feat: include file location in table output (#1199)

grype/presenter/internal/test_helpers.go

@@ -38,7 +38,7 @@ func GenerateAnalysis(t *testing.T, scheme SyftSource) (*sbom.SBOM, match.Matche
 
 	grypePackages := pkg.FromCollection(s.Artifacts.Packages, pkg.SynthesisConfig{})
 
-	matches := generateMatches(t, grypePackages[0], grypePackages[1])
+	matches := generateMatches(t, grypePackages[0], grypePackages[1], grypePackages[2])
 	context := generateContext(t, scheme)
 
 	return s, matches, grypePackages, context, models.NewMetadataMock(), nil, nil
@@ -55,7 +55,7 @@ func GenerateAnalysisWithIgnoredMatches(t *testing.T, scheme SyftSource) (match.
 
 	grypePackages := pkg.FromCollection(s.Artifacts.Packages, pkg.SynthesisConfig{})
 
-	matches := generateMatches(t, grypePackages[0], grypePackages[1])
+	matches := generateMatches(t, grypePackages[0], grypePackages[1], grypePackages[2])
 	ignoredMatches := generateIgnoredMatches(t, grypePackages[1])
 	context := generateContext(t, scheme)
 
@@ -75,7 +75,7 @@ func Redact(s []byte) []byte {
 	return s
 }
 
-func generateMatches(t *testing.T, p1, p2 pkg.Package) match.Matches {
+func generateMatches(t *testing.T, p1, p2, p3 pkg.Package) match.Matches {
 	t.Helper()
 
 	matches := []match.Match{
@@ -120,6 +120,21 @@ func generateMatches(t *testing.T, p1, p2 pkg.Package) match.Matches {
 					SearchedBy: map[string]interface{}{
 						"cpe": "somecpe",
 					},
+					Found: map[string]interface{}{"constraint": "somecpe"},
+				},
+			},
+		},
+		{
+			Vulnerability: vulnerability.Vulnerability{
+				ID:        "CVE-1999-0003",
+				Namespace: "source-3",
+			},
+			Package: p3,
+			Details: []match.Detail{
+				{
+					Type:       match.ExactIndirectMatch,
+					Matcher:    match.JavascriptMatcher,
+					SearchedBy: map[string]interface{}{"cpe": "somecpe"},
 					Found: map[string]interface{}{
 						"constraint": "somecpe",
 					},
@@ -218,6 +233,7 @@ func generateIgnoredMatches(t *testing.T, p pkg.Package) []match.IgnoredMatch {
 	}
 }
 
+//nolint:funlen
 func generatePackages(t *testing.T) []syftPkg.Package {
 	t.Helper()
 	epoch := 2
@@ -265,6 +281,27 @@ func generatePackages(t *testing.T) []syftPkg.Package {
 				syftPkg.NewLicense("Apache-2.0"),
 			),
 		},
+		{
+			Name:      "package-3",
+			Version:   "3.3.3",
+			Type:      syftPkg.NpmPkg,
+			Locations: file.NewLocationSet(file.NewVirtualLocation("/foo/bar/somefile-3.txt", "somefile-3.txt")),
+			CPEs: []cpe.CPE{
+				{
+					Attributes: cpe.Attributes{
+						Part:     "a",
+						Vendor:   "anchore",
+						Product:  "engine",
+						Version:  "3.3.3",
+						Language: "python",
+					},
+				},
+			},
+			Licenses: syftPkg.NewLicenseSet(
+				syftPkg.NewLicense("MIT"),
+				syftPkg.NewLicense("Apache-2.0"),
+			),
+		},
 	}
 
