Open lread opened 3 months ago
I've slept on this one a bit, and feel it is quite close to being just another report --output type.
It is pretty and all, but do we really need it?
I think I'll wait to see if there is more interest than just from me!
Since we have stdout and stdout-simple, perhaps this should be stdout-detailed or stdout-full or something? Or maybe stdout-pretty?
Since my brain first considered this a general summary, I might need to rethink this as a proper report.
Maybe allowing for multiple reports to spit out would make sense?
-o stdout-simple stdout-pretty
:o [stdout-simple stdout-pretty]
I don't have a strong opinion on this, but it feels more like "expanded summary information" than an actual "report" -- see my comment on #98 -- so I'm somewhat inclined to make this an opt-in --show-summary option.
Broken out from #87.
Currently
There is no quick-to-digest summary of vulnerable dependencies. I think an at-a-glance summary is very helpful. Maybe you do too?
What do others do?
I looked at nvd-clojure and trivy for inspiration.
nvd-clojure uses colors to convey severity:
trivy uses colors (but does not wholly rely on them), and summary counts
Maybe we can mix ideas from the two effectively.
Mockups
I've included the final 2-line summary from #87 to show how the summary table and the final summary work together.
Scanning clj-watson itself
We'll fix these up, but for now they are useful for my mockup!:
Scanning vulnerable-deps.edn
Clj-watson includes a handy sample dep with lots of vulnerabilities:
Scanning when no vulnerabilities
Here's me scanning cljdoc, no summary table is emitted, only the final summary (see #87).
When should we show this summary?
Options:
--output summary? But maybe you want the summary and the verbose stdout report. So maybe allow for multiple reports to be spit out?
--show-summary
--no-show-summary
Do colors work in all terminals?
No, but we also lightly use colors elsewhere. I'd like to deal with the enabling/disabling of colors in a separate issue.
Would it be a good idea to use hyperlinks for CVEs?
Good question. I've seen terminal hyperlinks used to great effect in GraalVM native-image output. It would be pretty cool to click on a CVE to have it open the nvd.nist.gov page in your browser with all of its details.
But they are not supported across all terminals, so if we want to support these I'd open a separate issue. And we'd likely borrow GraalVM's technique for deciding when to enable terminal hyperlinks.
What about CVSS2 vs CVSS3 vs CVSS4?
These are all different versions of severity scoring. For a summary report, I feel CVSS3 and CVSS4 are close enough to compare. CVSS2 omits the "Critical" and "None" severity levels, so it is less comparable, but for a summary report, I don't think it is problematic. We could include a footnote or indicator when a CVE score is CVSS2-based.
See #112
What about structured reports?
True, we are emitting more unstructured info to the terminal, and this is currently where structured reports also go. But we have an issue for this already, see #98.
What about suggestions?
Good question. Maybe we should summarize remediation suggestions as well?
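The at-a-glance summary table, the final summary line, the colors on/off switch and the CVSS2-vs-CVSS3/4 comparison discussed in this issue, as an added example (not clj-watson's own code, and not from this thread). The finding map shape, the CVE ids, the dependency names and the ANSI palette are all constructed for the example; the severity bands are the published CVSS v2 (Low/Medium/High) and v3.x/v4.0 (None/Low/Medium/High/Critical) qualitative scales, with CVSS2-based rows marked by a footnote indicator as the issue suggests:

```clojure
(ns summary-example
  "Added example, not clj-watson code: render an at-a-glance summary of
   vulnerable dependencies, normalizing CVSS2/3/4 scores to one severity
   label and flagging CVSS2-based entries with a footnote marker."
  (:require [clojure.string :as str]))

;; Constructed sample findings (placeholder CVE ids, not real advisories).
;; :cvss-version is the major/minor version the score was taken from.
(def sample-findings
  [{:dep "com.example/foo" :cve "CVE-0000-0001" :cvss-version 3.1 :score 9.8}
   {:dep "com.example/foo" :cve "CVE-0000-0002" :cvss-version 2   :score 7.5}
   {:dep "com.example/bar" :cve "CVE-0000-0003" :cvss-version 4.0 :score 5.3}
   {:dep "com.example/baz" :cve "CVE-0000-0004" :cvss-version 3.1 :score 0.0}])

(def severity-order [:critical :high :medium :low :none])

(defn severity
  "Map a numeric base score to a severity label according to the CVSS version.
   CVSS v3.x and v4.0 share one scale; CVSS v2 has no None or Critical band,
   so a v2 score of 10.0 is still reported as :high."
  [version score]
  (if (== version 2)
    (cond (< score 4.0) :low
          (< score 7.0) :medium
          :else         :high)
    (cond (zero? score) :none
          (< score 4.0) :low
          (< score 7.0) :medium
          (< score 9.0) :high
          :else         :critical)))

(defn severity-counts
  "Count findings per severity label; CVSS2-based findings are also tallied
   under :cvss2-based so the summary can carry a footnote."
  [findings]
  (reduce (fn [acc {:keys [cvss-version score]}]
            (cond-> (update acc (severity cvss-version score) (fnil inc 0))
              (== cvss-version 2) (update :cvss2-based (fnil inc 0))))
          {}
          findings))

;; Constructed ANSI palette; wrapping is skipped entirely when color? is false
;; (for terminals or CI logs that do not render escape sequences).
(def ansi {:critical "\u001b[1;31m" :high "\u001b[31m" :medium "\u001b[33m"
           :low "\u001b[32m" :none "\u001b[90m" :reset "\u001b[0m"})

(defn colorize [color? sev s]
  (if color? (str (ansi sev) s (ansi :reset)) s))

(defn finding-row
  "One table row. The severity cell is padded before colorizing so the
   escape sequences do not disturb column alignment."
  [color? {:keys [dep cve cvss-version score]}]
  (let [sev    (severity cvss-version score)
        marker (if (== cvss-version 2) "*" " ")]
    (format "%-18s %-14s %s %4.1f%s"
            dep cve (colorize color? sev (format "%-9s" (name sev))) (double score) marker)))

(defn summary-line
  "The final one-line summary: total, per-severity counts, CVSS2 footnote."
  [color? findings]
  (let [counts (severity-counts findings)
        parts  (for [sev severity-order
                     :let [n (get counts sev 0)]
                     :when (pos? n)]
                 (colorize color? sev (str n " " (name sev))))]
    (str (count findings) " vulnerabilities: " (str/join ", " parts)
         (when-let [n (:cvss2-based counts)]
           (str "  (* " n " scored with CVSS2, which has no Critical/None bands)")))))

(defn render-summary
  "Return the summary table followed by the final summary line. When there are
   no findings only a single line is returned, as the issue proposes."
  [{:keys [color?] :or {color? true}} findings]
  (if (empty? findings)
    "No vulnerabilities found."
    (str/join "\n"
              (concat [(format "%-18s %-14s %-9s %5s" "dependency" "cve" "severity" "score")]
                      (map (partial finding-row color?)
                           (sort-by (fn [{:keys [cvss-version score]}]
                                      (.indexOf severity-order (severity cvss-version score)))
                                    findings))
                      ["" (summary-line color? findings)]))))

(println (render-summary {:color? false} sample-findings))
```

Rows are sorted most severe first, and the table is omitted altogether when the finding list is empty, matching the "no vulnerabilities" mockup where only the final summary remains. Passing {:color? true} wraps only the severity cells and the count words, so the dependency and CVE columns stay plain and grep-friendly either way.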