Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support template format #397

Open
acouch opened this issue Oct 25, 2024 · 4 comments
Open

Support template format #397

acouch opened this issue Oct 25, 2024 · 4 comments
Labels
good first issue Good for newcomers

Comments

@acouch
Copy link

acouch commented Oct 25, 2024

It would be helpful to support the template format. I would particularly like to be able to see the vulnerability location and CVE in the output. Locally I can achieve this with the following template:

"Package","Version Installed","Vulnerability ID","Severity","Locations"
{{- range .Matches}}
"{{.Artifact.Name}}","{{.Artifact.Version}}","{{.Vulnerability.ID}}","{{.Vulnerability.Severity}}","{{ (index .Artifact.Locations 0).RealPath }}"
{{- end}}

which, with grype -o template -t ./csv.tmpl [IMAGE NAME], I can get an output like:

"Package","Version Installed","Vulnerability ID","Severity","Locations"
"apt","2.6.1","CVE-2011-3374","Negligible","/usr/share/doc/apt/copyright"
"binutils","2.40-2","CVE-2023-1972","Negligible","/usr/share/doc/binutils/copyright"

I'd be willing to create a PR if you are interested.

@kzantow
Copy link
Contributor

kzantow commented Oct 29, 2024

Hi @acouch, I'm curious what would be most convenient for you: maintaining a separate template file in repo or adding the template contents directly to the scan-action configuration in the workflow? Also, how are you consuming the output: reading a file manually or feeding it in to another script for more processing? And... would it be useful to get multiple formats -- for example: as SARIF to a file and the aforementioned template output to a separate file?

@acouch
Copy link
Author

acouch commented Oct 29, 2024

Hi @acouch, I'm curious what would be most convenient for you: maintaining a separate template file in repo

I would likely create a templates folder in our ./github folder and store the template there.

Also, how are you consuming the output: reading a file manually or feeding it in to another script for more processing?

This would be for reading the vulnerability in Github Actions. So maybe would update the template to use | instead of commas. This is just the most convenient way for us to see both the CVE, package, and location of the vulnerability.

And... would it be useful to get multiple formats -- for example: as SARIF to a file and the aforementioned template output to a separate file?

I don't believe so for our use case. We just want to visually see what the vulnerability is so we can make the correct updates.

Thanks.

@kzantow
Copy link
Contributor

kzantow commented Oct 31, 2024

I've been trying to consolidate a few different asks related to specifying tool output in our actions.... I think this change would be isolated enough to just:

  • add the template output format
  • add a template property that allowed either a template directly specified (maybe just check for {{ or similar) or a filename

.. is that more-or-less what you were thinking?

@acouch
Copy link
Author

acouch commented Oct 31, 2024

Yep! Just to be clear supporting the template format and being able to link to a file is what we would like to do, being able to do the second item would be nice as well. Thanks.

@kzantow kzantow moved this to Ready in OSS Dec 23, 2024
@kzantow kzantow added the good first issue Good for newcomers label Dec 23, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
good first issue Good for newcomers
Projects
Status: Ready
Development

No branches or pull requests

2 participants