feat: include file location in table output (#1199)

Signed-off-by: James Neate <[email protected]>
anchore · May 28, 2023 · 558a210 · 558a210
1 parent 77eb4bb
commit 558a210
Show file tree

Hide file tree

Showing 14 changed files with 462 additions and 41 deletions.
diff --git a/grype/presenter/cyclonedx/test-fixtures/snapshot/TestCycloneDxPresenterDir.golden b/grype/presenter/cyclonedx/test-fixtures/snapshot/TestCycloneDxPresenterDir.golden
@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.4",
-  "serialNumber": "urn:uuid:f701dea7-2715-48eb-8d63-878377007e65",
+  "serialNumber": "urn:uuid:716ad06c-2cad-4ffd-a507-08862a89959a",
   "version": 1,
   "metadata": {
-    "timestamp": "2023-05-04T09:41:30-04:00",
+    "timestamp": "2023-05-06T03:07:35+01:00",
     "tools": [
       {
         "vendor": "anchore",
@@ -48,11 +48,28 @@
           "value": "/foo/bar/somefile-2.txt"
         }
       ]
+    },
+    {
+      "bom-ref": "a8d804be757ae96",
+      "type": "library",
+      "name": "package-3",
+      "version": "3.3.3",
+      "cpe": "cpe:2.3:a:anchore:engine:3.3.3:*:*:python:*:*:*:*",
+      "properties": [
+        {
+          "name": "syft:package:type",
+          "value": "npm"
+        },
+        {
+          "name": "syft:location:0:path",
+          "value": "/foo/bar/somefile-3.txt"
+        }
+      ]
     }
   ],
   "vulnerabilities": [
     {
-      "bom-ref": "urn:uuid:befb74e5-738d-4b2c-adf2-03d276553bca",
+      "bom-ref": "urn:uuid:61854d6b-1741-4369-b975-b2cad5f9115a",
       "id": "CVE-1999-0001",
       "source": {},
       "references": [
@@ -78,7 +95,7 @@
       ]
     },
     {
-      "bom-ref": "urn:uuid:9cf43de2-c92a-4f29-add6-29bdd71a0285",
+      "bom-ref": "urn:uuid:0289344e-4b40-4418-b399-9a709d13819f",
       "id": "CVE-1999-0002",
       "source": {},
       "references": [
@@ -102,6 +119,32 @@
           "ref": "b4013a965511376c"
         }
       ]
+    },
+    {
+      "bom-ref": "urn:uuid:31c2575e-43eb-43e6-bcfa-fc70c36b61e6",
+      "id": "CVE-1999-0003",
+      "source": {},
+      "references": [
+        {
+          "id": "CVE-1999-0003",
+          "source": {}
+        }
+      ],
+      "ratings": [
+        {
+          "score": 1,
+          "severity": "high",
+          "method": "CVSSv3",
+          "vector": "vector"
+        }
+      ],
+      "description": "1999-03 description",
+      "advisories": [],
+      "affects": [
+        {
+          "ref": "f45d1ab14d63730d"
+        }
+      ]
     }
   ]
 }
diff --git a/grype/presenter/cyclonedx/test-fixtures/snapshot/TestCycloneDxPresenterImage.golden b/grype/presenter/cyclonedx/test-fixtures/snapshot/TestCycloneDxPresenterImage.golden
@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.4",
-  "serialNumber": "urn:uuid:102e3928-5e9e-4352-bdfe-b9eb64b837f8",
+  "serialNumber": "urn:uuid:17d74ef5-13ca-4c95-a8da-cb30698d2098",
   "version": 1,
   "metadata": {
-    "timestamp": "2023-05-04T09:41:30-04:00",
+    "timestamp": "2023-05-06T03:07:35+01:00",
     "tools": [
       {
         "vendor": "anchore",
@@ -48,11 +48,28 @@
           "value": "/foo/bar/somefile-2.txt"
