diff --git a/README.md b/README.md
index 445c871a..953bc4a5 100644
--- a/README.md
+++ b/README.md
@@ -136,6 +136,7 @@ The inputs `image`, `path`, and `sbom` are mutually exclusive to specify the sou
 | `only-fixed` | Specify whether to only report vulnerabilities that have a fix available. | `false` |
 | `add-cpes-if-none` | Specify whether to autogenerate missing CPEs. | `false` |
 | `by-cve` | Specify whether to orient results by CVE rather than GHSA. | `false` |
+| `show-suppressed` | Specify whether to include suppressed (ignored) vulnerabilities in the results. | `false` |
 | `vex` | Specify a list of VEX documents to consider when producing scanning results. | `false` |
 | `cache-db` | Cache the Grype DB in GitHub action cache and restore before checking for updates | `false` |
 | `grype-version` | An optional Grype version to download, defaults to the pinned version in [GrypeVersion.js](GrypeVersion.js). | |
diff --git a/action.js b/action.js
index 4258b27c..29b535b0 100644
--- a/action.js
+++ b/action.js
@@ -132,6 +132,7 @@ async function run() {
 const onlyFixed = core.getInput("only-fixed") || "false";
 const addCpesIfNone = core.getInput("add-cpes-if-none") || "false";
 const byCve = core.getInput("by-cve") || "false";
+ const showSuppressed = core.getInput("show-suppressed") || "false";
 const vex = core.getInput("vex") || "";
 const configFile = core.getInput("config") || "";
 const cacheDb = core.getInput("cache-db") || "false";
@@ -145,6 +146,7 @@ async function run() {
 outputFormat,
 addCpesIfNone,
 byCve,
+ showSuppressed,
 vex,
 configFile,
 cacheDb,
@@ -296,6 +298,7 @@ async function runScan({
 outputFormat,
 addCpesIfNone,
 byCve,
+ showSuppressed,
 vex,
 configFile,
 cacheDb = "false",
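Review bot: `const showSuppressed = core.getInput("show-suppressed") || "false";` combined with the `.toLowerCase() === "true"` normalization in the later hunk means any value other than a case variant of `true` (a typo such as `ture`, or `1`/`yes`) silently disables the option instead of failing the step. This mirrors how the existing boolean inputs are read, so changing only this one would be inconsistent, but `core.getBooleanInput("show-suppressed")` from @actions/core throws on anything outside the `true`/`false` variants and would surface the misconfiguration; since action.yml in this same diff defaults the input to `"false"`, the input is never empty in a real run. Worth a follow-up that converts all the boolean inputs together. run()'s body continues outside the hunk.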
@@ -340,6 +343,7 @@ async function runScan({
 onlyFixed = onlyFixed.toLowerCase() === "true";
 addCpesIfNone = addCpesIfNone.toLowerCase() === "true";
 byCve = byCve.toLowerCase() === "true";
+ showSuppressed = showSuppressed.toLowerCase() === "true";
 cacheDb = cacheDb.toLowerCase() === "true" && cache.isFeatureAvailable();
 
 cmdArgs.push("-o", outputFormat);
@@ -391,6 +395,7 @@ async function runScan({
 core.debug("Only Fixed: " + onlyFixed);
 core.debug("Add Missing CPEs: " + addCpesIfNone);
 core.debug("Orient by CVE: " + byCve);
+ core.debug("Show Suppressed: " + showSuppressed);
 core.debug("Output Format: " + outputFormat);
 core.debug("Cache DB: " + cacheDb);
 
@@ -410,6 +415,9 @@ async function runScan({
 if (byCve === true) {
 cmdArgs.push("--by-cve");
 }
+ if (showSuppressed === true) {
+ cmdArgs.push("--show-suppressed");
+ }
 if (vex) {
 cmdArgs.push("--vex");
 cmdArgs.push(vex);
diff --git a/action.yml b/action.yml
index 5fdd0142..709ecca5 100644
--- a/action.yml
+++ b/action.yml
@@ -40,6 +40,10 @@ inputs:
 description: "Specify whether to orient results by CVE rather than GHSA. Default is false."
 required: false
 default: "false"
+ show-suppressed:
+ description: "Specify whether to include suppressed (ignored) vulnerabilities in the results. Default is false."
+ required: false
+ default: "false"
 grype-version:
 description: "A specific version of Grype to install"
 required: false
diff --git a/dist/index.js b/dist/index.js
index 35c98213..74422a11 100644
--- a/dist/index.js
+++ b/dist/index.js
@@ -65028,6 +65028,7 @@ async function run() {
 const onlyFixed = getInput("only-fixed") || "false";
 const addCpesIfNone = getInput("add-cpes-if-none") || "false";
 const byCve = getInput("by-cve") || "false";
+ const showSuppressed = getInput("show-suppressed") || "false";
 const vex = getInput("vex") || "";
 const configFile = getInput("config") || "";
 const cacheDb = getInput("cache-db") || "false";
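Review bot: `cmdArgs.push("--show-suppressed")` in the `@@ -410` hunk is emitted for every output format, but as I recall Grype's own help text, `--show-suppressed` only affects the table output format; with this action's default SARIF output (and with `json`, where, if I remember the schema correctly, ignored matches already appear under their own key regardless), setting `show-suppressed: true` would change nothing, and a user uploading SARIF to code scanning could wrongly believe suppressed findings are now visible there. Please confirm against the pinned Grype version and, if that holds, say so in the action.yml hunk of this diff, e.g. `description: "Specify whether to include suppressed (ignored) vulnerabilities in the results; Grype honours this for table output only. Default is false."`, with the same caveat in the README table row. It is also not visible from these hunks whether shown-suppressed findings feed the fail-build / severity-cutoff decision, so a sentence in the description stating that they do not change the pass/fail outcome (if that is the case) would avoid surprises. runScan's body continues outside the hunk.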
@@ -65041,6 +65042,7 @@ async function run() {
 outputFormat,
 addCpesIfNone,
 byCve,
+ showSuppressed,
 vex,
 configFile,
 cacheDb
@@ -65161,6 +65163,7 @@ async function runScan({
 outputFormat,
 addCpesIfNone,
 byCve,
+ showSuppressed,
 vex,
 configFile,
 cacheDb = "false"
@@ -65199,6 +65202,7 @@ async function runScan({
 onlyFixed = onlyFixed.toLowerCase() === "true";
 addCpesIfNone = addCpesIfNone.toLowerCase() === "true";
 byCve = byCve.toLowerCase() === "true";
+ showSuppressed = showSuppressed.toLowerCase() === "true";
 cacheDb = cacheDb.toLowerCase() === "true" && isFeatureAvailable();
 cmdArgs.push("-o", outputFormat);
 if (!outputFile) {
@@ -65234,6 +65238,7 @@ async function runScan({
 debug("Only Fixed: " + onlyFixed);
 debug("Add Missing CPEs: " + addCpesIfNone);
 debug("Orient by CVE: " + byCve);
+ debug("Show Suppressed: " + showSuppressed);
 debug("Output Format: " + outputFormat);
 debug("Cache DB: " + cacheDb);
 debug("Creating options for GRYPE analyzer");
@@ -65250,6 +65255,9 @@ async function runScan({
 if (byCve === true) {
 cmdArgs.push("--by-cve");
 }
+ if (showSuppressed === true) {
+ cmdArgs.push("--show-suppressed");
+ }
 if (vex) {
 cmdArgs.push("--vex");
 cmdArgs.push(vex);
diff --git a/tests/grype_command.test.js b/tests/grype_command.test.js
index 7687c2e0..fe0f2abc 100644
--- a/tests/grype_command.test.js
+++ b/tests/grype_command.test.js
@@ -155,6 +155,31 @@ describe(
 ]);
 });
 
+ it("shows suppressed vulnerabilities if requested", async () => {
+ const args = await mockRun({
+ image: "asdf",
+ "fail-build": "false",
+ "output-file": "the-output-file",
+ "output-format": "json",
+ "severity-cutoff": "low",
+ "only-fixed": "false",
+ "add-cpes-if-none": "false",
+ "by-cve": "false",
+ "show-suppressed": "true",
+ });
+ assert.deepEqual(args, [
+ "-v",
+ "-o",
+ "json",
+ "--file",
+ "the-output-file",
+ "--fail-on",
+ "low",
+ "--show-suppressed",
+ "asdf",
+ ]);
+ });
+
 it("with path by cve", async () => {
 const args = await mockRun({
 path: "asdf",
diff --git a/tests/sarif_output.test.js b/tests/sarif_output.test.js
index f19cd058..21a441d6 100644
--- a/tests/sarif_output.test.js
+++ b/tests/sarif_output.test.js
@@ -42,6 +42,7 @@ const testSource = async (source, vulnerabilities) => {
 onlyFixed: "false",
 addCpesIfNone: "false",
 byCve: "false",
+ showSuppressed: "false",
 });
 
 // expect to get sarif output