
Include file location of each vulnerability #621

Open
freedom-isnotanarchy opened this issue Feb 4, 2022 · 5 comments
Labels
enhancement New feature or request

Comments

@freedom-isnotanarchy

freedom-isnotanarchy commented Feb 4, 2022

What would you like to be added:
The name of the file that grype ingested is stored in a variable JSON location. See output from grype -o json

Why is this needed:
The grype CLI takes one and only one file argument ...

accepts at most 1 arg(s), received 2

Comparing the data model output for SAMPLE.docker.save and SAMPLE.war shows different places:

"##_w1" : "grype -o json SAMPLE.war",
"##_w2" : "-o template -t f.tmpl ",
"##_w3" : "{{.Source.Type}} --> {{.Source.Target}}" ,
"source": {
    "type": "file",
    "target": "SAMPLE.war" <---
},

as contrasted with this location ...

"##_d1" : "grype -o json SAMPLE.docker.save",
"##_d2" : "-o template -t f.tmpl",
"##_d3" : "{{.Source.Type}} --> {{.Source.Target.UserInput}}",
"source": {
    "type": "image",
    "target": {
        "userInput": "SAMPLE.docker.save",  <---
        "imageID": "sha256:0c7f",
        "manifestDigest": "sha256:47d",
        "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
        "tags": [
            "cowboyz/solar-sun:v0.5.0"
        ],
        "imageSize": 3361,
        "layers": [
            {  "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
                "digest": "sha256:8843",
                "size": 1169
            },
            {  "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
                "digest": "sha256:8815",
                "size": 0
            },
            {  "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
                "digest": "sha256:f2d60",
                "size": 3069
            }
        ],
        "manifest": "eyJX0=",
        "config": "eyJhcmdfX0=",
        "repoDigests": []
    }
}

Additional context:
(1) It would be helpful to be able to use a constant location, in the golang template file. Perhaps something like this:
"{{.Source.FileGivenToGrype}}"
(2) In lieu of (1) above ... can we include the Sprig OS template?
That way, Environment variables can be passed down by some wrapper shell script, and rendered upon execution of grype.
Maybe like this (I'm not sure what syntax will actually work):

"{{ import "os" }}"
"{{ os.Getenv("FILE_GIVEN_TO_GRYPE")    }}"
"{{ os.LookupEnv("FILE_GIVEN_TO_GRYPE") }}"

"{{ print .FILE_GIVEN_TO_GRYPE }}"
"{{ print %FILE_GIVEN_TO_GRYPE%  }}"
"{{ print $FILE_GIVEN_TO_GRYPE }}"

//SPRIG: https://masterminds.github.io/sprig/os.html
import ( "os" )   // function "import" not defined
{{ env      "FILE_GIVEN_TO_GRYPE" }}  // function "env" not defined
{{ expandenv "The file passed to Grype is named $FILE_GIVEN_TO_GRYPE" }} //  function "expandenv" not defined
@freedom-isnotanarchy freedom-isnotanarchy added the enhancement New feature or request label Feb 4, 2022
@freedom-isnotanarchy freedom-isnotanarchy changed the title Data Model: Should the File being scanned be stored in a consistent way ? Data Model: Should the File being scanned (war, docker, etc.) be stored in a consistent location ? Feb 4, 2022
@freedom-isnotanarchy
Author

Use Case: Helping a user of Grype, needing to scan N files, and compare the results in a holistic fashion.
What would help: Allow/Assist, in some way, to print out the Name of the File being scanned, in templated output
Example: The leftmost field, the Primary Key, is the file being scanned ...

| File                 | Package               | Severity   | Is Fixed  | Vulnerability       | Version                 | Version Fixed        | Package URL                                                     |
| -------------------- | --------------------- | ---------- | --------- | ------------------- | ----------------------- | -------------------- | --------------------------------------------------------------- |
| app10.war            | log4j                 | High       | not-fixed | GHSA-fp5r-v3w9-4333 | '1.2.16                 | []                   | pkg:maven/log4j/log4j@1.2.16                                    |
| app6.war             | hibernate-validator   | High       | fixed     | GHSA-xxgp-pcfc-3vgc | '5.2.2.Final            | [5.2.5]              | pkg:maven/org.hibernate/hibernate-validator@5.2.2.Final         |
| controller-l3.docker | curl                  | Medium     | fixed     | CVE-2021-22876      | '7.47.0-1ubuntu2.12     | [7.47.0-1ubuntu2.19] | pkg:deb/ubuntu/curl@7.47.0-1ubuntu2.12?arch=amd64               |
| customer-portal.ear  | jackson-databind      | Critical   | fixed     | GHSA-4gq5-ch57-c2mg | '2.5.0                  | [2.7.9.5]            | pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.5.0     |
| dmz-env.docker       | openssl               | Negligible | not-fixed | CVE-2021-3601       | '1.0.2g-1ubuntu4.14     | []                   | pkg:deb/ubuntu/openssl@1.0.2g-1ubuntu4.14?arch=amd64            |
| docker_quarkus.image | libpython3.5          | Medium     | not-fixed | CVE-2021-4189       | '3.5.2-2ubuntu0~16.04.5 | []                   | pkg:deb/ubuntu/libpython3.5@3.5.2-2ubuntu0~16.04.5?arch=amd64   |
| norcal.docker        | log4j                 | Critical   | not-fixed | GHSA-2qrg-x229-3v8q | '1.2.16                 | []                   | pkg:maven/log4j/log4j@1.2.16                                    |
| proof-concept.war    | geronimo-jta_1.1_spec | High       | unknown   | CVE-2011-5034       | '1.1.1                  | []                   | pkg:maven/org.apache.geronimo.specs/geronimo-jta_1.1_spec@1.1.1 |
| qa_image.docker      | libsystemd0           | High       | fixed     | CVE-2018-16864      | '229-4ubuntu21.4        | [229-4ubuntu21.15]   | pkg:deb/ubuntu/libsystemd0@229-4ubuntu21.4?arch=amd64           |
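
Added example, not code from the grype project or from the issue's author: a small Go program that normalises the two `source.target` shapes shown in the first post (a string for file sources, an object with `userInput` for image sources) into the single scanned-file name the second post wants as the table's primary key, and renders it through Go's text/template under the hypothetical `FileGivenToGrype` name proposed above. The two JSON documents are constructed, trimmed copies of the shapes shown in the issue; a target of any other shape is reported as an error instead of silently becoming an empty file column.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"text/template"
)

// Constructed grype reports in the two shapes shown in the issue (file vs image source).
const fileDoc = `{"source":{"type":"file","target":"SAMPLE.war"}}`
const imageDoc = `{"source":{"type":"image","target":{"userInput":"SAMPLE.docker.save","imageID":"sha256:0c7f"}}}`

// ScanTarget returns the argument given to grype whether source.target is a
// plain string or an image object; any other shape is an error rather than "".
func ScanTarget(doc []byte) (string, error) {
	var d struct {
		Source struct {
			Type   string `json:"type"`
			Target any    `json:"target"` // string for file sources, object for images
		} `json:"source"`
	}
	if err := json.Unmarshal(doc, &d); err != nil {
		return "", err
	}
	switch v := d.Source.Target.(type) {
	case string:
		return v, nil
	case map[string]any:
		if s, ok := v["userInput"].(string); ok && s != "" {
			return s, nil
		}
	}
	return "", fmt.Errorf("unrecognised source.target for source type %q", d.Source.Type)
}

// Render exposes the normalised name as the hypothetical FileGivenToGrype field the issue asks for.
func Render(doc []byte, tmpl string) (string, error) {
	file, err := ScanTarget(doc)
	if err != nil {
		return "", err
	}
	t, err := template.New("row").Parse(tmpl)
	if err != nil {
		return "", err
	}
	var out strings.Builder
	err = t.Execute(&out, map[string]string{"FileGivenToGrype": file})
	return out.String(), err
}
```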

@spiffcs spiffcs added this to OSS Jun 1, 2022
@spiffcs
Contributor

spiffcs commented Sep 1, 2022

@freedom-isnotanarchy is this still an issue or an architecture concern you want to bring up? I think we need a bit more clarity on Location and what you mean by consistent location. From the example you provide it looks like they are all relative file paths to the command execution. Could you clarify a bit more? Thanks again!

Edit: Re-read the comment and I understand now that the source path in the data model is different here:
.Source.Target vs .Source.Target.UserInput

We definitely agree that the target should probably be upgraded to always be an object.

@spiffcs
Contributor

spiffcs commented Sep 1, 2022

Note: possible solution here is to parse the command line positional args and include them in the config object so that we have a consistent location that the template can refer to for these names/args.

@spiffcs spiffcs moved this to Parking Lot (Comments or Progress) in OSS Sep 1, 2022
@wagoodman wagoodman removed the status in OSS Feb 7, 2024
@kzantow kzantow changed the title Data Model: Should the File being scanned (war, docker, etc.) be stored in a consistent location ? Include file location of each vulnerability Nov 13, 2024
@kzantow
Contributor

kzantow commented Nov 13, 2024

Re-reading this, I believe the ask is to include a view that has the location included for each vulnerability. For example, if I scan /var and /var/bash is vulnerable, I should see /var/bash associated with the vulnerabilities it surfaced in the Grype report.

This has been requested multiple times over the years, and we should probably implement a flag or other option specifically for including the file where vulnerabilities were found.

There is an existing PR, which has a directly related change that may be coerced into a solution: #1275

@kzantow kzantow moved this to Backlog in OSS Nov 13, 2024
@wagoodman
Contributor

One point that came up on a community call would be to have a pivot table concept as an output. So if you wanted to orient the table by CVE, or vuln ID, or location, or package name, you could. The ergonomics on this on the CLI/config have not really been thought through though, but for a rough example:

syft myimage:latest -o 'table[by-location]'

(I'm not a fan of this example but gets the point across)
