clj-holmes / clj-watson

clojure deps SCA
Eclipse Public License 2.0

Consider Providing An at-a-glance Summary of Vulnerabilities #113

Open lread opened 3 weeks ago

lread commented 3 weeks ago

Broken out from #87.

Currently

There is no quick-to-digest summary of vulnerable dependencies. I think an at-a-glance summary is very helpful. Maybe you do too?

What do others do?

I looked at nvd-clojure and trivy for inspiration.

nvd-clojure uses colors to convey severity: [screenshot]

trivy uses colors (but does not wholly rely on them) and summary counts: [screenshot]

Maybe we can mix ideas from the two effectively.

Mockups

I've included the final 2-line summary from #87 to show how the summary table and the final summary work together.

Scanning clj-watson itself

We'll fix these up, but for now they are useful for my mockup!:

clojure -M:clj-watson scan -p deps.edn

[screenshot]

Scanning vulnerable-deps.edn

Clj-watson includes a handy sample dep with lots of vulnerabilities:

clojure -M:clj-watson scan -p resources/vulnerable-deps.edn

[screenshot]

Scanning when no vulnerabilities

Here's me scanning cljdoc; no summary table is emitted, only the final summary (see #87).

Dependencies Scanned: 211
Vulnerable Dependencies Found: 0

When should we show this summary?

Options:

  1. Never. Terrible idea. Unsubscribe.
  2. Treat it as a new report type. --output summary? But maybe you want the summary and the verbose stdout report. So maybe allow for multiple reports to be spit out?
  3. Add a new option to emit. Maybe --show-summary
  4. Add a new option to suppress. Maybe --no-show-summary
  5. Always emit. Assume everybody loves the summary and give no option to suppress.

Do colors work in all terminals?

No, but we also lightly use colors elsewhere. I'd like to deal with the enabling/disabling of colors in a separate issue.

Would it be a good idea to use hyperlinks for CVEs?

Good question. I've seen terminal hyperlinks used to great effect in GraalVM native-image output. It would be pretty cool to click on a CVE to have it open the nvd.nist.gov page in your browser with all of its details.

But they are not supported across all terminals, so if we want to support these I'd open a separate issue. And we'd likely borrow GraalVM's technique for deciding when to enable terminal hyperlinks.

What about CVSS2 vs CVSS3 vs CVSS4?

These are all different versions of severity scoring. For a summary report, I feel CVSS3 and CVSS4 are close enough to compare. CVSS2 omits the "Critical" and "None" severity levels, so it is less comparable, but for a summary report, I don't think it is problematic. We could include a footnote or indicator when a CVE score is CVSS2-based.

See #112

What about structured reports?

True, we are emitting more unstructured info to the terminal, and this is currently where structured reports also go. But we have an issue for this already, see #98.

What about suggestions?

Good question. Maybe we should summarize remediation suggestions as well?
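To make the CVSS2 vs CVSS3/CVSS4 point concrete, here is an added example (not clj-watson's own code): it buckets constructed findings into the NVD qualitative severity ranges for each CVSS version, counts how many per severity are CVSS2-based so a footnote can flag them, and prints the counts above the two-line footer from #87. The finding map shape, dependency names and CVE ids are constructed placeholders, not real clj-watson data.

```clojure
;; Constructed sample findings (placeholder CVE ids and dep names).
;; Real clj-watson findings will have a different shape.
(def sample-findings
  [{:dep "example/lib-a" :cve "CVE-0000-0001" :cvss-version 3 :score 9.8}
   {:dep "example/lib-a" :cve "CVE-0000-0002" :cvss-version 2 :score 7.5}
   {:dep "example/lib-b" :cve "CVE-0000-0003" :cvss-version 4 :score 5.3}
   {:dep "example/lib-c" :cve "CVE-0000-0004" :cvss-version 3 :score 0.0}])

(defn severity
  "Maps a base score to a qualitative severity using the NVD ranges.
  CVSS2 has no None/Critical: 0-3.9 Low, 4-6.9 Medium, 7-10 High.
  CVSS3 and CVSS4 share: 0 None, 0.1-3.9 Low, 4-6.9 Medium,
  7-8.9 High, 9-10 Critical."
  [version score]
  (if (= 2 version)
    (cond (< score 4.0) :low (< score 7.0) :medium :else :high)
    (cond (zero? score) :none (< score 4.0) :low (< score 7.0) :medium
          (< score 9.0) :high :else :critical)))

(def severity-order [:critical :high :medium :low :none])

(defn summary-counts
  "Counts findings per severity and, per severity, how many are
  CVSS2-based so the report can footnote them as less comparable."
  [findings]
  (reduce (fn [acc {:keys [cvss-version score]}]
            (let [sev (severity cvss-version score)]
              (cond-> (update-in acc [sev :total] (fnil inc 0))
                (= 2 cvss-version) (update-in [sev :cvss2] (fnil inc 0)))))
          {}
          findings))

(defn summary-lines
  "Renders a plain-text (no color) summary: one line per non-empty
  severity, then the two-line footer proposed in #87."
  [findings deps-scanned]
  (let [counts (summary-counts findings)
        vulnerable-deps (count (distinct (map :dep findings)))]
    (concat
     (for [sev severity-order
           :let [{:keys [total cvss2]} (get counts sev)]
           :when total]
       (format "%-9s %d%s" (name sev) total
               (if cvss2 (format " (%d CVSS2-based*)" cvss2) "")))
     [(format "Dependencies Scanned: %d" deps-scanned)
      (format "Vulnerable Dependencies Found: %d" vulnerable-deps)])))

;; 42 is a constructed scan size for the demo footer.
(run! println (summary-lines sample-findings 42))
```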

lread commented 2 weeks ago

I've slept on this one a bit, and feel it is quite close to being just another report --output type.

It is pretty and all, but do we really need it?

I think I'll wait to see if there is more interest than just from me!

seancorfield commented 2 weeks ago

Since we have stdout and stdout-simple, perhaps this should be stdout-detailed or stdout-full or something?

lread commented 2 weeks ago

Or maybe stdout-pretty?

Since my brain first considered this a general summary, I might need to rethink this as a proper report.

Maybe allowing for multiple reports to be spit out would make sense?

-o stdout-simple stdout-pretty

:o [stdout-simple stdout-pretty]

seancorfield commented 1 week ago

I don't have a strong opinion on this, but it feels more like "expanded summary information" than an actual "report" -- see my comment on #98 -- so I'm somewhat inclined to make this an opt-in --show-summary option.