Display warnings even when -v is not passed and no tty is present
#2180
Comments
|
Thanks for the report! These logs are being generated in Syft, here: https://github.com/anchore/syft/blob/8095f7b8c14d2b2abf08c9516c7617c08e9fc319/internal/task/executor.go#L103 I can see how these seem noisy. I'll see if there's some better experience we can implement. |
|
Hi @metametadata! I went looking for our suggestion to add CPEs if we try to match on a CPE and non are available, and it is at grype/grype/search/criteria.go Line 31 in c87f4a0 log.Warn, and warning show up without --verbose.
In general, if a message is something a user could do to make the scan better, we try to |
|
Without I've written about it in the similar Syft issue: anchore/syft#3081 (comment). Maybe the similar issue should be added in the Grype repo? |
|
Hi @metametadata thanks for the response and for connecting this with the Syft issue! I think warnings being lost when not TTY is available is not a great experience and we should treat it as a bug. Also, thanks for mentioning it happens when Grype is invoked via a Kotlin script - this clue really helped. For investigating, I made a simple python script that wraps Grype and repros the issue: import subprocess
import sys
args = ["grype"]
args.extend(sys.argv[1:])
process = subprocess.Popen(
args,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE,
text=True,
bufsize=1,
)
try:
for stdout_line in iter(process.stdout.readline, ""):
sys.stdout.write(f"out: {stdout_line}")
sys.stdout.flush()
for stderr_line in iter(process.stderr.readline, ""):
sys.stderr.write(f"err: {stderr_line}")
sys.stderr.flush()
finally:
process.stdout.close()
process.stderr.close()
process.wait()I'm guessing this is similar to the situation for Grype in your Kotlin script: stderr and stdout are captured within the parent process and printed indirectly, so grype can write bytes to either stderr or stdout, but no tty is present. Reproing the error: Grype will ❯ grype dir:.
... snip ...
[0000] WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal)
No vulnerabilities found
❯ python pygrype.py dir:.
out: No vulnerabilities found
❯ python pygrype.py dir:. --verbose
python pygrype.py dir:. --verbose
out: No vulnerabilities found
err: [0000] INFO grype version: 0.82.0
err: [0000] WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal)
err: [0000] INFO task completed elapsed=54.167µs task=environment-cataloger
... snip ...
... dozens of lines of log spam hiding the warning ...So in the second version, we can see that the warning is dropped. I can get it back with I think a reasonable requirement we should take here is: Grype (and Syft) should display I think what's happening is this:
These three statements make sense separately, but combine to make it so that I'll try to add some code links in a minute. |
|
The UI setup command is here: Line 39 in 5c2b262 I suspect the bug may be over in https://github.com/anchore/clio, which is a Terminal UI library shared by Syft and Grype. |
Agree. I then will be able to delete |
willmurphyscode
changed the title
INFO task completed elapsed=... verbose logs-v is not passed and no tty is present
v0.82.0
There are many seemingly useless logs on
--verbosewhich make the reports harder to read and can hide more important messages produced on--verbose(such as suggesting settingadd-cpes-if-none).Maybe they could be hidden behind some other CLI flag instead of
--verbose?The text was updated successfully, but these errors were encountered: