
Enabling the JSON report should not disable the CLI report

Open vdespa opened this issue 3 years ago • 5 comments

Currently, if you wish to generate the JSON report, the CLI report will be disabled, and there is no way to re-enable it without disabling the JSON report.

The CLI report can be useful for debugging any issues with the JSON report not being properly ingested by the CI/CD server.

It would be great to have the possibility to specify which report you wish to have enabled.

vdespa avatar Jan 08 '23 12:01 vdespa

This is actually (incorrectly) documented in the README section "Output formats".

The currently released tool only supports --json; it would not be an issue if the actual --format json were implemented, which redirects the CLI report to stderr.

Sebazzz avatar Feb 03 '23 09:02 Sebazzz

@G-Rath @another-rex fyi

oliverchang avatar Feb 03 '23 13:02 oliverchang

I see four possible ways to handle this:

  1. As @Sebazzz suggests, we make the new currently-unreleased --format option do this by default
    • I don't think this is a good idea because the idea is that we'll have multiple formats but you won't be able to choose any (since you've already passed --format json), and this adds content to stderr which can't easily be filtered (this is important for automated tools like what we've got at Ackama, who would be ingesting the json and that output stderr if there's an error)
  2. We take a slice for --format, i.e. osv-scanner --format json --format table
    • means you wouldn't be able to "remove" formats, which I personally think is useful for automatic tools (i.e. knowing you can stick --format json on the end of an arbitrary command to ensure the format will be json regardless of what's in a config etc)
  3. We take a CSV for --format i.e. osv-scanner --format 'json,table'
    • allows you to do `osv-scanner #{user_args} --format json` to force the output, from a tooling POV
  4. We undeprecate --json, and have it trigger this behaviour i.e. osv-detector --json --format table
    • this could be nicer because I think we only expect people to want JSON and one cli report format i.e. we don't expect `osv-detector --format 'json,table,text'`
    • I also don't think other data formats will be added, except mayyybbbe XML? because JSON is pretty well supported by most languages these days from what I understand

My preference is for either 3 or 4.

G-Rath avatar Feb 03 '23 17:02 G-Rath
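
The difference between options 2 and 3 above, as an added example that is not code from this thread or from the osv-scanner project: it uses Go's standard `flag` package to compare a repeatable `--format` (each occurrence appends) with a CSV `--format` (each occurrence replaces the list) when a tool appends `--format json` to user-supplied arguments. The names `sliceFlag`, `csvFlag` and `parseFormats` are hypothetical, and the argument lists are constructed.

```go
package main

import (
	"flag"
	"fmt"
	"io"
	"strings"
)

// sliceFlag models option 2: every --format occurrence appends a format.
type sliceFlag []string

func (s *sliceFlag) String() string     { return strings.Join(*s, ",") }
func (s *sliceFlag) Set(v string) error { *s = append(*s, v); return nil }

// csvFlag models option 3: each occurrence replaces the list, so the last wins.
type csvFlag []string

func (c *csvFlag) String() string     { return strings.Join(*c, ",") }
func (c *csvFlag) Set(v string) error { *c = strings.Split(v, ","); return nil }

// parseFormats (hypothetical helper) returns the formats left enabled after parsing.
func parseFormats(style string, args []string) ([]string, error) {
	fs := flag.NewFlagSet("scanner", flag.ContinueOnError)
	fs.SetOutput(io.Discard) // keep usage text out of the example's output
	var s sliceFlag
	var c csvFlag
	if style == "slice" {
		fs.Var(&s, "format", "output format (repeatable)")
	} else {
		fs.Var(&c, "format", "comma-separated output formats")
	}
	if err := fs.Parse(args); err != nil {
		return nil, err
	}
	if style == "slice" {
		return s, nil
	}
	return c, nil
}

func main() {
	user := []string{"--format", "table"}       // constructed user arguments
	forced := append(user, "--format", "json") // a tool appends its own flag
	for _, style := range []string{"slice", "csv"} {
		got, _ := parseFormats(style, forced)
		fmt.Printf("%-5s -> %v\n", style, got)
	}
}
```

With the repeatable flag the table format stays enabled next to JSON; with the CSV flag the appended `--format json` is the only format left.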

This issue has not had any activity for 60 days and will be automatically closed in two weeks

github-actions[bot] avatar Jul 25 '24 18:07 github-actions[bot]