feat: add report summary table (aquasecurity#8177)

Signed-off-by: knqyf263 <[email protected]>
Co-authored-by: DmitriyLewen <[email protected]>
Co-authored-by: DmitriyLewen <[email protected]>

Author: 2 people

docs/docs/configuration/reporting.md

@@ -51,6 +51,7 @@ trivy config [flags] DIR
       --skip-check-update                 skip fetching rego check updates
       --skip-dirs strings                 specify the directories or glob patterns to skip
       --skip-files strings                specify the files or glob patterns to skip
+      --table-mode strings                [EXPERIMENTAL] tables that will be displayed in 'table' format (summary,detailed) (default [summary,detailed])
   -t, --template string                   output template
       --tf-exclude-downloaded-modules     exclude misconfigurations for downloaded terraform modules
       --tf-vars strings                   specify paths to override the Terraform tfvars files

docs/docs/references/configuration/cli/trivy_config.md

@@ -30,8 +30,10 @@ trivy convert [flags] RESULT_JSON
   -o, --output string              output file name
       --output-plugin-arg string   [EXPERIMENTAL] output plugin arguments
       --report string              specify a report format for the output (all,summary) (default "all")
+      --scanners strings           List of scanners included when generating the json report. Used only for rendering the summary table. (vuln,misconfig,secret,license)
   -s, --severity strings           severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
       --show-suppressed            [EXPERIMENTAL] show suppressed vulnerabilities
+      --table-mode strings         [EXPERIMENTAL] tables that will be displayed in 'table' format (summary,detailed) (default [summary,detailed])
   -t, --template string            output template
 ```
 

docs/docs/references/configuration/cli/trivy_convert.md

@@ -92,6 +92,7 @@ trivy filesystem [flags] PATH
       --skip-files strings                specify the files or glob patterns to skip
       --skip-java-db-update               skip updating Java index database
       --skip-vex-repo-update              [EXPERIMENTAL] Skip VEX Repository update
+      --table-mode strings                [EXPERIMENTAL] tables that will be displayed in 'table' format (summary,detailed) (default [summary,detailed])
   -t, --template string                   output template
       --tf-exclude-downloaded-modules     exclude misconfigurations for downloaded terraform modules
       --tf-vars strings                   specify paths to override the Terraform tfvars files

docs/docs/references/configuration/cli/trivy_filesystem.md

@@ -114,6 +114,7 @@ trivy image [flags] IMAGE_NAME
       --skip-files strings                specify the files or glob patterns to skip
       --skip-java-db-update               skip updating Java index database
       --skip-vex-repo-update              [EXPERIMENTAL] Skip VEX Repository update
+      --table-mode strings                [EXPERIMENTAL] tables that will be displayed in 'table' format (summary,detailed) (default [summary,detailed])
   -t, --template string                   output template
       --tf-exclude-downloaded-modules     exclude misconfigurations for downloaded terraform modules
       --token string                      for authentication in client/server mode

docs/docs/references/configuration/cli/trivy_image.md

@@ -90,6 +90,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
       --skip-files strings                specify the files or glob patterns to skip
       --skip-java-db-update               skip updating Java index database
       --skip-vex-repo-update              [EXPERIMENTAL] Skip VEX Repository update
+      --table-mode strings                [EXPERIMENTAL] tables that will be displayed in 'table' format (summary,detailed) (default [summary,detailed])
       --tag string                        pass the tag name to be scanned
   -t, --template string                   output template
       --tf-exclude-downloaded-modules     exclude misconfigurations for downloaded terraform modules

docs/docs/references/configuration/cli/trivy_repository.md

