Add table option for output-format vulnerabilities in console (anchore#135)

ken-chou-glia · web-flow · commit d5aa5b6cb941 · 2022-09-19T11:43:12.000-04:00
diff --git a/README.md b/README.md
@@ -125,9 +125,9 @@ The inputs `image`, `path`, and `sbom` are mutually exclusive to specify the sou
 | `sbom`              | The SBOM to scan                                                                                                                                                                                                                                                 | N/A           |
 | `registry-username` | The registry username to use when authenticating to an external registry                                                                                                                                                                                         |               |
 | `registry-password` | The registry password to use when authenticating to an external registry                                                                                                                                                                                         |               |
-| `fail-build`        | Fail the build if a vulnerability is found with a higher severity. That severity defaults to `"medium"` and can be set with `severity-cutoff`.                                                                                                                   | `true`        |
-| `output-format`     | Set the output parameter after successful action execution. Valid choices are "json" and "sarif"                                                                                                                                                                 | `sarif`       |
-| `severity-cutoff`   | Optionally specify the minimum vulnerability severity to trigger a failure. Valid choices are "negligible", "low", "medium", "high" and "critical". Any vulnerability with a severity less than this value will lead to a "warning" result. Default is "medium". | `"medium"`    |
+| `fail-build`        | Fail the build if a vulnerability is found with a higher severity. That severity defaults to `medium` and can be set with `severity-cutoff`.                                                                                                                     | `true`        |
+| `output-format`     | Set the output parameter after successful action execution. Valid choices are `json`, `sarif`, and `table`, where `table` output will print to the console instead of generating a file.                                                                         | `sarif`       |
+| `severity-cutoff`   | Optionally specify the minimum vulnerability severity to trigger a failure. Valid choices are "negligible", "low", "medium", "high" and "critical". Any vulnerability with a severity less than this value will lead to a "warning" result. Default is "medium". | `medium`      |
 
 ### Action Outputs
 
diff --git a/action.yml b/action.yml
@@ -18,7 +18,7 @@ inputs:
     required: false
     default: "true"
   output-format:
-    description: 'Set the output parameter after successful action execution. Valid choices are "json" and "sarif".'
+    description: 'Set the output parameter after successful action execution. Valid choices are "json", "sarif", and "table".'
     required: false
     default: "sarif"
   severity-cutoff:
diff --git a/dist/index.js b/dist/index.js
@@ -139,7 +139,7 @@ async function runScan({ source, failBuild, severityCutoff, outputFormat }) {
   }
 
   const SEVERITY_LIST = ["negligible", "low", "medium", "high", "critical"];
-  const FORMAT_LIST = ["sarif", "json"];
+  const FORMAT_LIST = ["sarif", "json", "table"];
   let cmdArgs = [];
 
   if (core.isDebug()) {
@@ -227,34 +227,39 @@ async function runScan({ source, failBuild, severityCutoff, outputFormat }) {
     core.debug(cmdOutput);
   }
 
-  if (outputFormat === "sarif") {
-    const SARIF_FILE = "./results.sarif";
-    fs.writeFileSync(SARIF_FILE, cmdOutput);
-    out.sarif = SARIF_FILE;
-  } else {
-    const REPORT_FILE = "./results.json";
-    fs.writeFileSync(REPORT_FILE, cmdOutput);
-    out.report = REPORT_FILE;
-  }
-
-  if (failBuild === true && exitCode > 0) {
-    core.setFailed(
-      `Failed minimum severity level. Found vulnerabilities with level ${severityCutoff} or higher`
-    );
+  switch (outputFormat) {
+    case "sarif": {
+      const SARIF_FILE = "./results.sarif";
+      fs.writeFileSync(SARIF_FILE, cmdOutput);
+      out.sarif = SARIF_FILE;
+      break;
+    }
+    case "json": {
+      const REPORT_FILE = "./results.json";
+      fs.writeFileSync(REPORT_FILE, cmdOutput);
+      out.report = REPORT_FILE;
+      break;
+    }
+    default: // e.g. table
+      core.info(cmdOutput);
   }
 
