docker / scout-cli

Docker Scout CLI
https://docker.com/products/docker-scout

The markdown format is not supported #29

Closed ulrich closed 11 months ago

ulrich commented 11 months ago

Hello Team,

I am testing the tool with real pleasure, but when I tried some commands I figured out that the markdown format output doesn't seem to work on the latest version.

Commands:

❯ docker scout cves --exit-code --ignore-base --only-fixed --only-severity critical,high --format sarif --output mega.sarif mega:1.5.0
    ✓ SBOM of image already cached, 282 packages indexed
    ✓ Ignoring packages and vulnerabilities from base image openjdk
    ✗ Detected 5 vulnerable packages with a total of 8 vulnerabilities
    ✓ Report written to mega.sarif
❯ docker scout cves --exit-code --ignore-base --only-fixed --only-severity critical,high --format packages --output mega.packages mega:1.5.0
    ✓ SBOM of image already cached, 282 packages indexed
    ✓ Ignoring packages and vulnerabilities from base image openjdk
    ✗ Detected 5 vulnerable packages with a total of 8 vulnerabilities
    ✓ Report written to mega.packages
❯ docker scout cves --exit-code --ignore-base --only-fixed --only-severity critical,high --format markdown --output mega.markdown mega:1.5.0

...
Learn More
  Read docker scout cli reference at https://docs.docker.com/engine/reference/commandline/scout/
ERROR   Status: please provide a valid format, Code: 1

Test version:

❯ docker scout version
version: 0.22.2 (go1.20.6 - linux/amd64)
git commit: 7e5413c2e22976e2de12c9889d2f7aa884c7fc7c

Maybe I missed something?

Ulrich

eunomie commented 11 months ago

Hi @ulrich, hope you're doing well and happy to see you there 👋

Let me check what's going wrong here and I'll come back to you.

eunomie commented 11 months ago

@ulrich: here is the v0.22.3 that should solve your issue: https://github.com/docker/scout-cli/releases/tag/v0.22.3

Just to note that the markdown output has been made with GH PR comments in mind, so the markdown contains a lot of HTML tags (collapsible content and more control over the tables).

See the example in the following comment.

Happy to take any feedback on it :-)

eunomie commented 11 months ago

:mag: Vulnerabilities of ***/***:***

:package: Image Reference ***/***:***

| | |
|---|---|
| digest | sha256:13e688445ffc2ff7f5d1d6bc48f2d2a1bfead36131fbe609d7cb54c6b76aace8 |
| vulnerabilities | critical: 0 high: 1 medium: 3 low: 0 unspecified: 1 |
| platform | linux/arm64 |
| size | 27 MB |
| packages | 294 |

critical: 0 high: 1 medium: 2 low: 0 unspecified: 1 libssl3 3.1.0-r4 (apk) pkg:apk/alpine/libssl3@3.1.0-r4?arch=aarch64&upstream=openssl&distro=alpine-3.18.0

```dockerfile
# Dockerfile (1:1)
FROM alpine:3.18
```

high : CVE--2023--2650

| | |
|---|---|
| Affected range | <3.1.1-r0 |
| Fixed version | 3.1.1-r0 |
| Description | |

medium : CVE--2023--3446

| | |
|---|---|
| Affected range | <3.1.1-r3 |
| Fixed version | 3.1.1-r3 |
| Description | |

medium : CVE--2023--2975

| | |
|---|---|
| Affected range | <3.1.1-r2 |
| Fixed version | 3.1.1-r2 |
| Description | |

unspecified : CVE--2023--3817

| | |
|---|---|
| Affected range | <3.1.2-r0 |
| Fixed version | 3.1.2-r0 |
| Description | |

critical: 0 high: 0 medium: 1 low: 0 semver 7.5.0 (npm) pkg:npm/semver@7.5.0

```dockerfile
# Dockerfile (3:3)
RUN apk add --no-cache npm
```

medium 5.3: CVE--2022--25883 Inefficient Regular Expression Complexity

| | |
|---|---|
| Affected range | >=7.0.0 <7.5.2 |
| Fixed version | 7.5.2 |
| CVSS Score | 5.3 |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
| Description | Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range. |

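
As an added example that is not part of the issue thread or of Docker Scout's own code, the Python below pulls each finding out of a Scout markdown report of the kind rendered above and applies the same gate as the `--only-severity critical,high --only-fixed --exit-code` flags from the first comment, so a CI job can act on the report rather than only post it. `SAMPLE_REPORT` is a constructed approximation of that HTML-heavy markdown: it assumes one collapsible block per finding, a badge whose alt text reads like the rendered `high : CVE--2023--2650` (double dashes standing in for single ones), and key/value table rows.

```python
import re
from html import unescape

# Constructed sample approximating the HTML-heavy markdown Docker Scout writes for
# PR comments (assumed layout: one <details> per finding, badge alt text
# "<severity>[ <score>]: CVE--YYYY--NNNN", and <tr><td>key</td><td>value</td></tr> rows).
SAMPLE_REPORT = """
:mag: Vulnerabilities of `mega:1.5.0`
<details><summary><img alt="high: CVE--2023--2650" src="https://img.shields.io/badge/high-CVE--2023--2650-e25d68"/></summary>
<table>
<tr><td>Affected range</td><td><code>&lt;3.1.1-r0</code></td></tr>
<tr><td>Fixed version</td><td>3.1.1-r0</td></tr>
</table>
</details>
<details><summary><img alt="medium 5.3: CVE--2022--25883" src="https://img.shields.io/badge/medium-CVE--2022--25883-fbb552"/> Inefficient Regular Expression Complexity</summary>
<table>
<tr><td>Affected range</td><td><code>&gt;=7.0.0<br/>&lt;7.5.2</code></td></tr>
<tr><td>Fixed version</td><td>7.5.2</td></tr>
<tr><td>CVSS Score</td><td>5.3</td></tr>
</table>
</details>
"""

BADGE = re.compile(r'<img alt="(critical|high|medium|low|unspecified)(?: [\d.]+)?: (CVE--[\d-]+)"')
ROW = re.compile(r"<tr><td>([^<]+)</td><td>(.*?)</td></tr>", re.S)
TAG = re.compile(r"<[^>]+>")


def parse_findings(report: str) -> list[dict]:
    """One dict per finding: real CVE id, severity, affected range, fixed version."""
    findings = []
    for block in re.split(r"<details[^>]*>", report)[1:]:
        badge = BADGE.search(block)
        if not badge:
            continue  # a block without a CVE badge (e.g. the image-reference block)
        severity, badge_id = badge.groups()
        rows = {}
        for key, value in ROW.findall(block):
            # Tags (including <br/> between stacked constraints) become spaces, then
            # entities such as &lt; are decoded and whitespace is normalised.
            rows[key] = " ".join(unescape(TAG.sub(" ", value)).split())
        findings.append({
            "id": badge_id.replace("--", "-"),  # undo the badge's dash escaping
            "severity": severity,
            "affected_range": rows.get("Affected range", ""),
            "fixed_version": rows.get("Fixed version", ""),
        })
    return findings


def blocking_ids(findings: list[dict], gate=("critical", "high")) -> list[str]:
    """CVE ids that should fail the build: gated severities that have a fix available."""
    return [f["id"] for f in findings if f["severity"] in gate and f["fixed_version"]]
```
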
ulrich commented 11 months ago

Nice job, it works as expected!

I'll continue testing Scout 👍

Have a good day, Yves.