 	for i := range pkgs {

grype/presenter/json/test-fixtures/snapshot/TestJsonDirsPresenter.golden

@@ -127,6 +127,69 @@
     "purl": "",
     "upstreams": []
    }
+  },
+  {
+   "vulnerability": {
+    "id": "CVE-1999-0003",
+    "dataSource": "",
+    "severity": "High",
+    "urls": [],
+    "description": "1999-03 description",
+    "cvss": [
+     {
+      "version": "3.0",
+      "vector": "vector",
+      "metrics": {
+       "baseScore": 1,
+       "exploitabilityScore": 2,
+       "impactScore": 3
+      },
+      "vendorMetadata": {
+       "BaseSeverity": "Low",
+       "Status": "verified"
+      }
+     }
+    ],
+    "fix": {
+     "versions": [],
+     "state": ""
+    },
+    "advisories": []
+   },
+   "relatedVulnerabilities": [],
+   "matchDetails": [
+    {
+     "type": "exact-indirect-match",
+     "matcher": "javascript-matcher",
+     "searchedBy": {
+      "cpe": "somecpe"
+     },
+     "found": {
+      "constraint": "somecpe"
+     }
+    }
+   ],
+   "artifact": {
+    "id": "f45d1ab14d63730d",
+    "name": "package-3",
+    "version": "3.3.3",
+    "type": "npm",
+    "locations": [
+     {
+      "path": "/foo/bar/somefile-3.txt"
+     }
+    ],
+    "language": "",
+    "licenses": [
+     "MIT",
+     "Apache-2.0"
+    ],
+    "cpes": [
+     "cpe:2.3:a:anchore:engine:3.3.3:*:*:python:*:*:*:*"
+    ],
+    "purl": "",
+    "upstreams": []
+   }
   }
  ],
  "source": {

grype/presenter/json/test-fixtures/snapshot/TestJsonImgsPresenter.golden

@@ -127,6 +127,69 @@
     "purl": "",
     "upstreams": []
    }
+  },
+  {
+   "vulnerability": {
+    "id": "CVE-1999-0003",
+    "dataSource": "",
+    "severity": "High",
+    "urls": [],
+    "description": "1999-03 description",
+    "cvss": [
+     {
+      "version": "3.0",
+      "vector": "vector",
+      "metrics": {
+       "baseScore": 1,
+       "exploitabilityScore": 2,
+       "impactScore": 3
+      },
+      "vendorMetadata": {
+       "BaseSeverity": "Low",
+       "Status": "verified"
+      }
+     }
+    ],
+    "fix": {
+     "versions": [],
+     "state": ""
+    },
+    "advisories": []
+   },
+   "relatedVulnerabilities": [],
+   "matchDetails": [
+    {
+     "type": "exact-indirect-match",
+     "matcher": "javascript-matcher",
+     "searchedBy": {
+      "cpe": "somecpe"
+     },
+     "found": {
+      "constraint": "somecpe"
+     }
+    }
+   ],
+   "artifact": {
+    "id": "f45d1ab14d63730d",
+    "name": "package-3",
+    "version": "3.3.3",
+    "type": "npm",
+    "locations": [
+     {
+      "path": "/foo/bar/somefile-3.txt"
+     }
+    ],
+    "language": "",
+    "licenses": [
+     "MIT",
+     "Apache-2.0"
+    ],
+    "cpes": [
+     "cpe:2.3:a:anchore:engine:3.3.3:*:*:python:*:*:*:*"
+    ],
+    "purl": "",
+    "upstreams": []
+   }
   }
  ],
  "source": {

grype/presenter/models/document_test.go

@@ -31,14 +31,21 @@ func TestPackagesAreSorted(t *testing.T) {
 		Type:    syftPkg.DebPkg,
 	}
 
+	var pkg3 = pkg.Package{
+		ID:      "package-3-id",
+		Name:    "package-3",
+		Version: "3.3.3",
+		Type:    syftPkg.NpmPkg,
+	}
+
 	var match1 = match.Match{
 		Vulnerability: vulnerability.Vulnerability{
 			ID: "CVE-1999-0003",
 		},
-		Package: pkg1,
+		Package: pkg3,
 		Details: match.Details{
 			{
-				Type: match.ExactDirectMatch,
+				Type: match.ExactIndirectMatch,
 			},
 		},
 	}
@@ -47,7 +54,7 @@ func TestPackagesAreSorted(t *testing.T) {
 		Vulnerability: vulnerability.Vulnerability{
 			ID: "CVE-1999-0002",
 		},
-		Package: pkg1,
+		Package: pkg2,
 		Details: match.Details{
 			{
 				Type: match.ExactIndirectMatch,
@@ -70,7 +77,7 @@ func TestPackagesAreSorted(t *testing.T) {
 	matches := match.NewMatches()
 	matches.Add(match1, match2, match3)
 