   // If there is a non-zero exit status code there are a couple of potential reporting paths
-  if (failBuild === false && exitCode > 0) {
-    // There was a non-zero exit status but it wasn't because of failing severity, this must be
-    // a grype problem
+  if (exitCode > 0) {
     if (!severityCutoff) {
+      // There was a non-zero exit status but it wasn't because of failing severity, this must be
+      // a grype problem
       core.warning("grype had a non-zero exit status when running");
+    } else if (failBuild === true) {
+      core.setFailed(
+        `Failed minimum severity level. Found vulnerabilities with level '${severityCutoff}' or higher`
+      );
     } else {
       // There is a non-zero exit status code with severity cut off, although there is still a chance this is grype
       // that is broken, it will most probably be a failed severity. Using warning here will make it bubble up in the
       // Actions UI
       core.warning(
-        `Failed minimum severity level. Found vulnerabilities with level ${severityCutoff} or higher`
+        `Failed minimum severity level. Found vulnerabilities with level '${severityCutoff}' or higher`
       );
     }
   }
diff --git a/index.js b/index.js
@@ -124,7 +124,7 @@ async function runScan({ source, failBuild, severityCutoff, outputFormat }) {
   }
 
   const SEVERITY_LIST = ["negligible", "low", "medium", "high", "critical"];
-  const FORMAT_LIST = ["sarif", "json"];
+  const FORMAT_LIST = ["sarif", "json", "table"];
   let cmdArgs = [];
 
   if (core.isDebug()) {
@@ -212,34 +212,39 @@ async function runScan({ source, failBuild, severityCutoff, outputFormat }) {
     core.debug(cmdOutput);
   }
 
-  if (outputFormat === "sarif") {
-    const SARIF_FILE = "./results.sarif";
-    fs.writeFileSync(SARIF_FILE, cmdOutput);
-    out.sarif = SARIF_FILE;
-  } else {
-    const REPORT_FILE = "./results.json";
-    fs.writeFileSync(REPORT_FILE, cmdOutput);
-    out.report = REPORT_FILE;
-  }
-
-  if (failBuild === true && exitCode > 0) {
-    core.setFailed(
-      `Failed minimum severity level. Found vulnerabilities with level ${severityCutoff} or higher`
-    );
+  switch (outputFormat) {
+    case "sarif": {
+      const SARIF_FILE = "./results.sarif";
+      fs.writeFileSync(SARIF_FILE, cmdOutput);
+      out.sarif = SARIF_FILE;
+      break;
+    }
+    case "json": {
+      const REPORT_FILE = "./results.json";
+      fs.writeFileSync(REPORT_FILE, cmdOutput);
+      out.report = REPORT_FILE;
+      break;
+    }
+    default: // e.g. table
+      core.info(cmdOutput);
   }
 
   // If there is a non-zero exit status code there are a couple of potential reporting paths
-  if (failBuild === false && exitCode > 0) {
-    // There was a non-zero exit status but it wasn't because of failing severity, this must be
-    // a grype problem
+  if (exitCode > 0) {
     if (!severityCutoff) {
+      // There was a non-zero exit status but it wasn't because of failing severity, this must be
+      // a grype problem
       core.warning("grype had a non-zero exit status when running");
+    } else if (failBuild === true) {
+      core.setFailed(
+        `Failed minimum severity level. Found vulnerabilities with level '${severityCutoff}' or higher`
+      );
     } else {
       // There is a non-zero exit status code with severity cut off, although there is still a chance this is grype
       // that is broken, it will most probably be a failed severity. Using warning here will make it bubble up in the
       // Actions UI
       core.warning(
-        `Failed minimum severity level. Found vulnerabilities with level ${severityCutoff} or higher`
+        `Failed minimum severity level. Found vulnerabilities with level '${severityCutoff}' or higher`
       );
     }
   }
diff --git a/tests/action_args.test.js b/tests/action_args.test.js
@@ -73,4 +73,47 @@ describe("Github action args", () => {
     spyInput.mockRestore();
     spyOutput.mockRestore();
   });
+
+  it("runs with table output", async () => {
+    const inputs = {
+      image: "localhost:5000/match-coverage/debian:latest",
+      "fail-build": "true",
+      "output-format": "table",
+      "severity-cutoff": "medium",
+    };
+    const spyInput = jest.spyOn(core, "getInput").mockImplementation((name) => {
+      try {
+        return inputs[name];
+      } finally {
+        inputs[name] = true;
+      }
+    });
+
+    const outputs = {};
+    const spyOutput = jest
+      .spyOn(core, "setOutput")
+      .mockImplementation((name, value) => {
+        outputs[name] = value;
+      });
+
+    let stdout = "";
+    const spyStdout = jest.spyOn(core, "info").mockImplementation((value) => {
+      stdout += value;
+    });
+
+    await run();
+
+    Object.keys(inputs).map((name) => {
+      expect(inputs[name]).toBe(true);
+    });
+
+    expect(stdout).toContain("VULNERABILITY");
+
+    expect(outputs["sarif"]).toBeFalsy();
+    expect(outputs["json"]).toBeFalsy();
+
+    spyInput.mockRestore();
+    spyOutput.mockRestore();
+    spyStdout.mockRestore();
+  });
 });
