Closed s-kenji closed 2 months ago
Show severity and score from providers in addition to NVD in the summary report in GitHub Actions. The prioritized severity is in the following order:
If severity is not provided by any provider, the severity and score will remain empty.
Related Issues: https://github.com/aws-actions/vulnerability-scan-github-action-for-amazon-inspector/issues/68
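As an added illustration of the selection rule described above (example code, not the action's own implementation), the function below picks the severity and score to show from a prioritized provider list and leaves both empty when no provider supplies a severity. The `ratings[].source.name` / `severity` / `score` layout and the `DEFAULT_PROVIDER_ORDER` values are assumptions; the PR does not state the actual order.

```python
# Added example (not the action's own code): choose the severity/score shown in
# the summary from a prioritized list of rating providers; both fields stay
# empty when no provider supplies a severity.
from typing import Any, Dict, List, Sequence, Tuple

# Assumed provider priority: a placeholder order, not the order the PR defines.
DEFAULT_PROVIDER_ORDER: Sequence[str] = ("NVD", "PROVIDER_A", "PROVIDER_B")


def pick_severity(ratings: List[Dict[str, Any]],
                  provider_order: Sequence[str] = DEFAULT_PROVIDER_ORDER
                  ) -> Tuple[str, str]:
    """Return (severity, score) from the highest-priority provider that
    supplies a non-empty severity; ("", "") when none does."""
    by_source: Dict[str, Dict[str, Any]] = {}
    for rating in ratings:
        source = (rating.get("source") or {}).get("name", "")
        severity = (rating.get("severity") or "").strip()
        if severity:  # ratings without a severity never win, even from NVD
            by_source.setdefault(source.upper(), rating)
    for provider in provider_order:
        rating = by_source.get(provider.upper())
        if rating is not None:
            score = rating.get("score")
            return (rating["severity"].strip().upper(),
                    "" if score is None else str(score))
    return "", ""


# Constructed sample: the NVD rating carries a score but no severity, so the
# next provider in the assumed order is used instead.
SAMPLE_RATINGS = [
    {"source": {"name": "NVD"}, "score": 7.5},
    {"source": {"name": "PROVIDER_A"}, "severity": "high", "score": 8.1},
]

if __name__ == "__main__":
    print(pick_severity(SAMPLE_RATINGS))  # ('HIGH', '8.1')
    print(pick_severity([]))              # ('', '')
```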
Logs:
time="2024-07-22 15:06:14" level=info msg="downloading and installing inspector-sbomgen version latest" file="orchestrator.py:17"
time="2024-07-22 15:06:15" level=info msg="generating SBOM from artifact" file="orchestrator.py:21"
INFO[0000] Amazon Inspector SBOM Generator v1.3.1 - linux arm64 - Copyright 2024 Amazon.com, Inc. or its affiliates. All Rights Reserved
INFO[0000] [/usr/local/bin/inspector-sbomgen directory --path /tmp/python-proj --outfile /tmp/sbom_9943125441.json --disable-progress-bar --timeout 600]
INFO[0000] writing log file to: /Users/kensugim/.inspector-sbomgen/logs/inspector-sbomgen-log_2024-07-22_15-06-15.txt
INFO[2024-07-22 15:06:15]coreV1.go:34: initializing target artifact
INFO[2024-07-22 15:06:15]coreV1.go:44: executing pre-processors
INFO[2024-07-22 15:06:15]directory.go:180: walking the artifact
INFO[2024-07-22 15:06:15]coreV1.go:53: analyzing artifact
INFO[2024-07-22 15:06:15]coreV1.go:62: executing post-processors
INFO[2024-07-22 15:06:15]coreV1.go:71: encoding findings
INFO[2024-07-22 15:06:15]directories.go:243: encoded 19 components
INFO[2024-07-22 15:06:15]directory.go:242: cleaning up file system artifacts
INFO[2024-07-22 15:06:15]cli.go:62: Elapsed time: 130ms
time="2024-07-22 15:06:15" level=info msg="setting github actions output: artifact_sbom:/tmp/sbom_9943125441.json" file="orchestrator.py:233"
sh: line 1: : No such file or directory
time="2024-07-22 15:06:15" level=info msg="scanning SBOM contents with Amazon Inspector" file="orchestrator.py:25"
time="2024-07-22 15:06:16" level=info msg="setting github actions output: inspector_scan_results:/tmp/inspector_scan_9943125441.json" file="orchestrator.py:233"
sh: line 1: : No such file or directory
time="2024-07-22 15:06:16" level=info msg="tallying vulnerabilities" file="orchestrator.py:30"
------------------------------------
Amazon Inspector Scan Summary:
Artifact Name: /tmp/python-proj
Artifact Type: repository
2024-07-22 15:06:16
------------------------------------
Total Vulnerabilities: 19
Critical: 3
High: 10
Medium: 6
Low: 0
Other: 0
time="2024-07-22 15:06:16" level=info msg="setting github actions output: vulnerability_threshold_exceeded:0" file="orchestrator.py:233"
sh: line 1: : No such file or directory
time="2024-07-22 15:06:16" level=info msg="writing package vulnerability CSV report to: /tmp/inspector_scan_9943125441.csv" file="orchestrator.py:398"
time="2024-07-22 15:06:16" level=info msg="setting github actions output: inspector_scan_results_csv:/tmp/inspector_scan_9943125441.csv" file="orchestrator.py:233"
sh: line 1: : No such file or directory
time="2024-07-22 15:06:16" level=info msg="writing package vulnerability markdown report to: /tmp/inspector_scan_9943125441.md" file="orchestrator.py:416"
time="2024-07-22 15:06:16" level=info msg="posting Inspector scan findings to GitHub Actions step summary page" file="orchestrator.py:445"
time="2024-07-22 15:06:16" level=error msg="[Errno 21] Is a directory: '/tmp'" file="pkg_vuln.py:432"
time="2024-07-22 15:06:16" level=info msg="setting github actions output: inspector_scan_results_markdown:/tmp/inspector_scan_9943125441.md" file="orchestrator.py:233"
sh: line 1: : No such file or directory
time="2024-07-22 15:06:16" level=info msg="skipping dockerfile vulnerability CSV report because no vulnerabilities were detected" file="dockerfile.py:318"
time="2024-07-22 15:06:16" level=info msg="setting github actions output: inspector_dockerile_scan_results_csv:/tmp/inspector_dockerfile_scan_9943125441.csv" file="orchestrator.py:233"
sh: line 1: : No such file or directory
time="2024-07-22 15:06:16" level=info msg="skipping dockerfile vulnerability MD report because no vulnerabilities were detected" file="dockerfile.py:332"
time="2024-07-22 15:06:16" level=info msg="setting github actions output: inspector_dockerile_scan_results_markdown:/tmp/inspector_dockerfile_scan_9943125441.md" file="orchestrator.py:233"
sh: line 1: : No such file or directory
time="2024-07-22 15:06:16" level=info msg="posting Inspector Dockerfile scan findings to GitHub Actions step summary page" file="orchestrator.py:57"
Screenshots Before:
After: