json/test-fixtures/snapshot/TestJsonDirsPresenter.golden 
@@ -127,6 +127,69 @@ "purl": "", "upstreams": [] } + }, + { + "vulnerability": { + "id": "CVE-1999-0003", + "dataSource": "", + "severity": "High", + "urls": [], + "description": "1999-03 description", + "cvss": [ + { + "version": "3.0", + "vector": "vector", + "metrics": { + "baseScore": 1, + "exploitabilityScore": 2, + "impactScore": 3 + }, + "vendorMetadata": { + "BaseSeverity": "Low", + "Status": "verified" + } + } + ], + "fix": { + "versions": [], + "state": "" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "javascript-matcher", + "searchedBy": { + "cpe": "somecpe" + }, + "found": { + "constraint": "somecpe" + } + } + ], + "artifact": { + "id": "f45d1ab14d63730d", + "name": "package-3", + "version": "3.3.3", + "type": "npm", + "locations": [ + { + "path": "/foo/bar/somefile-3.txt" + } + ], + "language": "", + "licenses": [ + "MIT", + "Apache-2.0" + ], + "cpes": [ + "cpe:2.3:a:anchore:engine:3.3.3:*:*:python:*:*:*:*" + ], + "purl": "", + "upstreams": [] + } } ], "source": { diff --git a/grype/presenter/json/test-fixtures/snapshot/TestJsonImgsPresenter.golden b/grype/presenter/json/test-fixtures/snapshot/TestJsonImgsPresenter.golden index 61e53cc15ec..31ff3025c0b 100644 --- a/grype/presenter/json/test-fixtures/snapshot/TestJsonImgsPresenter.golden +++ b/grype/presenter/json/test-fixtures/snapshot/TestJsonImgsPresenter.golden 
@@ -127,6 +127,69 @@ "purl": "", "upstreams": [] } + }, + { + "vulnerability": { + "id": "CVE-1999-0003", + "dataSource": "", + "severity": "High", + "urls": [], + "description": "1999-03 description", + "cvss": [ + { + "version": "3.0", + "vector": "vector", + "metrics": { + "baseScore": 1, + "exploitabilityScore": 2, + "impactScore": 3 + }, + "vendorMetadata": { + "BaseSeverity": "Low", + "Status": "verified" + } + } + ], + "fix": { + "versions": [], + "state": "" + }, + "advisories": [] + }, + "relatedVulnerabilities": [], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "javascript-matcher", + "searchedBy": { + "cpe": "somecpe" + }, + "found": { + "constraint": "somecpe" + } + } + ], + "artifact": { + "id": "f45d1ab14d63730d", + "name": "package-3", + "version": "3.3.3", + "type": "npm", + "locations": [ + { + "path": "/foo/bar/somefile-3.txt" + } + ], + "language": "", + "licenses": [ + "MIT", + "Apache-2.0" + ], + "cpes": [ + "cpe:2.3:a:anchore:engine:3.3.3:*:*:python:*:*:*:*" + ], + "purl": "", + "upstreams": [] + } } ], "source": { diff --git a/grype/presenter/models/document_test.go b/grype/presenter/models/document_test.go index 9c9836177bc..0115bdf9a09 100644 --- a/grype/presenter/models/document_test.go +++ b/grype/presenter/models/document_test.go @@ -31,14 +31,21 @@ func TestPackagesAreSorted(t *testing.T) { Type: syftPkg.DebPkg, } + var pkg3 = pkg.Package{ + ID: "package-3-id", + Name: "package-3", + Version: "3.3.3", + Type: syftPkg.NpmPkg, + } + var match1 = match.Match{ Vulnerability: vulnerability.Vulnerability{ ID: "CVE-1999-0003", }, - Package: pkg1, + Package: pkg3, Details: match.Details{ { - Type: match.ExactDirectMatch, + Type: match.ExactIndirectMatch, }, }, } @@ -47,7 +54,7 @@ func TestPackagesAreSorted(t *testing.T) { Vulnerability: vulnerability.Vulnerability{ ID: "CVE-1999-0002", }, - Package: pkg1, + Package: pkg2, Details: match.Details{ { Type: match.ExactIndirectMatch, 
@@ -70,7 +77,7 @@ func TestPackagesAreSorted(t *testing.T) { matches := match.NewMatches() matches.Add(match1, match2, match3) - packages := []pkg.Package{pkg1, pkg2} + packages := []pkg.Package{pkg1, pkg2, pkg3} ctx := pkg.Context{ Source: &syftSource.Description{ diff --git a/grype/presenter/models/metadata_mock.go b/grype/presenter/models/metadata_mock.go index cade2230f02..b9728bad2df 100644 --- a/grype/presenter/models/metadata_mock.go +++ b/grype/presenter/models/metadata_mock.go @@ -15,6 +15,8 @@ type MockVendorMetadata struct { } // NewMetadataMock returns a new instance of MetadataMock. +// +//nolint:funlen func NewMetadataMock() *MetadataMock { return &MetadataMock{ store: map[string]map[string]vulnerability.Metadata{ @@ -55,9 +57,24 @@ func NewMetadataMock() *MetadataMock { }, }, "CVE-1999-0003": { - "source-1": { + "source-3": { Description: "1999-03 description", Severity: "High", + Cvss: []vulnerability.Cvss{ + { + Metrics: vulnerability.NewCvssMetrics( + 1, + 2, + 3, + ), + Vector: "vector", + Version: "3.0", + VendorMetadata: MockVendorMetadata{ + BaseSeverity: "Low", + Status: "verified", + }, + }, + }, }, }, "CVE-1999-0004": { diff --git a/grype/presenter/sarif/presenter_test.go b/grype/presenter/sarif/presenter_test.go index e6a14fc1567..8f8c345efcb 100644 --- a/grype/presenter/sarif/presenter_test.go +++ b/grype/presenter/sarif/presenter_test.go @@ -221,6 +221,7 @@ func TestToSarifReport(t *testing.T) { locations: map[string]string{ "CVE-1999-0001-package-1": "/some/path/somefile-1.txt", "CVE-1999-0002-package-2": "/some/path/somefile-2.txt", + "CVE-1999-0003-package-3": "/some/path/somefile-3.txt", }, }, { @@ -229,6 +230,7 @@ func TestToSarifReport(t *testing.T) { locations: map[string]string{ "CVE-1999-0001-package-1": "image/somefile-1.txt", "CVE-1999-0002-package-2": "image/somefile-2.txt", + "CVE-1999-0003-package-3": "image/somefile-3.txt", }, }, } 
@@ -260,11 +262,12 @@ func TestToSarifReport(t *testing.T) { // Sorted by vulnID, pkg name, ... run := report.Runs[0] - assert.Len(t, run.Tool.Driver.Rules, 2) + assert.Len(t, run.Tool.Driver.Rules, 3) assert.Equal(t, "CVE-1999-0001-package-1", run.Tool.Driver.Rules[0].ID) assert.Equal(t, "CVE-1999-0002-package-2", run.Tool.Driver.Rules[1].ID) + assert.Equal(t, "CVE-1999-0003-package-3", run.Tool.Driver.Rules[2].ID) - assert.Len(t, run.Results, 2) + assert.Len(t, run.Results, 3) result := run.Results[0] assert.Equal(t, "CVE-1999-0001-package-1", *result.RuleID) assert.Len(t, result.Locations, 1) @@ -284,6 +287,16 @@ func TestToSarifReport(t *testing.T) { t.Fatalf("no expected location for %s", *result.RuleID) } assert.Equal(t, expectedLocation, *location.PhysicalLocation.ArtifactLocation.URI) + + result = run.Results[2] + assert.Equal(t, "CVE-1999-0003-package-3", *result.RuleID) + assert.Len(t, result.Locations, 1) + location = result.Locations[0] + expectedLocation, ok = tc.locations[*result.RuleID] + if !ok { + t.Fatalf("no expected location for %s", *result.RuleID) + } + assert.Equal(t, expectedLocation, *location.PhysicalLocation.ArtifactLocation.URI) }) } diff --git a/grype/presenter/sarif/test-fixtures/snapshot/TestSarifPresenter_directory.golden b/grype/presenter/sarif/test-fixtures/snapshot/TestSarifPresenter_directory.golden index b76b533733b..63640a44f82 100644 --- a/grype/presenter/sarif/test-fixtures/snapshot/TestSarifPresenter_directory.golden +++ b/grype/presenter/sarif/test-fixtures/snapshot/TestSarifPresenter_directory.golden 
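Review bot: In the added block for `run.Results[2]`, `assert.Len(t, result.Locations, 1)` does not stop the test, so `result.Locations[0]` on the next line panics with an index error when the length is wrong. The same applies to indexing `run.Results[2]` after `assert.Len(t, run.Results, 3)` in the previous hunk. Use the boolean result of the assertion, e.g. `if !assert.Len(t, result.Locations, 1) { return }`. As far as the visible context shows, this block is a third copy of the same assertions, so a loop over the expected rule IDs would keep the checks in one place. The subtest body starts and ends outside the hunk.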
@@ -44,6 +44,24 @@ "properties": { "security-severity": "1.0" } + }, + { + "id": "CVE-1999-0003-package-3", + "name": "JavascriptMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-1999-0003 high vulnerability for package-3 package" + }, + "fullDescription": { + "text": "1999-03 description" + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-1999-0003\nSeverity: high\nPackage: package-3\nVersion: 3.3.3\nFix Version: \nType: npm\nLocation: /some/path/somefile-3.txt\nData Namespace: source-3\nLink: CVE-1999-0003", + "markdown": "**Vulnerability CVE-1999-0003**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| high | package-3 | 3.3.3 | | npm | /some/path/somefile-3.txt | source-3 | CVE-1999-0003 |\n" + }, + "properties": { + "security-severity": "1.0" + } } ] } @@ -90,6 +108,27 @@ } } ] + }, + { + "ruleId": "CVE-1999-0003-package-3", + "message": { + "text": "The path /some/path/somefile-3.txt reports package-3 at version 3.3.3 which would result in a vulnerable (npm) package installed" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "/some/path/somefile-3.txt" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ] } ] } diff --git a/grype/presenter/sarif/test-fixtures/snapshot/TestSarifPresenter_image.golden b/grype/presenter/sarif/test-fixtures/snapshot/TestSarifPresenter_image.golden index da0565640f0..eee72df5c38 100644 --- a/grype/presenter/sarif/test-fixtures/snapshot/TestSarifPresenter_image.golden +++ b/grype/presenter/sarif/test-fixtures/snapshot/TestSarifPresenter_image.golden 
@@ -44,6 +44,24 @@ "properties": { "security-severity": "1.0" } + }, + { + "id": "CVE-1999-0003-package-3", + "name": "JavascriptMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-1999-0003 high vulnerability for package-3 package" + }, + "fullDescription": { + "text": "1999-03 description" + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-1999-0003\nSeverity: high\nPackage: package-3\nVersion: 3.3.3\nFix Version: \nType: npm\nLocation: somefile-3.txt\nData Namespace: source-3\nLink: CVE-1999-0003", + "markdown": "**Vulnerability CVE-1999-0003**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| high | package-3 | 3.3.3 | | npm | somefile-3.txt | source-3 | CVE-1999-0003 |\n" + }, + "properties": { + "security-severity": "1.0" + } } ] } @@ -102,6 +120,33 @@ ] } ] + }, + { + "ruleId": "CVE-1999-0003-package-3", + "message": { + "text": "The path somefile-3.txt reports package-3 at version 3.3.3 which is a vulnerable (npm) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image/somefile-3.txt" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/foo/bar/somefile-3.txt", + "fullyQualifiedName": "user-input@:/somefile-3.txt" + } + ] + } + ] } ] } diff --git a/grype/presenter/table/__snapshots__/presenter_test.snap b/grype/presenter/table/__snapshots__/presenter_test.snap index b063a9cee46..08e20f5270b 100755 --- a/grype/presenter/table/__snapshots__/presenter_test.snap +++ b/grype/presenter/table/__snapshots__/presenter_test.snap 
@@ -1,18 +1,21 @@ [TestTablePresenter/no_color - 1] -NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY -package-1 1.1.1 the-next-version rpm CVE-1999-0001 Low -package-2 2.2.2 deb CVE-1999-0002 Critical +NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY LOCATION +package-1 1.1.1 the-next-version rpm CVE-1999-0001 Low +package-2 2.2.2 deb CVE-1999-0002 Critical +package-3 3.3.3 npm CVE-1999-0003 High /foo/bar/somefile-3.txt --- [TestTablePresenter/with_color - 1] -NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY -package-1 1.1.1 the-next-version rpm CVE-1999-0001 Low -package-2 2.2.2 deb CVE-1999-0002 Critical -NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY -package-1 1.1.1 the-next-version rpm CVE-1999-0001 Low -package-2 2.2.2 deb CVE-1999-0002 Critical +NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY LOCATION +package-1 1.1.1 the-next-version rpm CVE-1999-0001 Low +package-2 2.2.2 deb CVE-1999-0002 Critical +package-3 3.3.3 npm CVE-1999-0003 High /foo/bar/somefile-3.txt +NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY LOCATION +package-1 1.1.1 the-next-version rpm CVE-1999-0001 Low +package-2 2.2.2 deb CVE-1999-0002 Critical +package-3 3.3.3 npm CVE-1999-0003 High /foo/bar/somefile-3.txt --- 
@@ -22,18 +25,20 @@ No vulnerabilities found --- [TestHidesIgnoredMatches - 1] -NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY -package-1 1.1.1 the-next-version rpm CVE-1999-0001 Low -package-2 2.2.2 deb CVE-1999-0002 Critical +NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY LOCATION +package-1 1.1.1 the-next-version rpm CVE-1999-0001 Low +package-2 2.2.2 deb CVE-1999-0002 Critical +package-3 3.3.3 npm CVE-1999-0003 High /foo/bar/somefile-3.txt --- [TestDisplaysIgnoredMatches - 1] -NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY -package-1 1.1.1 the-next-version rpm CVE-1999-0001 Low -package-2 2.2.2 deb CVE-1999-0002 Critical -package-2 2.2.2 deb CVE-1999-0004 Critical (suppressed by VEX) -package-2 2.2.2 deb CVE-1999-0002 Critical (suppressed) -package-2 2.2.2 deb CVE-1999-0001 Low (suppressed) +NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY LOCATION +package-1 1.1.1 the-next-version rpm CVE-1999-0001 Low +package-2 2.2.2 deb CVE-1999-0002 Critical +package-2 2.2.2 deb CVE-1999-0004 Critical (suppressed by VEX) +package-2 2.2.2 deb CVE-1999-0002 Critical (suppressed) +package-2 2.2.2 deb CVE-1999-0001 Low (suppressed) +package-3 3.3.3 npm CVE-1999-0003 High /foo/bar/somefile-3.txt --- diff --git a/grype/presenter/table/presenter.go b/grype/presenter/table/presenter.go index b5ba456d49a..122725b6b5e 100644 --- a/grype/presenter/table/presenter.go +++ b/grype/presenter/table/presenter.go @@ -14,6 +14,7 @@ import ( "github.com/anchore/grype/grype/pkg" "github.com/anchore/grype/grype/presenter/models" "github.com/anchore/grype/grype/vulnerability" + syftPkg "github.com/anchore/syft/syft/pkg" ) const ( 
@@ -31,6 +32,13 @@ type Presenter struct { withColor bool } +// Set the package type to true to not display the location information for that type +var suppressLocation map[syftPkg.Type]bool = map[syftPkg.Type]bool{ + syftPkg.ApkPkg: true, + syftPkg.DebPkg: true, + syftPkg.RpmPkg: true, +} + // NewPresenter is a *Presenter constructor func NewPresenter(pb models.PresenterConfig, showSuppressed bool) *Presenter { return &Presenter{ @@ -47,7 +55,7 @@ func NewPresenter(pb models.PresenterConfig, showSuppressed bool) *Presenter { func (pres *Presenter) Present(output io.Writer) error { rows := make([][]string, 0) - columns := []string{"Name", "Installed", "Fixed-In", "Type", "Vulnerability", "Severity"} + columns := []string{"Name", "Installed", "Fixed-In", "Type", "Vulnerability", "Severity", "Location"} // Generate rows for matching vulnerabilities for m := range pres.results.Enumerate() { row, err := createRow(m, pres.metadataProvider, "") @@ -187,7 +195,12 @@ func createRow(m match.Match, metadataProvider vulnerability.MetadataProvider, s fixVersion = "" } - return []string{m.Package.Name, m.Package.Version, fixVersion, string(m.Package.Type), m.Vulnerability.ID, severity}, nil + var locationPaths string + if !suppressLocation[m.Package.Type] { + locationPaths = strings.Join(m.Package.Locations.CoordinateSet().Paths(), ",") + } + + return []string{m.Package.Name, m.Package.Version, fixVersion, string(m.Package.Type), m.Vulnerability.ID, severity, locationPaths}, nil } func getSeverityColor(severity string) tablewriter.Colors { diff --git a/grype/presenter/table/presenter_test.go b/grype/presenter/table/presenter_test.go index 948c7c1fc30..0061bf00a71 100644 --- a/grype/presenter/table/presenter_test.go +++ b/grype/presenter/table/presenter_test.go @@ -2,6 +2,7 @@ package table import ( "bytes" + "strings" "testing" "github.com/gkampitakis/go-snaps/snaps" 
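Review bot: The comment on `suppressLocation` does not start with the identifier and does not say why these types are excluded, and the declaration repeats the map type on both sides. Suggested: `// suppressLocation lists the package types whose Location column is left empty by createRow.` followed by `var suppressLocation = map[syftPkg.Type]bool{`. If the reason is that OS package-manager entries all resolve to the same package database path, say so in the comment; that reason is inferred, not stated in the hunk. It is also worth documenting that apk, deb and rpm findings then carry no path in the table, so a reader has to use another output format to locate them.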
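Review bot: In the createRow hunk the location paths are joined with `","`, while the new "create row for location" expectation in presenter_test.go builds its value with `", "`; the two agree only because the package-3 fixture has a single location. Pick one separator, e.g. `locationPaths = strings.Join(m.Package.Locations.CoordinateSet().Paths(), ", ")`, and add a fixture with two locations so the test pins it. These paths come from the scanned artifact, so presumably they can contain commas, newlines or terminal escape sequences; confirm that control characters are neutralised before the row reaches the terminal. createRow starts above the hunk, and `strings` is assumed to be imported already in presenter.go.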
@@ -14,30 +15,36 @@ import ( "github.com/anchore/grype/grype/pkg" "github.com/anchore/grype/grype/presenter/internal" "github.com/anchore/grype/grype/presenter/models" - "github.com/anchore/grype/grype/vulnerability" syftPkg "github.com/anchore/syft/syft/pkg" ) func TestCreateRow(t *testing.T) { - pkg1 := pkg.Package{ - ID: "package-1-id", - Name: "package-1", - Version: "1.0.1", - Type: syftPkg.DebPkg, + + _, matches, _, _, _, _, _ := internal.GenerateAnalysis(t, internal.ImageSource) + var match1, match2, match3 match.Match + + for m := range matches.Enumerate() { + switch m.Vulnerability.ID { + case "CVE-1999-0001": + match1 = m + case "CVE-1999-0002": + match2 = m + case "CVE-1999-0003": + match3 = m + } } - match1 := match.Match{ - Vulnerability: vulnerability.Vulnerability{ - ID: "CVE-1999-0001", - Namespace: "source-1", - }, - Package: pkg1, - Details: []match.Detail{ - { - Type: match.ExactDirectMatch, - Matcher: match.DpkgMatcher, - }, + + match4 := match.Match{ + Vulnerability: match2.Vulnerability, + Details: match2.Details, + Package: pkg.Package{ + ID: match2.Package.ID, + Name: match2.Package.Name, + Version: match2.Package.Version, + Type: syftPkg.ApkPkg, }, } + cases := []struct { name string match match.Match 
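Review bot: `match4` is built without `Locations`, so the "create row for suppressed location (apk)" case gets an empty last column even if `syftPkg.ApkPkg` were missing from `suppressLocation`; the case does not exercise the suppression. Add `Locations: match2.Package.Locations,` to the literal (assuming the package-2 fixture carries a location, as the SARIF fixtures suggest). Separately, if the fixture ever lacks one of the three IDs, the switch leaves a zero-value match behind; a guard such as `if match3.Vulnerability.ID == "" { t.Fatal("CVE-1999-0003 not in fixture") }` would make that fail clearly. TestCreateRow continues below the hunk.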
@@ -50,14 +57,42 @@ func TestCreateRow(t *testing.T) { match: match1, severitySuffix: "", expectedErr: nil, - expectedRow: []string{match1.Package.Name, match1.Package.Version, "", string(match1.Package.Type), match1.Vulnerability.ID, "Low"}, + expectedRow: []string{match1.Package.Name, match1.Package.Version, "the-next-version", string(match1.Package.Type), match1.Vulnerability.ID, "Low", ""}, }, { name: "create row for suppressed vulnerability", match: match1, severitySuffix: appendSuppressed, expectedErr: nil, - expectedRow: []string{match1.Package.Name, match1.Package.Version, "", string(match1.Package.Type), match1.Vulnerability.ID, "Low (suppressed)"}, + expectedRow: []string{match1.Package.Name, match1.Package.Version, "the-next-version", string(match1.Package.Type), match1.Vulnerability.ID, "Low (suppressed)", ""}, + }, + { + name: "create row for suppressed location (rpm)", + match: match1, + severitySuffix: "", + expectedErr: nil, + expectedRow: []string{match1.Package.Name, match1.Package.Version, "the-next-version", string(match1.Package.Type), match1.Vulnerability.ID, "Low", ""}, + }, + { + name: "create row for suppressed location (deb)", + match: match2, + severitySuffix: "", + expectedErr: nil, + expectedRow: []string{match2.Package.Name, match2.Package.Version, "", string(match2.Package.Type), match2.Vulnerability.ID, "Critical", ""}, + }, + { + name: "create row for location", + match: match3, + severitySuffix: "", + expectedErr: nil, + expectedRow: []string{match3.Package.Name, match3.Package.Version, "", string(match3.Package.Type), match3.Vulnerability.ID, "High", strings.Join(match3.Package.Locations.CoordinateSet().Paths(), ", ")}, + }, + { + name: "create row for suppressed location (apk)", + match: match4, + severitySuffix: "", + expectedErr: nil, + expectedRow: []string{match4.Package.Name, match4.Package.Version, "", string(match4.Package.Type), match4.Vulnerability.ID, "Critical", ""}, }, } 
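Review bot: The added case "create row for suppressed location (rpm)" has the same `match`, `severitySuffix` and `expectedRow` as the first case "create row for vulnerability", so it adds no coverage. Either drop it or rename the first case so that one table entry documents the rpm suppression. The case table and the loop that runs it extend outside this hunk.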
diff --git a/grype/presenter/template/test-fixtures/snapshot/TestPresenter_Present.golden b/grype/presenter/template/test-fixtures/snapshot/TestPresenter_Present.golden index 0ac37fa30dc..bff46848180 100644 --- a/grype/presenter/template/test-fixtures/snapshot/TestPresenter_Present.golden +++ b/grype/presenter/template/test-fixtures/snapshot/TestPresenter_Present.golden @@ -9,4 +9,9 @@ Identified distro as centos version 8.0. Package: package-2 version 2.2.2 (deb) CPEs: ["cpe:2.3:a:anchore:engine:2.2.2:*:*:python:*:*:*:*"] Matched by: dpkg-matcher + Vulnerability: CVE-1999-0003 + Severity: High + Package: package-3 version 3.3.3 (npm) + CPEs: ["cpe:2.3:a:anchore:engine:3.3.3:*:*:python:*:*:*:*"] + Matched by: javascript-matcher