feat: add only-fixed option (#208)

Signed-off-by: Luca Comellini <[email protected]>

.gitignore

@@ -121,3 +121,4 @@ typings/
 # Action temporary files
 results.sarif
 vulnerabilities.json
+results.json

README.md

@@ -128,6 +128,7 @@ The inputs `image`, `path`, and `sbom` are mutually exclusive to specify the sou
 | `fail-build`        | Fail the build if a vulnerability is found with a higher severity. That severity defaults to `medium` and can be set with `severity-cutoff`.                                                                                                                     | `true`        |
 | `output-format`     | Set the output parameter after successful action execution. Valid choices are `json`, `sarif`, and `table`, where `table` output will print to the console instead of generating a file.                                                                         | `sarif`       |
 | `severity-cutoff`   | Optionally specify the minimum vulnerability severity to trigger a failure. Valid choices are "negligible", "low", "medium", "high" and "critical". Any vulnerability with a severity less than this value will lead to a "warning" result. Default is "medium". | `medium`      |
+| `only-fixed`        | Specify whether to only report vulnerabilities that have a fix available.                                                                                                                                                                                        | `false`       |
 
 ### Action Outputs
 

action.yml

@@ -25,6 +25,10 @@ inputs:
     description: 'Optionally specify the minimum vulnerability severity to trigger an "error" level ACS result.  Valid choices are "negligible", "low", "medium", "high" and "critical".  Any vulnerability with a severity less than this value will lead to a "warning" result.  Default is "medium".'
     required: false
     default: "medium"
+  only-fixed:
+    description: "Specify whether to only report vulnerabilities that have a fix available.  Default is false."
+    required: false
+    default: "false"
 outputs:
   sarif:
     description: "Path to a SARIF report file for the image"

dist/index.js

@@ -103,10 +103,12 @@ async function run() {
     const failBuild = core.getInput("fail-build") || "true";
     const outputFormat = core.getInput("output-format") || "sarif";
     const severityCutoff = core.getInput("severity-cutoff") || "medium";
+    const onlyFixed = core.getInput("only-fixed") || "false";
     const out = await runScan({
       source,
       failBuild,
       severityCutoff,
+      onlyFixed,
       outputFormat,
     });
     Object.keys(out).map((key) => {
@@ -117,7 +119,7 @@ async function run() {
   }
 }
 
-async function runScan({ source, failBuild, severityCutoff, outputFormat }) {
+async function runScan({ source, failBuild, severityCutoff, onlyFixed, outputFormat }) {
   const out = {};
 
   const env = {
@@ -147,6 +149,7 @@ async function runScan({ source, failBuild, severityCutoff, outputFormat }) {
   }
 
   failBuild = failBuild.toLowerCase() === "true";
+  onlyFixed = onlyFixed.toLowerCase() === "true";
 
   cmdArgs.push("-o", outputFormat);
 
@@ -179,6 +182,7 @@ async function runScan({ source, failBuild, severityCutoff, outputFormat }) {
   core.debug("Source: " + source);
   core.debug("Fail Build: " + failBuild);
   core.debug("Severity Cutoff: " + severityCutoff);
+  core.debug("Only Fixed: " + onlyFixed);
   core.debug("Output Format: " + outputFormat);
 
   core.debug("Creating options for GRYPE analyzer");
@@ -190,6 +194,9 @@ async function runScan({ source, failBuild, severityCutoff, outputFormat }) {
     cmdArgs.push("--fail-on");
     cmdArgs.push(severityCutoff.toLowerCase());
   }
+  if (onlyFixed === true) {
+    cmdArgs.push("--only-fixed");
+  }
   cmdArgs.push(source);
 
   // This /dev/null writable stream is required so the entire Grype output

index.js

@@ -89,10 +89,12 @@ async function run() {
     const failBuild = core.getInput("fail-build") || "true";
     const outputFormat = core.getInput("output-format") || "sarif";
     const severityCutoff = core.getInput("severity-cutoff") || "medium";
+    const onlyFixed = core.getInput("only-fixed") || "false";
     const out = await runScan({
       source,
       failBuild,
       severityCutoff,
+      onlyFixed,
       outputFormat,
     });
     Object.keys(out).map((key) => {
@@ -103,7 +105,7 @@ async function run() {
   }
 }
 
-async function runScan({ source, failBuild, severityCutoff, outputFormat }) {
+async function runScan({ source, failBuild, severityCutoff, onlyFixed, outputFormat }) {
   const out = {};
 
   const env = {
@@ -133,6 +135,7 @@ async function runScan({ source, failBuild, severityCutoff, outputFormat }) {
   }
 
   failBuild = failBuild.toLowerCase() === "true";
+  onlyFixed = onlyFixed.toLowerCase() === "true";
 
   cmdArgs.push("-o", outputFormat);
 
@@ -165,6 +168,7 @@ async function runScan({ source, failBuild, severityCutoff, outputFormat }) {
   core.debug("Source: " + source);
   core.debug("Fail Build: " + failBuild);
   core.debug("Severity Cutoff: " + severityCutoff);
+  core.debug("Only Fixed: " + onlyFixed);
   core.debug("Output Format: " + outputFormat);
 
   core.debug("Creating options for GRYPE analyzer");
@@ -176,6 +180,9 @@ async function runScan({ source, failBuild, severityCutoff, outputFormat }) {
     cmdArgs.push("--fail-on");
     cmdArgs.push(severityCutoff.toLowerCase());
   }
+  if (onlyFixed === true) {
+    cmdArgs.push("--only-fixed");
+  }
   cmdArgs.push(source);
 
   // This /dev/null writable stream is required so the entire Grype output

tests/grype_command.test.js

@@ -31,6 +31,7 @@ describe("Grype command", () => {
       outputFormat: "sarif",
       severityCutoff: "high",
       version: "0.6.0",
+      onlyFixed: "false",
     });
     expect(cmd).toBe("grype -o sarif --fail-on high dir:.");
   });
@@ -42,6 +43,7 @@ describe("Grype command", () => {
       outputFormat: "json",
       severityCutoff: "low",
       version: "0.6.0",
+      onlyFixed: "false",
     });
     expect(cmd).toBe("grype -o json --fail-on low asdf");
   });

tests/sarif_output.test.js

@@ -19,6 +19,7 @@ const testSource = async (source, vulnerabilities) => {
     failBuild: "false",
     outputFormat: "sarif",
     severityCutoff: "medium",
+    onlyFixed: "false",
   });
 
   // expect to get sarif output