         }
       ]
+    },
+    {
+      "bom-ref": "a8d804be757ae96",
+      "type": "library",
+      "name": "package-3",
+      "version": "3.3.3",
+      "cpe": "cpe:2.3:a:anchore:engine:3.3.3:*:*:python:*:*:*:*",
+      "properties": [
+        {
+          "name": "syft:package:type",
+          "value": "npm"
+        },
+        {
+          "name": "syft:location:0:path",
+          "value": "/foo/bar/somefile-3.txt"
+        }
+      ]
     }
   ],
   "vulnerabilities": [
     {
-      "bom-ref": "urn:uuid:e082487a-f943-4d4a-8f7c-020d4b0838c4",
+      "bom-ref": "urn:uuid:04040d97-022e-4ffa-bb3d-225a22641a46",
       "id": "CVE-1999-0001",
       "source": {},
       "references": [
@@ -78,7 +95,7 @@
       ]
     },
     {
-      "bom-ref": "urn:uuid:3d8b0870-5c57-4063-b30d-56102dd49ec1",
+      "bom-ref": "urn:uuid:778faaaf-dfca-4cb6-adc1-4da361a2f95d",
       "id": "CVE-1999-0002",
       "source": {},
       "references": [
@@ -102,6 +119,32 @@
           "ref": "b4013a965511376c"
         }
       ]
+    },
+    {
+      "bom-ref": "urn:uuid:fa1f0294-6d50-4f81-96ff-9d172332a31a",
+      "id": "CVE-1999-0003",
+      "source": {},
+      "references": [
+        {
+          "id": "CVE-1999-0003",
+          "source": {}
+        }
+      ],
+      "ratings": [
+        {
+          "score": 1,
+          "severity": "high",
+          "method": "CVSSv3",
+          "vector": "vector"
+        }
+      ],
+      "description": "1999-03 description",
+      "advisories": [],
+      "affects": [
+        {
+          "ref": "f45d1ab14d63730d"
+        }
+      ]
     }
   ]
 }
diff --git a/grype/presenter/json/test-fixtures/snapshot/TestJsonDirsPresenter.golden b/grype/presenter/json/test-fixtures/snapshot/TestJsonDirsPresenter.golden
@@ -132,6 +132,69 @@
     "purl": "",
     "upstreams": []
    }
+  },
+  {
+   "vulnerability": {
+    "id": "CVE-1999-0003",
+    "dataSource": "",
+    "severity": "High",
+    "urls": [],
+    "description": "1999-03 description",
+    "cvss": [
+     {
+      "version": "3.0",
+      "vector": "vector",
+      "metrics": {
+       "baseScore": 1,
+       "exploitabilityScore": 2,
+       "impactScore": 3
+      },
+      "vendorMetadata": {
+       "BaseSeverity": "Low",
+       "Status": "verified"
+      }
+     }
+    ],
+    "fix": {
+     "versions": [],
+     "state": ""
+    },
+    "advisories": []
+   },
+   "relatedVulnerabilities": [],
+   "matchDetails": [
+    {
+     "type": "exact-indirect-match",
+     "matcher": "javascript-matcher",
+     "searchedBy": {
+      "cpe": "somecpe"
+     },
+     "found": {
+      "constraint": "somecpe"
+     }
+    }
+   ],
+   "artifact": {
+    "id": "f45d1ab14d63730d",
+    "name": "package-3",
+    "version": "3.3.3",
+    "type": "npm",
+    "locations": [
+     {
+      "path": "/foo/bar/somefile-3.txt"
+     }
+    ],
+    "language": "",
+    "licenses": [
+     "MIT",
+     "Apache-2.0"
+    ],
+    "cpes": [
+     "cpe:2.3:a:anchore:engine:3.3.3:*:*:python:*:*:*:*"
+    ],
+    "purl": "",
+    "upstreams": []
+   }
   }
  ],
  "source": {

