diff --git a/cmd/osv-scanner/__snapshots__/main_test.snap b/cmd/osv-scanner/__snapshots__/main_test.snap index 80c1133296f..cbd75b6d0c9 100755 --- a/cmd/osv-scanner/__snapshots__/main_test.snap +++ b/cmd/osv-scanner/__snapshots__/main_test.snap 
@@ -2607,12 +2607,21 @@ Scanned /fixtures/maven-transitive/pom.xml file and found 3 packages [TestRun_OCIImage/Alpine_3.10_image_tar_with_3.18_version_file - 1] Scanning image ../../internal/image/fixtures/test-alpine.tar -+--------------------------------+------+--------------+---------+-----------+---------------------------------------------------------------------+ -| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | SOURCE | -+--------------------------------+------+--------------+---------+-----------+---------------------------------------------------------------------+ -| https://osv.dev/CVE-2018-25032 | 7.5 | Alpine:v3.18 | zlib | 1.2.11-r1 | ../../internal/image/fixtures/test-alpine.tar:/lib/apk/db/installed | -| https://osv.dev/CVE-2022-37434 | 9.8 | Alpine:v3.18 | zlib | 1.2.11-r1 | ../../internal/image/fixtures/test-alpine.tar:/lib/apk/db/installed | -+--------------------------------+------+--------------+---------+-----------+---------------------------------------------------------------------+ +Total 1 packages affected by 2 vulnerabilities (1 Critical, 1 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystems. +2 vulnerabilities have fixes available. + +Alpine:v3.18 ++----------------------------------------------------------+ +| Source:docker:../../internal/image/fixtures/test-alpine. | +| tar:/lib/apk/db/installed | ++---------+-------------------+---------------+------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | ++---------+-------------------+---------------+------------+ +| zlib | 1.2.11-r1 | Fix Available | 2 | ++---------+-------------------+---------------+------------+ + +For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner --format html --output results.html`. +You can also view the full vulnerability list in your terminal with: `osv-scanner --format vertical`. --- 
@@ -2632,14 +2641,21 @@ failed to load image ./fixtures/oci-image/no-file-here.tar: open ./fixtures/oci- [TestRun_OCIImage/scanning_node_modules_using_npm_with_no_packages - 1] Scanning image ../../internal/image/fixtures/test-node_modules-npm-empty.tar -+--------------------------------+------+--------------+---------+------------+-------------------------------------------------------------------------------------+ -| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | SOURCE | -+--------------------------------+------+--------------+---------+------------+-------------------------------------------------------------------------------------+ -| https://osv.dev/CVE-2023-42363 | 5.5 | Alpine:v3.19 | busybox | 1.36.1-r15 | ../../internal/image/fixtures/test-node_modules-npm-empty.tar:/lib/apk/db/installed | -| https://osv.dev/CVE-2023-42364 | 5.5 | Alpine:v3.19 | busybox | 1.36.1-r15 | ../../internal/image/fixtures/test-node_modules-npm-empty.tar:/lib/apk/db/installed | -| https://osv.dev/CVE-2023-42365 | 5.5 | Alpine:v3.19 | busybox | 1.36.1-r15 | ../../internal/image/fixtures/test-node_modules-npm-empty.tar:/lib/apk/db/installed | -| https://osv.dev/CVE-2023-42366 | 5.5 | Alpine:v3.19 | busybox | 1.36.1-r15 | ../../internal/image/fixtures/test-node_modules-npm-empty.tar:/lib/apk/db/installed | -+--------------------------------+------+--------------+---------+------------+-------------------------------------------------------------------------------------+ +Total 1 packages affected by 4 vulnerabilities (0 Critical, 0 High, 4 Medium, 0 Low, 0 Unknown) from 1 ecosystems. +4 vulnerabilities have fixes available. 
+ +Alpine:v3.19 ++----------------------------------------------------------+ +| Source:docker:../../internal/image/fixtures/test-node_mo | +| dules-npm-empty.tar:/lib/apk/db/installed | ++---------+-------------------+---------------+------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | ++---------+-------------------+---------------+------------+ +| busybox | 1.36.1-r15 | Fix Available | 4 | ++---------+-------------------+---------------+------------+ + +For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner --format html --output results.html`. +You can also view the full vulnerability list in your terminal with: `osv-scanner --format vertical`. --- 
@@ -2649,17 +2665,31 @@ Scanning image ../../internal/image/fixtures/test-node_modules-npm-empty.tar [TestRun_OCIImage/scanning_node_modules_using_npm_with_some_packages - 1] Scanning image ../../internal/image/fixtures/test-node_modules-npm-full.tar -+-------------------------------------+------+--------------+----------+------------+-------------------------------------------------------------------------------------------------------+ -| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | SOURCE | -+-------------------------------------+------+--------------+----------+------------+-------------------------------------------------------------------------------------------------------+ -| https://osv.dev/CVE-2023-42363 | 5.5 | Alpine:v3.19 | busybox | 1.36.1-r15 | ../../internal/image/fixtures/test-node_modules-npm-full.tar:/lib/apk/db/installed | -| https://osv.dev/CVE-2023-42364 | 5.5 | Alpine:v3.19 | busybox | 1.36.1-r15 | ../../internal/image/fixtures/test-node_modules-npm-full.tar:/lib/apk/db/installed | -| https://osv.dev/CVE-2023-42365 | 5.5 | Alpine:v3.19 | busybox | 1.36.1-r15 | ../../internal/image/fixtures/test-node_modules-npm-full.tar:/lib/apk/db/installed | -| https://osv.dev/CVE-2023-42366 | 5.5 | Alpine:v3.19 | busybox | 1.36.1-r15 | ../../internal/image/fixtures/test-node_modules-npm-full.tar:/lib/apk/db/installed | -| https://osv.dev/GHSA-38f5-ghc2-fcmv | 9.8 | npm | cryo | 0.0.6 | ../../internal/image/fixtures/test-node_modules-npm-full.tar:/usr/app/node_modules/.package-lock.json | -| https://osv.dev/GHSA-vh95-rmgr-6w4m | 9.8 | npm | minimist | 0.0.8 | ../../internal/image/fixtures/test-node_modules-npm-full.tar:/usr/app/node_modules/.package-lock.json | -| https://osv.dev/GHSA-xvch-5gv4-984h | | | | | | -+-------------------------------------+------+--------------+----------+------------+-------------------------------------------------------------------------------------------------------+ +Total 3 packages affected by 6 vulnerabilities (2 
Critical, 0 High, 4 Medium, 0 Low, 0 Unknown) from 2 ecosystems. +5 vulnerabilities have fixes available. + +npm ++--------------------------------------------------------------+ +| Source:docker:../../internal/image/fixtures/test-node_module | +| s-npm-full.tar:/usr/app/node_modules/.package-lock.json | ++----------+-------------------+------------------+------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | ++----------+-------------------+------------------+------------+ +| cryo | 0.0.6 | No fix available | 1 | +| minimist | 0.0.8 | Fix Available | 1 | ++----------+-------------------+------------------+------------+ +Alpine:v3.19 ++----------------------------------------------------------+ +| Source:docker:../../internal/image/fixtures/test-node_mo | +| dules-npm-full.tar:/lib/apk/db/installed | ++---------+-------------------+---------------+------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | ++---------+-------------------+---------------+------------+ +| busybox | 1.36.1-r15 | Fix Available | 4 | ++---------+-------------------+---------------+------------+ + +For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner --format html --output results.html`. +You can also view the full vulnerability list in your terminal with: `osv-scanner --format vertical`. --- 
@@ -2669,14 +2699,21 @@ Scanning image ../../internal/image/fixtures/test-node_modules-npm-full.tar [TestRun_OCIImage/scanning_node_modules_using_pnpm_with_no_packages - 1] Scanning image ../../internal/image/fixtures/test-node_modules-pnpm-empty.tar -+--------------------------------+------+--------------+---------+------------+--------------------------------------------------------------------------------------+ -| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | SOURCE | -+--------------------------------+------+--------------+---------+------------+--------------------------------------------------------------------------------------+ -| https://osv.dev/CVE-2023-42363 | 5.5 | Alpine:v3.19 | busybox | 1.36.1-r15 | ../../internal/image/fixtures/test-node_modules-pnpm-empty.tar:/lib/apk/db/installed | -| https://osv.dev/CVE-2023-42364 | 5.5 | Alpine:v3.19 | busybox | 1.36.1-r15 | ../../internal/image/fixtures/test-node_modules-pnpm-empty.tar:/lib/apk/db/installed | -| https://osv.dev/CVE-2023-42365 | 5.5 | Alpine:v3.19 | busybox | 1.36.1-r15 | ../../internal/image/fixtures/test-node_modules-pnpm-empty.tar:/lib/apk/db/installed | -| https://osv.dev/CVE-2023-42366 | 5.5 | Alpine:v3.19 | busybox | 1.36.1-r15 | ../../internal/image/fixtures/test-node_modules-pnpm-empty.tar:/lib/apk/db/installed | -+--------------------------------+------+--------------+---------+------------+--------------------------------------------------------------------------------------+ +Total 1 packages affected by 4 vulnerabilities (0 Critical, 0 High, 4 Medium, 0 Low, 0 Unknown) from 1 ecosystems. +4 vulnerabilities have fixes available. 
+ +Alpine:v3.19 ++----------------------------------------------------------+ +| Source:docker:../../internal/image/fixtures/test-node_mo | +| dules-pnpm-empty.tar:/lib/apk/db/installed | ++---------+-------------------+---------------+------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | ++---------+-------------------+---------------+------------+ +| busybox | 1.36.1-r15 | Fix Available | 4 | ++---------+-------------------+---------------+------------+ + +For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner --format html --output results.html`. +You can also view the full vulnerability list in your terminal with: `osv-scanner --format vertical`. --- 
@@ -2686,14 +2723,21 @@ Scanning image ../../internal/image/fixtures/test-node_modules-pnpm-empty.tar [TestRun_OCIImage/scanning_node_modules_using_pnpm_with_some_packages - 1] Scanning image ../../internal/image/fixtures/test-node_modules-pnpm-full.tar -+--------------------------------+------+--------------+---------+------------+-------------------------------------------------------------------------------------+ -| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | SOURCE | -+--------------------------------+------+--------------+---------+------------+-------------------------------------------------------------------------------------+ -| https://osv.dev/CVE-2023-42363 | 5.5 | Alpine:v3.19 | busybox | 1.36.1-r15 | ../../internal/image/fixtures/test-node_modules-pnpm-full.tar:/lib/apk/db/installed | -| https://osv.dev/CVE-2023-42364 | 5.5 | Alpine:v3.19 | busybox | 1.36.1-r15 | ../../internal/image/fixtures/test-node_modules-pnpm-full.tar:/lib/apk/db/installed | -| https://osv.dev/CVE-2023-42365 | 5.5 | Alpine:v3.19 | busybox | 1.36.1-r15 | ../../internal/image/fixtures/test-node_modules-pnpm-full.tar:/lib/apk/db/installed | -| https://osv.dev/CVE-2023-42366 | 5.5 | Alpine:v3.19 | busybox | 1.36.1-r15 | ../../internal/image/fixtures/test-node_modules-pnpm-full.tar:/lib/apk/db/installed | -+--------------------------------+------+--------------+---------+------------+-------------------------------------------------------------------------------------+ +Total 1 packages affected by 4 vulnerabilities (0 Critical, 0 High, 4 Medium, 0 Low, 0 Unknown) from 1 ecosystems. +4 vulnerabilities have fixes available. 
+ +Alpine:v3.19 ++----------------------------------------------------------+ +| Source:docker:../../internal/image/fixtures/test-node_mo | +| dules-pnpm-full.tar:/lib/apk/db/installed | ++---------+-------------------+---------------+------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | ++---------+-------------------+---------------+------------+ +| busybox | 1.36.1-r15 | Fix Available | 4 | ++---------+-------------------+---------------+------------+ + +For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner --format html --output results.html`. +You can also view the full vulnerability list in your terminal with: `osv-scanner --format vertical`. --- 
@@ -2703,14 +2747,21 @@ Scanning image ../../internal/image/fixtures/test-node_modules-pnpm-full.tar [TestRun_OCIImage/scanning_node_modules_using_yarn_with_no_packages - 1] Scanning image ../../internal/image/fixtures/test-node_modules-yarn-empty.tar -+--------------------------------+------+--------------+---------+------------+--------------------------------------------------------------------------------------+ -| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | SOURCE | -+--------------------------------+------+--------------+---------+------------+--------------------------------------------------------------------------------------+ -| https://osv.dev/CVE-2023-42363 | 5.5 | Alpine:v3.19 | busybox | 1.36.1-r15 | ../../internal/image/fixtures/test-node_modules-yarn-empty.tar:/lib/apk/db/installed | -| https://osv.dev/CVE-2023-42364 | 5.5 | Alpine:v3.19 | busybox | 1.36.1-r15 | ../../internal/image/fixtures/test-node_modules-yarn-empty.tar:/lib/apk/db/installed | -| https://osv.dev/CVE-2023-42365 | 5.5 | Alpine:v3.19 | busybox | 1.36.1-r15 | ../../internal/image/fixtures/test-node_modules-yarn-empty.tar:/lib/apk/db/installed | -| https://osv.dev/CVE-2023-42366 | 5.5 | Alpine:v3.19 | busybox | 1.36.1-r15 | ../../internal/image/fixtures/test-node_modules-yarn-empty.tar:/lib/apk/db/installed | -+--------------------------------+------+--------------+---------+------------+--------------------------------------------------------------------------------------+ +Total 1 packages affected by 4 vulnerabilities (0 Critical, 0 High, 4 Medium, 0 Low, 0 Unknown) from 1 ecosystems. +4 vulnerabilities have fixes available. 
+ +Alpine:v3.19 ++----------------------------------------------------------+ +| Source:docker:../../internal/image/fixtures/test-node_mo | +| dules-yarn-empty.tar:/lib/apk/db/installed | ++---------+-------------------+---------------+------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | ++---------+-------------------+---------------+------------+ +| busybox | 1.36.1-r15 | Fix Available | 4 | ++---------+-------------------+---------------+------------+ + +For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner --format html --output results.html`. +You can also view the full vulnerability list in your terminal with: `osv-scanner --format vertical`. --- 
@@ -2720,14 +2771,21 @@ Scanning image ../../internal/image/fixtures/test-node_modules-yarn-empty.tar [TestRun_OCIImage/scanning_node_modules_using_yarn_with_some_packages - 1] Scanning image ../../internal/image/fixtures/test-node_modules-yarn-full.tar -+--------------------------------+------+--------------+---------+------------+-------------------------------------------------------------------------------------+ -| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | SOURCE | -+--------------------------------+------+--------------+---------+------------+-------------------------------------------------------------------------------------+ -| https://osv.dev/CVE-2023-42363 | 5.5 | Alpine:v3.19 | busybox | 1.36.1-r15 | ../../internal/image/fixtures/test-node_modules-yarn-full.tar:/lib/apk/db/installed | -| https://osv.dev/CVE-2023-42364 | 5.5 | Alpine:v3.19 | busybox | 1.36.1-r15 | ../../internal/image/fixtures/test-node_modules-yarn-full.tar:/lib/apk/db/installed | -| https://osv.dev/CVE-2023-42365 | 5.5 | Alpine:v3.19 | busybox | 1.36.1-r15 | ../../internal/image/fixtures/test-node_modules-yarn-full.tar:/lib/apk/db/installed | -| https://osv.dev/CVE-2023-42366 | 5.5 | Alpine:v3.19 | busybox | 1.36.1-r15 | ../../internal/image/fixtures/test-node_modules-yarn-full.tar:/lib/apk/db/installed | -+--------------------------------+------+--------------+---------+------------+-------------------------------------------------------------------------------------+ +Total 1 packages affected by 4 vulnerabilities (0 Critical, 0 High, 4 Medium, 0 Low, 0 Unknown) from 1 ecosystems. +4 vulnerabilities have fixes available. 
+ +Alpine:v3.19 ++----------------------------------------------------------+ +| Source:docker:../../internal/image/fixtures/test-node_mo | +| dules-yarn-full.tar:/lib/apk/db/installed | ++---------+-------------------+---------------+------------+ +| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | ++---------+-------------------+---------------+------------+ +| busybox | 1.36.1-r15 | Fix Available | 4 | ++---------+-------------------+---------------+------------+ + +For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner --format html --output results.html`. +You can also view the full vulnerability list in your terminal with: `osv-scanner --format vertical`. --- diff --git a/internal/output/__snapshots__/output_result_test.snap b/internal/output/__snapshots__/output_result_test.snap index e1b73185111..fdd3eec7e4b 100755 --- a/internal/output/__snapshots__/output_result_test.snap +++ b/internal/output/__snapshots__/output_result_test.snap @@ -256,9 +256,13 @@ "IsContainerScanning": false, "AllLayers": [], "VulnTypeCount": { - "All": 4, + "All": 6, "OS": 0, - "Project": 4, + "Project": 6, + "Uncalled": 0 + }, + "PackageTypeCount": { + "Called": 4, "Uncalled": 0 }, "VulnCount": { @@ -539,9 +543,13 @@ "IsContainerScanning": false, "AllLayers": [], "VulnTypeCount": { - "All": 4, + "All": 6, "OS": 0, - "Project": 4, + "Project": 6, + "Uncalled": 0 + }, + "PackageTypeCount": { + "Called": 4, "Uncalled": 0 }, "VulnCount": { @@ -814,6 +822,10 @@ "Project": 0, "Uncalled": 0 }, + "PackageTypeCount": { + "Called": 0, + "Uncalled": 0 + }, "VulnCount": { "CallAnalysisCount": { "Called": 0, @@ -1120,6 +1132,10 @@ "Project": 3, "Uncalled": 0 }, + "PackageTypeCount": { + "Called": 3, + "Uncalled": 0 + }, "VulnCount": { "CallAnalysisCount": { "Called": 3, 
@@ -1404,9 +1420,13 @@ "IsContainerScanning": false, "AllLayers": [], "VulnTypeCount": { - "All": 4, + "All": 6, "OS": 0, - "Project": 4, + "Project": 6, + "Uncalled": 0 + }, + "PackageTypeCount": { + "Called": 4, "Uncalled": 0 }, "VulnCount": { @@ -1694,9 +1714,13 @@ "IsContainerScanning": false, "AllLayers": [], "VulnTypeCount": { - "All": 4, + "All": 5, "OS": 0, - "Project": 4, + "Project": 5, + "Uncalled": 1 + }, + "PackageTypeCount": { + "Called": 4, "Uncalled": 1 }, "VulnCount": { @@ -1816,6 +1840,10 @@ "Project": 0, "Uncalled": 0 }, + "PackageTypeCount": { + "Called": 0, + "Uncalled": 0 + }, "VulnCount": { "CallAnalysisCount": { "Called": 0, @@ -1848,6 +1876,10 @@ "Project": 0, "Uncalled": 0 }, + "PackageTypeCount": { + "Called": 0, + "Uncalled": 0 + }, "VulnCount": { "CallAnalysisCount": { "Called": 0, @@ -1913,6 +1945,10 @@ "Project": 0, "Uncalled": 0 }, + "PackageTypeCount": { + "Called": 0, + "Uncalled": 0 + }, "VulnCount": { "CallAnalysisCount": { "Called": 0, @@ -2009,6 +2045,10 @@ "Project": 0, "Uncalled": 0 }, + "PackageTypeCount": { + "Called": 0, + "Uncalled": 0 + }, "VulnCount": { "CallAnalysisCount": { "Called": 0, @@ -2129,6 +2169,10 @@ "Project": 1, "Uncalled": 1 }, + "PackageTypeCount": { + "Called": 1, + "Uncalled": 1 + }, "VulnCount": { "CallAnalysisCount": { "Called": 1, @@ -2237,6 +2281,10 @@ "Project": 1, "Uncalled": 0 }, + "PackageTypeCount": { + "Called": 1, + "Uncalled": 0 + }, "VulnCount": { "CallAnalysisCount": { "Called": 1, @@ -2345,6 +2393,10 @@ "Project": 0, "Uncalled": 1 }, + "PackageTypeCount": { + "Called": 0, + "Uncalled": 1 + }, "VulnCount": { "CallAnalysisCount": { "Called": 0, @@ -2453,6 +2505,10 @@ "Project": 1, "Uncalled": 0 }, + "PackageTypeCount": { + "Called": 1, + "Uncalled": 0 + }, "VulnCount": { "CallAnalysisCount": { "Called": 1, @@ -2561,6 +2617,10 @@ "Project": 1, "Uncalled": 0 }, + "PackageTypeCount": { + "Called": 1, + "Uncalled": 0 + }, "VulnCount": { "CallAnalysisCount": { "Called": 1, 
@@ -2673,6 +2733,10 @@ "Project": 0, "Uncalled": 1 }, + "PackageTypeCount": { + "Called": 0, + "Uncalled": 1 + }, "VulnCount": { "CallAnalysisCount": { "Called": 0, @@ -2785,6 +2849,10 @@ "Project": 1, "Uncalled": 0 }, + "PackageTypeCount": { + "Called": 1, + "Uncalled": 0 + }, "VulnCount": { "CallAnalysisCount": { "Called": 1, @@ -2935,6 +3003,10 @@ "Project": 2, "Uncalled": 0 }, + "PackageTypeCount": { + "Called": 2, + "Uncalled": 0 + }, "VulnCount": { "CallAnalysisCount": { "Called": 2, @@ -3100,6 +3172,10 @@ "Project": 1, "Uncalled": 0 }, + "PackageTypeCount": { + "Called": 1, + "Uncalled": 0 + }, "VulnCount": { "CallAnalysisCount": { "Called": 1, @@ -3277,6 +3353,10 @@ "Project": 2, "Uncalled": 0 }, + "PackageTypeCount": { + "Called": 2, + "Uncalled": 0 + }, "VulnCount": { "CallAnalysisCount": { "Called": 2, diff --git a/internal/output/output_result.go b/internal/output/output_result.go index 6e50da19f0a..e56b8d6870f 100644 --- a/internal/output/output_result.go +++ b/internal/output/output_result.go @@ -20,6 +20,7 @@ type Result struct { IsContainerScanning bool AllLayers []LayerInfo VulnTypeCount VulnTypeCount + PackageTypeCount CallAnalysisCount VulnCount VulnCount } @@ -190,10 +191,12 @@ func buildResult(ecosystemMap map[string][]SourceResult, resultCount VulnCount) isContainerScanning = true } vulnTypeCount := getVulnTypeCount(ecosystemResults) + packageTypeCount := getPackageTypeCount(ecosystemResults) return Result{ Ecosystems: ecosystemResults, VulnTypeCount: vulnTypeCount, + PackageTypeCount: packageTypeCount, VulnCount: resultCount, IsContainerScanning: isContainerScanning, AllLayers: layers, 
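Review bot: The new `PackageTypeCount` field on `Result` has no comment, and because it reuses the `CallAnalysisCount` type its `Called`/`Uncalled` members read as vulnerability counts, the same shape as the neighbouring `VulnCount.CallAnalysisCount` (often with identical numbers in the snapshots above). Since `Result` is what the JSON output serializes, that is easy to misread downstream. Suggest above the field: `// PackageTypeCount counts affected packages (not vulnerabilities) split by whether their vulnerabilities are called or uncalled, summed over every source; see VulnTypeCount and VulnCount for the vulnerability totals.` The `Result` struct starts before the first hunk and `buildResult` is cut at both ends of the second, so I cannot see whether a comment exists elsewhere.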
@@ -512,11 +515,11 @@ func getVulnTypeCount(result []EcosystemResult) VulnTypeCount { for _, ecosystem := range result { for _, source := range ecosystem.Sources { if ecosystem.IsOS { - vulnCount.OS += source.PackageTypeCount.Called + vulnCount.OS += source.VulnCount.CallAnalysisCount.Called } else { - vulnCount.Project += source.PackageTypeCount.Called + vulnCount.Project += source.VulnCount.CallAnalysisCount.Called } - vulnCount.Uncalled += source.PackageTypeCount.Uncalled + vulnCount.Uncalled += source.VulnCount.CallAnalysisCount.Uncalled } } @@ -525,6 +528,19 @@ func getVulnTypeCount(result []EcosystemResult) VulnTypeCount { return vulnCount } +func getPackageTypeCount(result []EcosystemResult) CallAnalysisCount { + var packageCount CallAnalysisCount + + for _, ecosystem := range result { + for _, source := range ecosystem.Sources { + packageCount.Called += source.PackageTypeCount.Called + packageCount.Uncalled += source.PackageTypeCount.Uncalled + } + } + + return packageCount +} + // calculateCount calculates the vulnerability counts based on the provided // lists of called and uncalled vulnerabilities. func calculateCount(calledVulnList, uncalledVulnList []VulnResult) VulnCount { diff --git a/internal/output/table.go b/internal/output/table.go index 39734e960a6..4f3e4db14b5 100644 --- a/internal/output/table.go +++ b/internal/output/table.go 
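Review bot: `getPackageTypeCount` lacks a doc comment although its neighbour `calculateCount` has one, and the missing detail matters here because the sum is per source, so a package that appears under more than one source is counted once per source before it becomes the "Total N packages affected" figure. Suggest `// getPackageTypeCount sums the per-source called/uncalled package counts across all ecosystems; a package listed under several sources is counted once per source.` The first hunk's switch from `PackageTypeCount` to `VulnCount.CallAnalysisCount` is the fix the commit is making and is consistent with the snapshot changes (All 4 → 6); `getVulnTypeCount` itself starts before the hunk.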
@@ -28,11 +28,17 @@ func PrintTableResults(vulnResult *models.VulnerabilityResults, outputWriter io. text.DisableColors() } + outputResult := BuildResults(vulnResult) + // Render the vulnerabilities. - outputTable := newTable(outputWriter, terminalWidth) - outputTable = tableBuilder(outputTable, vulnResult) - if outputTable.Length() != 0 { - outputTable.Render() + if outputResult.IsContainerScanning { + printContainerScanningResult(outputResult, outputWriter, terminalWidth) + } else { + outputTable := newTable(outputWriter, terminalWidth) + outputTable = tableBuilder(outputTable, vulnResult) + if outputTable.Length() != 0 { + outputTable.Render() + } } // Render the licenses if any. 
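Review bot: The container branch drops the `outputTable.Length() != 0` guard the legacy path keeps, so if `IsContainerScanning` can be true for an image with no findings the user now gets a "Total 0 packages affected by 0 vulnerabilities ..." summary plus the HTML/vertical prompt where the old code printed nothing; whether that is reachable depends on the condition that sets `isContainerScanning` in `buildResult`, which is outside the visible hunks. A narrower condition such as `if outputResult.IsContainerScanning && len(outputResult.Ecosystems) > 0 {` would keep the quiet behaviour and fall back to the (empty) table otherwise. Separately, `BuildResults(vulnResult)` now runs on every table render but on the non-container path only its one boolean is read, so the whole grouping/counting pass is thrown away; if that is deliberate a one-line comment saying so would help. `PrintTableResults` starts before and ends after this hunk.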
@@ -84,6 +90,60 @@ func tableBuilder(outputTable table.Writer, vulnResult *models.VulnerabilityResu return outputTable } +func printContainerScanningResult(result Result, outputWriter io.Writer, terminalWidth int) { + summary := fmt.Sprintf( + "Total %[1]d packages affected by %[2]d vulnerabilities (%[3]d Critical, %[4]d High, %[5]d Medium, %[6]d Low, %[7]d Unknown) from %[8]d ecosystems.\n"+ + "%[9]d vulnerabilities have fixes available.", + result.PackageTypeCount.Called, + result.VulnTypeCount.All, + result.VulnCount.SeverityCount.Critical, + result.VulnCount.SeverityCount.High, + result.VulnCount.SeverityCount.Medium, + result.VulnCount.SeverityCount.Low, + result.VulnCount.SeverityCount.Unknown, + len(result.Ecosystems), + result.VulnCount.FixableCount.Fixed, + ) + fmt.Fprintln(outputWriter, summary) + // Add a newline + fmt.Fprintln(outputWriter) + + for _, ecosystem := range result.Ecosystems { + fmt.Fprintln(outputWriter, ecosystem.Name) + + for _, source := range ecosystem.Sources { + outputTable := newTable(outputWriter, terminalWidth) + outputTable.SetTitle("Source:" + source.Name) + outputTable.AppendHeader(table.Row{"Package", "Installed Version", "Fix available", "Vuln count"}) + for _, pkg := range source.Packages { + outputRow := table.Row{} + totalCount := pkg.VulnCount.CallAnalysisCount.Called + var fixAvailable string + if pkg.FixedVersion == UnfixedDescription { + fixAvailable = UnfixedDescription + } else { + if pkg.VulnCount.FixableCount.UnFixed > 0 { + fixAvailable = "Partial fixes Available" + } else { + fixAvailable = "Fix Available" + } + } + outputRow = append(outputRow, pkg.Name, pkg.InstalledVersion, fixAvailable, totalCount) + outputTable.AppendRow(outputRow) + } + outputTable.Render() + } + } + // Add a newline + fmt.Fprintln(outputWriter) + + const promptMessage = "For the most comprehensive scan results, we recommend using the HTML output: " + + "`osv-scanner --format html --output results.html`.\n" + + "You can also view the full 
vulnerability list in your terminal with: " + + "`osv-scanner --format vertical`." + fmt.Fprintln(outputWriter, promptMessage) +} + type tbInnerResponse struct { row table.Row shouldMerge bool
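Review bot: Uncalled vulnerabilities disappear from this view: the summary's package figure is `result.PackageTypeCount.Called`, `VulnTypeCount.All` excludes `Uncalled` (the snapshots show All 5 / Project 5 / Uncalled 1), and each row prints only `pkg.VulnCount.CallAnalysisCount.Called`, so a reader has no hint that call analysis filtered findings out. For a security report that deserves one line after the summary, e.g. `if result.VulnTypeCount.Uncalled > 0 { fmt.Fprintf(outputWriter, "%d vulnerabilities in uncalled code are not shown.\n", result.VulnTypeCount.Uncalled) }`. Two style points: `outputRow := table.Row{}` followed by `append` can simply be `table.Row{pkg.Name, pkg.InstalledVersion, fixAvailable, totalCount}`, and the `else { if pkg.VulnCount.FixableCount.UnFixed > 0 {` nesting is an `else if`. The function also needs a doc comment, e.g. `// printContainerScanningResult writes the severity summary and one package table per (ecosystem, source) for container image scans, followed by a pointer to the fuller html/vertical formats.`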