anchore / anchore-cli

Simple command-line client to the Anchore Engine service
Apache License 2.0

Add package type in the vulnerability listing output as well as feed source for the match #43

Closed zhill closed 4 years ago

zhill commented 4 years ago

In the output of anchore-cli image vuln <img> all, a column should indicate the package type, package location, and match feed source (nvd, centos:8, debian:8, etc.) so that it is clearer exactly what is being matched, and packages of different types with the same name can be distinguished as not being duplicates.

alfredodeza commented 4 years ago

We should consider rethinking the output formatting at some point (or perhaps right now), because adding more columns to an already wide output is going to worsen readability. At 80 columns it is not possible to make sense of it; the terminal width has to be at least 195 columns wide to read the metadata.

On very rich/large informational output from CLI tools it is somewhat common to use a nested format (similar to how formatted JSON looks) with column names as keys. So instead of this sample output:

$ anchore-cli --u admin --p foobar image vuln docker.io/library/centos:centos7 os
Vulnerability ID        Package                                Severity        Fix                     CVE Refs                             Vulnerability URL
RHSA-2019:4190          nss-3.44.0-4.el7                       High            0:3.44.0-7.el7_7        CVE-2019-11729,CVE-2019-11745        https://access.redhat.com/errata/RHSA-2019:4190
RHSA-2019:4190          nss-softokn-3.44.0-5.el7               High            0:3.44.0-8.el7_7        CVE-2019-11729,CVE-2019-11745        https://access.redhat.com/errata/RHSA-2019:4190

It would look like this:

$ anchore-cli --u admin --p foobar image vuln docker.io/library/centos:centos7 os

Vulnerability ID: RHSA-2019:4190
  Package: nss-3.44.0-4.el7
  Severity: High
  Fix: 0:3.44.0-7.el7_7        
  CVE Refs:
    - CVE-2019-11729
    - CVE-2019-11745
  Vulnerability URL: https://access.redhat.com/errata/RHSA-2019:4190

Vulnerability ID: RHSA-2019:4190          
  Package: nss-softokn-3.44.0-5.el7               
  Severity: High
  Fix: 0:3.44.0-8.el7_7        
  CVE Refs:
    - CVE-2019-11729
    - CVE-2019-11745        
  Vulnerability URL: https://access.redhat.com/errata/RHSA-2019:4190

Going further, we could even set the title and sort the output by whatever the administrator needs. For example by package could be:

$ anchore-cli --u admin --p foobar image vuln --sort-by=Package docker.io/library/centos:centos7 os

Package: nss-3.44.0-4.el7
  Vulnerability ID: RHSA-2019:4190
  Severity: High
  Fix: 0:3.44.0-7.el7_7        
  CVE Refs:
    - CVE-2019-11729
    - CVE-2019-11745
  Vulnerability URL: https://access.redhat.com/errata/RHSA-2019:4190

Package: nss-softokn-3.44.0-5.el7               
  Vulnerability ID: RHSA-2019:4190          
  Severity: High
  Fix: 0:3.44.0-8.el7_7        
  CVE Refs:
    - CVE-2019-11729
    - CVE-2019-11745        
  Vulnerability URL: https://access.redhat.com/errata/RHSA-2019:4190
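
As an added illustration of the nested, sortable layout proposed above, here is a small renderer written for this discussion; it is not anchore-cli's own code. The record field names (package_type, package_path, feed_group) are assumptions modelled on the columns the issue asks for, the records are constructed sample data based on the two RHSA rows in the thread plus one non-OS package, and the third record's vulnerability id is a placeholder, not a real advisory. A flat table renderer is included only so the two layouts' line widths can be compared.

```python
"""Nested, sortable rendering of image vulnerability matches.

Example code for the anchore-cli output-format discussion; not part of the
anchore-cli project. Field names and sample records are assumptions.
"""
from typing import Dict, List, Union

Match = Dict[str, Union[str, List[str]]]

# Constructed sample matches (not real scan output). The third entry uses a
# placeholder vulnerability id; it exists to show a non-OS package whose
# type, path and feed source differ from the rpm matches.
SAMPLE_MATCHES: List[Match] = [
    {
        "vuln": "RHSA-2019:4190",
        "package": "nss-3.44.0-4.el7",
        "package_type": "rpm",
        "package_path": "pkgdb",
        "feed_group": "centos:7",
        "severity": "High",
        "fix": "0:3.44.0-7.el7_7",
        "cve_refs": ["CVE-2019-11729", "CVE-2019-11745"],
        "url": "https://access.redhat.com/errata/RHSA-2019:4190",
    },
    {
        "vuln": "RHSA-2019:4190",
        "package": "nss-softokn-3.44.0-5.el7",
        "package_type": "rpm",
        "package_path": "pkgdb",
        "feed_group": "centos:7",
        "severity": "High",
        "fix": "0:3.44.0-8.el7_7",
        "cve_refs": ["CVE-2019-11729", "CVE-2019-11745"],
        "url": "https://access.redhat.com/errata/RHSA-2019:4190",
    },
    {
        "vuln": "CVE-0000-0000",  # placeholder id, constructed
        "package": "requests-2.19.1",
        "package_type": "python",
        "package_path": "/usr/lib/python2.7/site-packages/requests",
        "feed_group": "nvdv2:cves",
        "severity": "Medium",
        "fix": "2.20.0",
        "cve_refs": [],
        "url": "https://example.invalid/placeholder",
    },
]

# Display label -> record key, in the order the fields are printed.
COLUMNS = [
    ("Vulnerability ID", "vuln"),
    ("Package", "package"),
    ("Type", "package_type"),
    ("Package Path", "package_path"),
    ("Feed Source", "feed_group"),
    ("Severity", "severity"),
    ("Fix", "fix"),
    ("CVE Refs", "cve_refs"),
    ("Vulnerability URL", "url"),
]
LABEL_TO_KEY = {label: key for label, key in COLUMNS}
KEY_TO_LABEL = {key: label for label, key in COLUMNS}


def render_nested(matches: List[Match], sort_by: str = "Vulnerability ID") -> str:
    """Render one indented block per match, titled and sorted by `sort_by`.

    `sort_by` may be a display label ("Package") or a record key ("package").
    The sort is stable, so matches with equal titles keep their input order.
    """
    key = LABEL_TO_KEY.get(sort_by, sort_by)
    if key not in KEY_TO_LABEL:
        raise ValueError(f"unknown sort field: {sort_by}")
    blocks = []
    for m in sorted(matches, key=lambda rec: str(rec[key])):
        lines = [f"{KEY_TO_LABEL[key]}: {m[key]}"]
        for label, k in COLUMNS:
            if k == key:
                continue  # already used as the block title
            value = m[k]
            if isinstance(value, list):
                lines.append(f"  {label}:")
                lines.extend(f"    - {item}" for item in value)
            else:
                lines.append(f"  {label}: {value}")
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks)


def render_table(matches: List[Match]) -> str:
    """Flat one-row-per-match table, like the current CLI output, for width comparison."""
    rows = [[",".join(m[k]) if isinstance(m[k], list) else str(m[k]) for _, k in COLUMNS]
            for m in matches]
    widths = [max(len(label), *(len(r[i]) for r in rows)) for i, (label, _) in enumerate(COLUMNS)]
    header = "  ".join(label.ljust(w) for (label, _), w in zip(COLUMNS, widths))
    body = ["  ".join(cell.ljust(w) for cell, w in zip(r, widths)) for r in rows]
    return "\n".join([header] + body)


def max_line_width(text: str) -> int:
    """Widest line in a rendered block; compare against the terminal width."""
    return max(len(line) for line in text.splitlines())


if __name__ == "__main__":
    print(render_nested(SAMPLE_MATCHES, sort_by="Package"))
    print(f"\nnested width: {max_line_width(render_nested(SAMPLE_MATCHES))}")
    print(f"table width:  {max_line_width(render_table(SAMPLE_MATCHES))}")
```

With the three extra fields included, the nested form stays under 80 columns on these records while the flat table runs well past 200, which is the readability point made in the comment above.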

alfredodeza commented 4 years ago

Adding three columns (Type, Feed Source, and Package Path) does not fit on my large monitor with the terminal maximized at 272 columns :( :( :(

The padding bleeds over into the next line, creating new lines. At 280 (!) the output fits, but I doubt we think this is readable? (I anticipate we will want to add more columns later too):

[Screenshot: Screen Shot 2020-01-29 at 2 46 14 PM]