diff --git a/grype/presenter/json/test-fixtures/snapshot/TestJsonImgsPresenter.golden b/grype/presenter/json/test-fixtures/snapshot/TestJsonImgsPresenter.golden
@@ -132,6 +132,69 @@
     "purl": "",
     "upstreams": []
    }
+  },
+  {
+   "vulnerability": {
+    "id": "CVE-1999-0003",
+    "dataSource": "",
+    "severity": "High",
+    "urls": [],
+    "description": "1999-03 description",
+    "cvss": [
+     {
+      "version": "3.0",
+      "vector": "vector",
+      "metrics": {
+       "baseScore": 1,
+       "exploitabilityScore": 2,
+       "impactScore": 3
+      },
+      "vendorMetadata": {
+       "BaseSeverity": "Low",
+       "Status": "verified"
+      }
+     }
+    ],
+    "fix": {
+     "versions": [],
+     "state": ""
+    },
+    "advisories": []
+   },
+   "relatedVulnerabilities": [],
+   "matchDetails": [
+    {
+     "type": "exact-indirect-match",
+     "matcher": "javascript-matcher",
+     "searchedBy": {
+      "cpe": "somecpe"
+     },
+     "found": {
+      "constraint": "somecpe"
+     }
+    }
+   ],
+   "artifact": {
+    "id": "f45d1ab14d63730d",
+    "name": "package-3",
+    "version": "3.3.3",
+    "type": "npm",
+    "locations": [
+     {
+      "path": "/foo/bar/somefile-3.txt"
+     }
+    ],
+    "language": "",
+    "licenses": [
+     "MIT",
+     "Apache-2.0"
+    ],
+    "cpes": [
+     "cpe:2.3:a:anchore:engine:3.3.3:*:*:python:*:*:*:*"
+    ],
+    "purl": "",
+    "upstreams": []
+   }
   }
  ],
  "source": {

diff --git a/grype/presenter/models/document_test.go b/grype/presenter/models/document_test.go
@@ -30,14 +30,21 @@ func TestPackagesAreSorted(t *testing.T) {
 		Type:    syftPkg.DebPkg,
 	}
 
+	var pkg3 = pkg.Package{
+		ID:      "package-3-id",
+		Name:    "package-3",
+		Version: "3.3.3",
+		Type:    syftPkg.NpmPkg,
+	}
+
 	var match1 = match.Match{
 		Vulnerability: vulnerability.Vulnerability{
 			ID: "CVE-1999-0003",
 		},
-		Package: pkg1,
+		Package: pkg3,
 		Details: match.Details{
 			{
-				Type: match.ExactDirectMatch,
+				Type: match.ExactIndirectMatch,
 			},
 		},
 	}
@@ -46,7 +53,7 @@ func TestPackagesAreSorted(t *testing.T) {
 		Vulnerability: vulnerability.Vulnerability{
 			ID: "CVE-1999-0002",
 		},
-		Package: pkg1,
+		Package: pkg2,
 		Details: match.Details{
 			{
 				Type: match.ExactIndirectMatch,
@@ -69,7 +76,7 @@ func TestPackagesAreSorted(t *testing.T) {
 	matches := match.NewMatches()
 	matches.Add(match1, match2, match3)
 
-	packages := []pkg.Package{pkg1, pkg2}
+	packages := []pkg.Package{pkg1, pkg2, pkg3}
 
 	ctx := pkg.Context{
 		Source: &syftSource.Metadata{

diff --git a/grype/presenter/models/metadata_mock.go b/grype/presenter/models/metadata_mock.go
@@ -55,9 +55,24 @@ func NewMetadataMock() *MetadataMock {
 				},
 			},
 			"CVE-1999-0003": {
-				"source-1": {
+				"source-3": {
 					Description: "1999-03 description",
 					Severity:    "High",
+					Cvss: []vulnerability.Cvss{
+						{
+							Metrics: vulnerability.NewCvssMetrics(
+								1,
+								2,
+								3,
+							),
+							Vector:  "vector",
+							Version: "3.0",
+							VendorMetadata: MockVendorMetadata{
+								BaseSeverity: "Low",
+								Status:       "verified",
+							},
+						},
+					},
 				},
 			},
 		},