Merge pull request #135 from docker/add-group-issues-flag

Add support of Snyk --group-issues flag for json output

Author: glours

README.md

@@ -162,6 +162,56 @@ $ docker scan --json hello-world
 }
 ```
 
+In addition to the `--json` flag, you can use the `--group-issues` flag to display only once a vulnerability
+```console
+$ docker scan --json --group-issues docker-scan:e2e
+{
+    {
+      "title": "Improper Check for Dropped Privileges",
+      ...
+      "packageName": "bash",
+      "language": "linux",
+      "packageManager": "debian:10",
+      "description": "## Overview\nAn issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support \"saved UID\" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use \"enable -f\" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected.\n\n## References\n- [CONFIRM](https://security.netapp.com/advisory/ntap-20200430-0003/)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-18276)\n- [GitHub Commit](https://github.com/bminor/bash/commit/951bdaad7a18cc0dc1036bba86b18b90874d39ff)\n- [MISC](http://packetstormsecurity.com/files/155498/Bash-5.0-Patch-11-Privilege-Escalation.html)\n- [MISC](https://www.youtube.com/watch?v=-wGtxJ8opa8)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-18276)\n",
+      "identifiers": {
+        "ALTERNATIVE": [],
+        "CVE": [
+          "CVE-2019-18276"
+        ],
+        "CWE": [
+          "CWE-273"
+        ]
+      },
+      "severity": "low",
+      "severityWithCritical": "low",
+      "cvssScore": 7.8,
+      "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F",
+      ...
+      "from": [
+        "docker-image|docker-scan@e2e",
+        "bash@5.0-4"
+      ],
+      "upgradePath": [],
+      "isUpgradable": false,
+      "isPatchable": false,
+      "name": "bash",
+      "version": "5.0-4"
+    },
+    ...
+    "summary": "880 vulnerable dependency paths",
+      "filesystemPolicy": false,
+      "filtered": {
+        "ignore": [],
+        "patch": []
+      },
+      "uniqueCount": 158,
+      "projectName": "docker-image|docker-scan",
+      "platform": "linux/amd64",
+      "path": "docker-scan:e2e"
+}
+```
+You can find all the sources of the vulnerability in the `from` section.
+
 If you want to see the dependency tree of your image, you can use the `--dependency-tree` flag, to display all the dependencies before the scan result
 ```console
 $ docker-image|99138c65ebc7 @ latest

cmd/docker-scan/main.go

@@ -70,6 +70,7 @@ type options struct {
 	forceOptIn     bool
 	forceOptOut    bool
 	severity       string
+	groupIssues    bool
 }
 
 func newScanCmd(ctx context.Context, dockerCli command.Cli) *cobra.Command {
@@ -99,6 +100,7 @@ func newScanCmd(ctx context.Context, dockerCli command.Cli) *cobra.Command {
 	cmd.Flags().BoolVar(&flags.forceOptIn, "accept-license", false, "Accept using a third party scanning provider")
 	cmd.Flags().BoolVar(&flags.forceOptOut, "reject-license", false, "Reject using a third party scanning provider")
 	cmd.Flags().StringVar(&flags.severity, "severity", "", "Only report vulnerabilities of provided level or higher (low|medium|high)")
+	cmd.Flags().BoolVar(&flags.groupIssues, "group-issues", false, "Aggregate duplicated vulnerabilities and group them to a single one (requires --json)")
 
 	return cmd
 }
@@ -116,6 +118,11 @@ func configureProvider(ctx context.Context, dockerCli command.Streams, flags opt
 	opts = append(opts, options...)
 	if flags.jsonFormat {
 		opts = append(opts, provider.WithJSON())
+		if flags.groupIssues {
+			opts = append(opts, provider.WithGroupIssues())
+		}
+	} else if flags.groupIssues {
+		return nil, fmt.Errorf("--json flag is mandatory to use --group-issues flag")
 	}
 	if flags.dockerFilePath != "" {
 		opts = append(opts, provider.WithDockerFile(flags.dockerFilePath))

e2e/scan_test.go

@@ -301,6 +301,44 @@ func TestScanWithSeverityBadValue(t *testing.T) {
 		Err:      "--severity takes only 'low', 'medium' or 'high' values"})
 }
 
+func TestScanWithJsonAndGroupIssues(t *testing.T) {
+	if runtime.GOOS == "windows" || runtime.GOOS == "darwin" {
+		t.Skip("Can't run on this ci platform (windows containers or no engine installed)")
+	}
+	_, cleanFunction := createSnykConfFile(t, os.Getenv("E2E_TEST_AUTH_TOKEN"))
+	defer cleanFunction()
+
+	cmd, configDir, cleanup := dockerCli.createTestCmd()
+	defer cleanup()
+
+	createScanConfigFile(t, configDir)
+
+	cmd.Command = dockerCli.Command("scan", "--accept-license", "--json", "--group-issues", ImageWithVulnerabilities)
+	output := icmd.RunCmd(cmd).Assert(t, icmd.Expected{ExitCode: 1}).Combined()
+	assert.Assert(t, strings.Contains(output, "vulnerable dependency paths")) // beginning of the dependency tree
+	assert.Assert(t, strings.Contains(output, `"from": [
+        [
+          "docker-image|alpine@3.10.0",`))
+}
+
+func TestScanWithGroupIssues(t *testing.T) {
+	if runtime.GOOS == "windows" || runtime.GOOS == "darwin" {
+		t.Skip("Can't run on this ci platform (windows containers or no engine installed)")
+	}
+	_, cleanFunction := createSnykConfFile(t, os.Getenv("E2E_TEST_AUTH_TOKEN"))
+	defer cleanFunction()
+
+	cmd, configDir, cleanup := dockerCli.createTestCmd()
+	defer cleanup()
+
+	createScanConfigFile(t, configDir)
+
+	cmd.Command = dockerCli.Command("scan", "--accept-license", "--group-issues", ImageBaseImageVulnerabilities)
+	icmd.RunCmd(cmd).Assert(t, icmd.Expected{
+		ExitCode: 1,
+		Err:      "--json flag is mandatory to use --group-issues flag"})
+}
+
 func createSnykConfFile(t *testing.T, token string) (*fs.Dir, func()) {
 	content := fmt.Sprintf(`{"api" : "%s"}`, token)
 	homeDir := fs.NewDir(t, t.Name(),

e2e/testdata/plugin-usage.golden

@@ -10,6 +10,8 @@ Options:
                           (requires --file)
   -f, --file string       Dockerfile associated with image, provides more
                           detailed results
+      --group-issues      Aggregate duplicated vulnerabilities and group
+                          them to a single one (requires --json)
       --json              Output results in JSON format
       --login             Authenticate to the scan provider using an
                           optional token (with --token), or web base

internal/provider/snyk.go

@@ -144,6 +144,14 @@ func WithSeverity(severity string) SnykProviderOps {
 	}
 }
 
+// WithGroupIssues groups same issues in a single one when using --json flag
+func WithGroupIssues() SnykProviderOps {
+	return func(provider *snykProvider) error {
+		provider.flags = append(provider.flags, "--group-issues")
+		return nil
+	}
+}
+
 func (s *snykProvider) Authenticate(token string) error {
 	if token != "" {
 		if _, err := uuid.Parse(token); err != nil {

vars.mk

@@ -1,5 +1,5 @@
 # Pinned Versions
-SNYK_DESKTOP_VERSION=1.424.4
+SNYK_DESKTOP_VERSION=1.432.0
 SNYK_USER_VERSION=1.425.0
 SNYK_OLD_VERSION=1.382.1
 GO_VERSION=1.15.0