Support template format
It would be helpful to support the template format. I would particularly like to be able to see the vulnerability location and CVE in the output. Locally I can achieve this with the following template:
```
"Package","Version Installed","Vulnerability ID","Severity","Locations"
{{- range .Matches}}
"{{.Artifact.Name}}","{{.Artifact.Version}}","{{.Vulnerability.ID}}","{{.Vulnerability.Severity}}","{{ (index .Artifact.Locations 0).RealPath }}"
{{- end}}
```
With `grype -o template -t ./csv.tmpl [IMAGE NAME]`, this gives me output like:
```
"Package","Version Installed","Vulnerability ID","Severity","Locations"
"apt","2.6.1","CVE-2011-3374","Negligible","/usr/share/doc/apt/copyright"
"binutils","2.40-2","CVE-2023-1972","Negligible","/usr/share/doc/binutils/copyright"
```
I'd be willing to create a PR if you are interested.
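To show what the template above does when executed, here is an added Go example (not grype's own code) that renders it with Go's text/template against a constructed document using minimal stand-in types for the fields the template touches. It also renders a guarded variant of the same row, because `index` on a match whose Locations slice is empty aborts the whole render with an error rather than emitting a blank cell.

```go
package main

import (
	"bytes"
	"text/template"
)

// Constructed stand-ins for the fields the issue's template references; grype's real document has many more.
type Location struct{ RealPath string }
type Artifact struct {
	Name, Version string
	Locations     []Location
}
type Vulnerability struct{ ID, Severity string }
type Match struct {
	Artifact      Artifact
	Vulnerability Vulnerability
}
type Document struct{ Matches []Match }

// CSVTemplate is the template from the issue, unchanged.
const CSVTemplate = `"Package","Version Installed","Vulnerability ID","Severity","Locations"
{{- range .Matches}}
"{{.Artifact.Name}}","{{.Artifact.Version}}","{{.Vulnerability.ID}}","{{.Vulnerability.Severity}}","{{ (index .Artifact.Locations 0).RealPath }}"
{{- end}}
`

// GuardedTemplate indexes Locations only when non-empty: `index` on an empty slice aborts the whole render.
const GuardedTemplate = `"Package","Version Installed","Vulnerability ID","Severity","Locations"
{{- range .Matches}}
"{{.Artifact.Name}}","{{.Artifact.Version}}","{{.Vulnerability.ID}}","{{.Vulnerability.Severity}}","{{ if .Artifact.Locations }}{{ (index .Artifact.Locations 0).RealPath }}{{ end }}"
{{- end}}
`

// Render executes a template against a document, as `grype -o template -t FILE` does, returning what was rendered plus any error.
func Render(tmpl string, doc Document) (string, error) {
	t, err := template.New("out").Parse(tmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	err = t.Execute(&buf, doc)
	return buf.String(), err
}

// SampleDoc is constructed input: the apt match from the issue plus a match with no locations (placeholder package and CVE).
func SampleDoc() Document {
	return Document{Matches: []Match{
		{Artifact{"apt", "2.6.1", []Location{{"/usr/share/doc/apt/copyright"}}}, Vulnerability{"CVE-2011-3374", "Negligible"}},
		{Artifact{"libfoo", "1.0", nil}, Vulnerability{"CVE-0000-0000", "Low"}},
	}}
}
```

With the unguarded template the header and the apt row are written before the second match fails; the guarded template renders both rows, with an empty Locations cell for the second.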
Hi @acouch, I'm curious what would be most convenient for you: maintaining a separate template file in repo or adding the template contents directly to the scan-action configuration in the workflow? Also, how are you consuming the output: reading a file manually or feeding it into another script for more processing? And... would it be useful to get multiple formats -- for example: as SARIF to a file and the aforementioned template output to a separate file?
> Hi @acouch, I'm curious what would be most convenient for you: maintaining a separate template file in repo

I would likely create a templates folder in our ./github folder and store the template there.

> Also, how are you consuming the output: reading a file manually or feeding it into another script for more processing?

This would be for reading the vulnerability in GitHub Actions. So maybe I would update the template to use | instead of commas. This is just the most convenient way for us to see the CVE, package, and location of the vulnerability.

> And... would it be useful to get multiple formats -- for example: as SARIF to a file and the aforementioned template output to a separate file?

I don't believe so for our use case. We just want to visually see what the vulnerability is so we can make the correct updates.
Thanks.
I've been trying to consolidate a few different asks related to specifying tool output in our actions.... I think this change would be isolated enough to just:

- add the `template` output format
- add a `template` property that allowed either a template directly specified (maybe just check for `{{` or similar) or a filename

.. is that more-or-less what you were thinking?
Yep! Just to be clear, supporting the template format and being able to link to a file is what we would like to do; being able to do the second item would be nice as well. Thanks.