google / osv-scanner

Vulnerability scanner written in Go which uses the data provided by https://osv.dev
https://google.github.io/osv-scanner/
Apache License 2.0

Optimise human readable output for narrow terminals #85

Closed idkw closed 1 year ago

idkw commented 1 year ago

When using the default textual output and the SOURCE path is long enough, the output is truncated.

All lines end with a ≈ and are truncated, which makes the output unusable because it misses the OSV URL entirely.

╭────────────────────────────────────────────────────┬───────────┬─────────────────────────┬───────────────────────────────────┬───────────────────────────── ≈
│ SOURCE                                             │ ECOSYSTEM │ AFFECTED PACKAGE        │ VERSION                           │ OSV URL (ID IN BOLD)         ≈
├────────────────────────────────────────────────────┼───────────┼─────────────────────────┼───────────────────────────────────┼───────────────────────────── ≈
│ xxxxx/xxxxx/node_modules/package-lock.json         │ npm       │ lodash                  │ 4.17.4                            │ https://osv.dev/vulnerabilit ≈
│ xxxxx/xxxxx/node_modules/package-lock.json         │ npm       │ lodash                  │ 4.17.4                            │ https://osv.dev/vulnerabilit ≈
│ xxxxx/xxxxx/node_modules/package-lock.json         │ npm       │ lodash                  │ 4.17.4                            │ https://osv.dev/vulnerabilit ≈
│ xxxxx/xxxxx/node_modules/package-lock.json         │ npm       │ lodash                  │ 4.17.4                            │ https://osv.dev/vulnerabilit ≈
│ xxxxx/xxxxx/node_modules/package-lock.json         │ npm       │ lodash                  │ 4.17.4                            │ https://osv.dev/vulnerabilit ≈
│ xxxxx/xxxxx/node_modules/package-lock.json         │ npm       │ lodash                  │ 4.17.4                            │ https://osv.dev/vulnerabilit ≈
│ xxxxx/xxxxx/node_modules/package-lock.json         │ npm       │ lodash                  │ 4.17.4                            │ https://osv.dev/vulnerabilit ≈
│

I know about the JSON output, but I'd like to have an untruncated textual output too because it is more readable.

oliverchang commented 1 year ago

Re-opening as #87 was a partial fix/mitigation.

oliverchang commented 1 year ago

Thanks for trying osv-scanner and opening this issue!

We've made some changes to mitigate this, and released https://github.com/google/osv-scanner/releases/tag/v1.0.2 which includes:

Most of our team is out for the rest of the year, but once we're back early next year we'll work on improving this further!

idkw commented 1 year ago

Thanks!

G-Rath commented 1 year ago

@oliverchang @another-rex this could be a good time to talk about supporting the output style of osv-detector as an alternative because that should be much better suited for narrow terminals:

Loaded the following OSV databases:
  Go (1003 vulnerabilities, including withdrawn - last updated Wed, 21 Dec 2022 18:22:46 GMT)

go.mod: found 8 packages
  Using config at .osv-detector.yaml (1 ignore)
  Using db Go (1003 vulnerabilities, including withdrawn - last updated Wed, 21 Dec 2022 18:22:46 GMT)

  golang.org/x/sys@0.0.0-20210630005230-0f9fa26af87c is affected by the following vulnerabilities:
    GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can...

  1 known vulnerability found in go.mod

what do you think?

another-rex commented 1 year ago

I do like how that looks. We can add a flag, e.g. --output-type=<table|text|json>, for specifying what the output type will be, though we still need to keep the --json flag for compatibility.
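One way to lay this out, as an added example that is neither osv-scanner's code nor a patch from anyone in this thread, serving both the truncated table in the opening report and the --output-type proposal just above: a Go renderer that sizes every column except SOURCE to its content, gives SOURCE the remaining width (truncating it from the left, since the lockfile name is the informative end), and drops to an osv-detector-style text layout when even that would not fit, so the OSV URL is never cut. The Finding type, the SampleFindings data (with PLACEHOLDER-ID standing in for a real advisory), the 12-column minimum for SOURCE and the Render(kind, ...) dispatch are all assumptions of this example; the kind would come from the proposed flag, which is not wired up here.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"unicode/utf8"
)

// Finding is a constructed record for this example, not osv-scanner's result type.
// URL is the advisory link: the one cell a reader must never lose.
type Finding struct {
	Source, Ecosystem, Package, Version, ID, Summary string
}

func (f Finding) URL() string { return "https://osv.dev/vulnerability/" + f.ID }

// SampleFindings is constructed input sorted by source; PLACEHOLDER-ID is not a real advisory.
var SampleFindings = []Finding{
	{"repo/services/api/node_modules/package-lock.json", "npm", "lodash", "4.17.4", "PLACEHOLDER-ID", "constructed placeholder entry"},
	{"repo/services/worker/go.mod", "Go", "golang.org/x/sys", "0.0.0-20210630005230-0f9fa26af87c", "GO-2022-0493", "When called with a non-zero flags parameter, the Faccessat function can..."},
}

// shorten keeps the tail of a path, which identifies a lockfile better than its leading directories.
func shorten(s string, max int) string {
	r := []rune(s)
	if max <= 0 || len(r) <= max {
		return s
	}
	return "…" + string(r[len(r)-(max-1):])
}

// RenderTable sizes every column except SOURCE to its content and gives SOURCE the remainder, so
// the URL is never cut; if that remainder would be unreadably narrow it falls back to the text layout.
func RenderTable(fs []Finding, cols int) string {
	rows := [][]string{{"SOURCE", "ECOSYSTEM", "PACKAGE", "VERSION", "OSV URL"}}
	for _, f := range fs {
		rows = append(rows, []string{f.Source, f.Ecosystem, f.Package, f.Version, f.URL()})
	}
	widths := make([]int, len(rows[0]))
	for _, r := range rows {
		for c, cell := range r {
			if n := utf8.RuneCountInString(cell); n > widths[c] {
				widths[c] = n
			}
		}
	}
	used := 3*(len(widths)-1) + 4 // "| " + cells joined by " | " + " |"
	for _, w := range widths[1:] {
		used += w
	}
	if avail := cols - used; avail < 12 {
		return RenderText(fs)
	} else if widths[0] > avail {
		widths[0] = avail
	}
	var b strings.Builder
	for _, r := range rows {
		cells := make([]string, len(r))
		for c, cell := range r {
			if c == 0 {
				cell = shorten(cell, widths[0])
			}
			cells[c] = cell + strings.Repeat(" ", widths[c]-utf8.RuneCountInString(cell))
		}
		b.WriteString("| " + strings.Join(cells, " | ") + " |\n")
	}
	return b.String()
}

// RenderText groups findings per source file (input sorted by source) in the osv-detector
// style; with no alignment across rows nothing needs truncating.
func RenderText(fs []Finding) string {
	var b strings.Builder
	for i, f := range fs {
		if i == 0 || fs[i-1].Source != f.Source {
			fmt.Fprintf(&b, "%s:\n", f.Source)
		}
		fmt.Fprintf(&b, "  %s@%s is affected by %s: %s\n    %s\n", f.Package, f.Version, f.ID, f.Summary, f.URL())
	}
	return b.String()
}

// Render dispatches on the value an --output-type=<table|text|json> flag would carry;
// json stays a distinct kind so a legacy --json flag can keep mapping onto it.
func Render(kind string, fs []Finding, cols int) (string, error) {
	switch kind {
	case "table":
		return RenderTable(fs, cols), nil
	case "text":
		return RenderText(fs), nil
	case "json":
		out, err := json.MarshalIndent(fs, "", "  ")
		return string(out) + "\n", err
	}
	return "", fmt.Errorf("unknown output type %q", kind)
}

func main() { fmt.Print(RenderTable(SampleFindings, 140)) }
```

`go run` prints the table at 140 columns; call RenderTable with a narrower width (the sample needs 118 columns for the fixed cells alone) and it hands off to RenderText instead of cutting the URL. Keeping json a separate kind rather than a formatting option of text means the machine-readable path, which is what CI pipelines parse, is unaffected by any later change to the human layouts.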

oliverchang commented 1 year ago

I believe there's no more remaining work here? (@another-rex please reopen if I'm wrong).