@@ -93,6 +93,7 @@ trivy rootfs [flags] ROOTDIR
       --skip-files strings                specify the files or glob patterns to skip
       --skip-java-db-update               skip updating Java index database
       --skip-vex-repo-update              [EXPERIMENTAL] Skip VEX Repository update
+      --table-mode strings                [EXPERIMENTAL] tables that will be displayed in 'table' format (summary,detailed) (default [summary,detailed])
   -t, --template string                   output template
       --tf-exclude-downloaded-modules     exclude misconfigurations for downloaded terraform modules
       --tf-vars strings                   specify paths to override the Terraform tfvars files

docs/docs/references/configuration/cli/trivy_rootfs.md

@@ -68,6 +68,7 @@ trivy sbom [flags] SBOM_PATH
       --skip-files strings             specify the files or glob patterns to skip
       --skip-java-db-update            skip updating Java index database
       --skip-vex-repo-update           [EXPERIMENTAL] Skip VEX Repository update
+      --table-mode strings             [EXPERIMENTAL] tables that will be displayed in 'table' format (summary,detailed) (default [summary,detailed])
   -t, --template string                output template
       --token string                   for authentication in client/server mode
       --token-header string            specify a header name for token in client/server mode (default "Trivy-Token")

docs/docs/references/configuration/cli/trivy_sbom.md

@@ -81,6 +81,7 @@ trivy vm [flags] VM_IMAGE
       --skip-files strings                specify the files or glob patterns to skip
       --skip-java-db-update               skip updating Java index database
       --skip-vex-repo-update              [EXPERIMENTAL] Skip VEX Repository update
+      --table-mode strings                [EXPERIMENTAL] tables that will be displayed in 'table' format (summary,detailed) (default [summary,detailed])
   -t, --template string                   output template
       --tf-exclude-downloaded-modules     exclude misconfigurations for downloaded terraform modules
       --token string                      for authentication in client/server mode

docs/docs/references/configuration/cli/trivy_vm.md

@@ -553,6 +553,11 @@ severity:
  - HIGH
  - CRITICAL
 
+# Same as '--table-mode'
+table-mode:
+ - summary
+ - detailed
+
 # Same as '--template'
 template: ""
 

docs/docs/references/configuration/config-file.md

@@ -16,10 +16,6 @@
     }
   },
   "Results": [
-    {
-      "Target": "OS Packages",
-      "Class": "license"
-    },
     {
       "Target": "Java",
       "Class": "license",
@@ -30,6 +26,7 @@
           "PkgName": "org.eclipse.sisu:org.eclipse.sisu.plexus",
           "FilePath": "",
           "Name": "EPL-1.0",
+          "Text": "",
           "Confidence": 1,
           "Link": ""
         },
@@ -39,6 +36,7 @@
           "PkgName": "org.ow2.asm:asm",
           "FilePath": "",
           "Name": "BSD-3-Clause",
+          "Text": "",
           "Confidence": 1,
           "Link": ""
         },
@@ -48,18 +46,11 @@
           "PkgName": "org.slf4j:slf4j-api",
           "FilePath": "",
           "Name": "MIT License",
+          "Text": "",
           "Confidence": 1,
           "Link": ""
         }
       ]
-    },
-    {
-      "Target": "pom.xml",
-      "Class": "license"
-    },
-    {
-      "Target": "Loose File License(s)",
-      "Class": "license-file"
     }
   ]
 }

integration/testdata/license-cyclonedx.json.golden

@@ -520,6 +520,13 @@ func NewConvertCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
 		ReportFlagGroup: flag.NewReportFlagGroup(),
 	}
 
+	// To display the summary table, we need to enable scanners (to build columns).
+	// We can't get scanner information from the report (we don't include empty licenses and secrets in the report).
+	// So we need to ask the user to configure scanners (if needed).
+	convertFlags.ScanFlagGroup.Scanners = flag.ScannersFlag.Clone()
+	convertFlags.ScanFlagGroup.Scanners.Default = nil // disable default scanners
+	convertFlags.ScanFlagGroup.Scanners.Usage = "List of scanners included when generating the json report. Used only for rendering the summary table."