-	packages := []pkg.Package{pkg1, pkg2}
+	packages := []pkg.Package{pkg1, pkg2, pkg3}
 
 	ctx := pkg.Context{
 		Source: &syftSource.Description{

grype/presenter/models/metadata_mock.go

@@ -15,6 +15,8 @@ type MockVendorMetadata struct {
 }
 
 // NewMetadataMock returns a new instance of MetadataMock.
+//
+//nolint:funlen
 func NewMetadataMock() *MetadataMock {
 	return &MetadataMock{
 		store: map[string]map[string]vulnerability.Metadata{
@@ -55,9 +57,24 @@ func NewMetadataMock() *MetadataMock {
 				},
 			},
 			"CVE-1999-0003": {
-				"source-1": {
+				"source-3": {
 					Description: "1999-03 description",
 					Severity:    "High",
+					Cvss: []vulnerability.Cvss{
+						{
+							Metrics: vulnerability.NewCvssMetrics(
+								1,
+								2,
+								3,
+							),
+							Vector:  "vector",
+							Version: "3.0",
+							VendorMetadata: MockVendorMetadata{
+								BaseSeverity: "Low",
+								Status:       "verified",
+							},
+						},
+					},
 				},
 			},
 			"CVE-1999-0004": {

grype/presenter/sarif/presenter_test.go

@@ -221,6 +221,7 @@ func TestToSarifReport(t *testing.T) {
 			locations: map[string]string{
 				"CVE-1999-0001-package-1": "/some/path/somefile-1.txt",
 				"CVE-1999-0002-package-2": "/some/path/somefile-2.txt",
+				"CVE-1999-0003-package-3": "/some/path/somefile-3.txt",
 			},
 		},
 		{
@@ -229,6 +230,7 @@ func TestToSarifReport(t *testing.T) {
 			locations: map[string]string{
 				"CVE-1999-0001-package-1": "image/somefile-1.txt",
 				"CVE-1999-0002-package-2": "image/somefile-2.txt",
+				"CVE-1999-0003-package-3": "image/somefile-3.txt",
 			},
 		},
 	}
@@ -260,11 +262,12 @@ func TestToSarifReport(t *testing.T) {
 
 			// Sorted by vulnID, pkg name, ...
 			run := report.Runs[0]
-			assert.Len(t, run.Tool.Driver.Rules, 2)
+			assert.Len(t, run.Tool.Driver.Rules, 3)
 			assert.Equal(t, "CVE-1999-0001-package-1", run.Tool.Driver.Rules[0].ID)
 			assert.Equal(t, "CVE-1999-0002-package-2", run.Tool.Driver.Rules[1].ID)
+			assert.Equal(t, "CVE-1999-0003-package-3", run.Tool.Driver.Rules[2].ID)
 
-			assert.Len(t, run.Results, 2)
+			assert.Len(t, run.Results, 3)
 			result := run.Results[0]
 			assert.Equal(t, "CVE-1999-0001-package-1", *result.RuleID)
 			assert.Len(t, result.Locations, 1)
@@ -284,6 +287,16 @@ func TestToSarifReport(t *testing.T) {
 				t.Fatalf("no expected location for %s", *result.RuleID)
 			}
 			assert.Equal(t, expectedLocation, *location.PhysicalLocation.ArtifactLocation.URI)
+
+			result = run.Results[2]
+			assert.Equal(t, "CVE-1999-0003-package-3", *result.RuleID)
+			assert.Len(t, result.Locations, 1)
+			location = result.Locations[0]
+			expectedLocation, ok = tc.locations[*result.RuleID]
+			if !ok {
+				t.Fatalf("no expected location for %s", *result.RuleID)
+			}
+			assert.Equal(t, expectedLocation, *location.PhysicalLocation.ArtifactLocation.URI)
 		})
 	}