+
 	cmd := &cobra.Command{
 		Use:     "convert [flags] RESULT_JSON",
 		Aliases: []string{"conv"},
@@ -977,6 +984,7 @@ func NewKubernetesCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
 	}
 	reportFlagGroup.Compliance = compliance // override usage as the accepted values differ for each subcommand.
 	reportFlagGroup.ExitOnEOL = nil         // disable '--exit-on-eol'
+	reportFlagGroup.TableMode = nil         // disable '--table-mode'
 
 	formatFlag := flag.FormatFlag.Clone()
 	formatFlag.Values = xstrings.ToStringSlice([]types.Format{

pkg/commands/app.go

@@ -4,7 +4,9 @@ import (
 	"context"
 	"encoding/json"
 	"os"
+	"slices"
 
+	"github.com/samber/lo"
 	"golang.org/x/xerrors"
 
 	"github.com/aquasecurity/trivy/pkg/commands/operation"
@@ -18,6 +20,7 @@ import (
 )
 
 func Run(ctx context.Context, opts flag.Options) (err error) {
+	logger := log.WithPrefix("convert")
 	ctx, cancel := context.WithTimeout(ctx, opts.Timeout)
 	defer cancel()
 
@@ -42,7 +45,14 @@ func Run(ctx context.Context, opts flag.Options) (err error) {
 		return xerrors.Errorf("unable to filter results: %w", err)
 	}
 
-	log.Debug("Writing report to output...")
+	if len(opts.Scanners) == 0 && opts.Format == types.FormatTable && slices.Contains(opts.TableModes, types.Summary) {
+		logger.Info("To display the summary table, enable the scanners used during JSON report generation.")
+		opts.TableModes = lo.Filter(opts.TableModes, func(mode types.TableMode, _ int) bool {
+			return mode != types.Summary
+		})
+	}
+
+	logger.Debug("Writing report to output...")
 	if err = report.Write(ctx, r, opts); err != nil {
 		return xerrors.Errorf("unable to write results: %w", err)
 	}

pkg/commands/convert/run.go

@@ -460,6 +460,7 @@ func (o *Options) ScanOpts() types.ScanOptions {
 		ImageConfigScanners: o.ImageConfigScanners, // this is valid only for 'image' subcommand
 		ScanRemovedPackages: o.ScanRemovedPkgs,     // this is valid only for 'image' subcommand
 		LicenseCategories:   o.LicenseCategories,
+		LicenseFull:         o.LicenseFull,
 		FilePatterns:        o.FilePatterns,
 		IncludeDevDeps:      o.IncludeDevDeps,
 		Distro:              o.Distro,

pkg/flag/options.go

@@ -109,6 +109,13 @@ var (
 		ConfigName: "scan.show-suppressed",
 		Usage:      "[EXPERIMENTAL] show suppressed vulnerabilities",
 	}
+	TableModeFlag = Flag[[]string]{
+		Name:       "table-mode",
+		ConfigName: "table-mode",
+		Default:    xstrings.ToStringSlice(types.SupportedTableModes),
+		Values:     xstrings.ToStringSlice(types.SupportedTableModes),
+		Usage:      "[EXPERIMENTAL] tables that will be displayed in 'table' format",
+	}
 )
 
 // ReportFlagGroup composes common printer flag structs
@@ -128,6 +135,7 @@ type ReportFlagGroup struct {
 	Severity        *Flag[[]string]
 	Compliance      *Flag[string]
 	ShowSuppressed  *Flag[bool]
+	TableMode       *Flag[[]string]
 }
 
 type ReportOptions struct {
@@ -145,6 +153,7 @@ type ReportOptions struct {
 	Severities       []dbTypes.Severity
 	Compliance       spec.ComplianceSpec
 	ShowSuppressed   bool
+	TableModes       []types.TableMode
 }
 
 func NewReportFlagGroup() *ReportFlagGroup {
@@ -163,6 +172,7 @@ func NewReportFlagGroup() *ReportFlagGroup {
 		Severity:        SeverityFlag.Clone(),
 		Compliance:      ComplianceFlag.Clone(),
 		ShowSuppressed:  ShowSuppressedFlag.Clone(),
+		TableMode:       TableModeFlag.Clone(),
 	}
 }
 
@@ -186,6 +196,7 @@ func (f *ReportFlagGroup) Flags() []Flagger {
 		f.Severity,
 		f.Compliance,
 		f.ShowSuppressed,
+		f.TableMode,
 	}
 }
 
@@ -198,6 +209,7 @@ func (f *ReportFlagGroup) ToOptions() (ReportOptions, error) {
 	template := f.Template.Value()
 	dependencyTree := f.DependencyTree.Value()
 	listAllPkgs := f.ListAllPkgs.Value()
+	tableModes := f.TableMode.Value()
 
 	if template != "" {
 		if format == "" {
@@ -227,6 +239,11 @@ func (f *ReportFlagGroup) ToOptions() (ReportOptions, error) {
 		}
 	}
 
+	// "--table-mode" option is available only with "--format table".
+	if viper.IsSet(TableModeFlag.ConfigName) && format != types.FormatTable {
+		return ReportOptions{}, xerrors.New(`"--table-mode" can be used only with "--format table".`)
+	}
+
 	cs, err := loadComplianceTypes(f.Compliance.Value())
 	if err != nil {
 		return ReportOptions{}, xerrors.Errorf("unable to load compliance spec: %w", err)
@@ -259,6 +276,7 @@ func (f *ReportFlagGroup) ToOptions() (ReportOptions, error) {
 		Severities:       toSeverity(f.Severity.Value()),
 		Compliance:       cs,
 		ShowSuppressed:   f.ShowSuppressed.Value(),
+		TableModes:       xstrings.ToTSlice[types.TableMode](tableModes),
 	}, nil
 }
 

pkg/flag/report_flags.go

@@ -13,6 +13,7 @@ import (
 	iacTypes "github.com/aquasecurity/trivy/pkg/iac/types"
 	"github.com/aquasecurity/trivy/pkg/log"
 	"github.com/aquasecurity/trivy/pkg/types"
+	xstrings "github.com/aquasecurity/trivy/pkg/x/strings"
 )
 
 func TestReportFlagGroup_ToOptions(t *testing.T) {
@@ -32,11 +33,13 @@ func TestReportFlagGroup_ToOptions(t *testing.T) {
 		compliance       string
 		debug            bool
 		pkgTypes         string
+		tableModes       []string
 	}
 	tests := []struct {
 		name     string
 		fields   fields
 		want     flag.ReportOptions
+		wantErr  string
 		wantLogs []string
 	}{
 		{
@@ -160,6 +163,14 @@ func TestReportFlagGroup_ToOptions(t *testing.T) {
 				Severities: []dbTypes.Severity{dbTypes.SeverityLow},
 			},
 		},
+		{
+			name: "invalid option combination: --table-modes with --format json",
+			fields: fields{
+				format:     "json",
+				tableModes: xstrings.ToStringSlice(types.SupportedTableModes),
+			},
+			wantErr: `"--table-mode" can be used only with "--format table".`,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -184,6 +195,7 @@ func TestReportFlagGroup_ToOptions(t *testing.T) {
 			setValue(flag.OutputPluginArgFlag.ConfigName, tt.fields.outputPluginArgs)
 			setValue(flag.SeverityFlag.ConfigName, tt.fields.severities)
 			setValue(flag.ComplianceFlag.ConfigName, tt.fields.compliance)
+			setSliceValue(flag.TableModeFlag.ConfigName, tt.fields.tableModes)
 
 			// Assert options
 			f := &flag.ReportFlagGroup{
@@ -199,10 +211,15 @@ func TestReportFlagGroup_ToOptions(t *testing.T) {
 				OutputPluginArg: flag.OutputPluginArgFlag.Clone(),
 				Severity:        flag.SeverityFlag.Clone(),
 				Compliance:      flag.ComplianceFlag.Clone(),
+				TableMode:       flag.TableModeFlag.Clone(),
 			}
 
 			got, err := f.ToOptions()
-			require.NoError(t, err)
+			if tt.wantErr != "" {
+				require.Contains(t, err.Error(), tt.wantErr)
+				return
+			}
+
 			assert.EqualExportedValuesf(t, tt.want, got, "ToOptions()")
 
 			// Assert log messages