Pin Grype db for tests & remove Grype log output #120 (#119)

Signed-off-by: Keith Zantow <kzantow@gmail.com>
anchore · Sep 13, 2021 · 6d25cd4 · 6d25cd4
1 parent ef95973
commit 6d25cd4
Show file tree

Hide file tree

Showing 10 changed files with 294 additions and 70 deletions.
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -36,9 +36,13 @@ jobs:
           for distro in alpine centos debian; do
             docker buildx imagetools inspect localhost:5000/match-coverage/$distro:latest
           done
+      - run: |
+          echo Downloading a pinned Grype DB for testing...
+          mkdir -p grype-db/3
+          curl -sL https://toolbox-data.anchore.io/grype/databases/vulnerability-db_v3_2021-09-10T08:18:17Z.tar.gz | tar zxf - -C grype-db/3
       - run: npm ci
       - run: npm audit --production
-      - run: npm test
+      - run: GRYPE_DB_AUTO_UPDATE=false GRYPE_DB_CACHE_DIR=./grype-db npm test
 
   functional:
     runs-on: ubuntu-latest

diff --git a/.gitignore b/.gitignore
@@ -115,6 +115,9 @@ typings/
 /venv/*
 /tests/functional/__pycache__/*
 
+# grype db for tests
+/grype-db
+
 # Action temporary files
 results.sarif
 vulnerabilities.json
diff --git a/.jest/setEnvVars.js b/.jest/setEnvVars.js
@@ -1,2 +1,2 @@
-process.env['RUNNER_TOOL_CACHE'] = '/tmp/actions/cache';
-process.env['RUNNER_TEMP'] = '/tmp/actions/temp';
+process.env["RUNNER_TOOL_CACHE"] = "/tmp/actions/cache";
+process.env["RUNNER_TEMP"] = "/tmp/actions/temp";
diff --git a/README.md b/README.md
@@ -51,7 +51,7 @@ The simplest workflow for scanning a `localbuild/testimage` container:
     load: true
 
  - name: Scan image
-   uses: anchore/scan-action@v2
+   uses: anchore/scan-action@v3
    with:
      image: "localbuild/testimage:latest"
 ```
@@ -62,7 +62,7 @@ To scan a directory, add the following step:
 
 ```yaml
 - name: Scan current project
-  uses: anchore/scan-action@v2
+  uses: anchore/scan-action@v3
   with:
     path: "."
 ```
@@ -77,7 +77,7 @@ With a different severity level:
 
 ```yaml
 - name: Scan image
-  uses: anchore/scan-action@v2
+  uses: anchore/scan-action@v3
   with:
     image: "localbuild/testimage:latest"
     fail-build: true
@@ -88,7 +88,7 @@ Optionally, change the `fail-build` field to `false` to avoid failing the build
 
 ```yaml
 - name: Scan image
-  uses: anchore/scan-action@v2
+  uses: anchore/scan-action@v3
   with:
     image: "localbuild/testimage:latest"
     fail-build: false
@@ -127,7 +127,7 @@ jobs:
       - uses: actions/checkout@v2
       - name: Build the container image
         run: docker build . --file Dockerfile --tag localbuild/testimage:latest
-      - uses: anchore/scan-action@v2
+      - uses: anchore/scan-action@v3
         with:
           image: "localbuild/testimage:latest"
           fail-build: true
@@ -147,7 +147,7 @@ jobs:
       - uses: actions/checkout@v2
       - name: Build the Container image
         run: docker build . --file Dockerfile --tag localbuild/testimage:latest
-      - uses: anchore/scan-action@v2
+      - uses: anchore/scan-action@v3
         id: scan
         with:
           image: "localbuild/testimage:latest"

diff --git a/dist/index.js b/dist/index.js
@@ -9,6 +9,7 @@ const cache = __webpack_require__(784);
 const core = __webpack_require__(186);
 const { exec } = __webpack_require__(514);
 const fs = __webpack_require__(747);
+const stream = __webpack_require__(413);
 
 const grypeBinary = "grype";
 const grypeVersion = "0.17.0";
@@ -502,21 +503,36 @@ async function runScan({
     cmdArgs.push(severityCutoff.toLowerCase());
   }
   cmdArgs.push(source);
-  const cmdOpts = {};
-  cmdOpts.listeners = {
-    stdout: (data = Buffer) => {
-      cmdOutput += data.toString();
+
+  // This /dev/null writable stream is required so the entire Grype output
+  // is not written to the GitHub action log. the listener below
+  // will actually capture the output
+  const outStream = new stream.Writable({
+    write(buffer, encoding, next) {
+      next();
     },
-  };
+  });
 
-  cmdOpts.ignoreReturnCode = true;
+  const cmdOpts = {
+    ignoreReturnCode: true,
+    outStream,
+    listeners: {
+      stdout: (data = Buffer) => {
+        cmdOutput += data.toString();
+      },
+    },
+  };
 
   core.info("\nAnalyzing: " + source);
 
-  const exitCode = await core.group("Grype Output", () => {
-    core.info(`Executing: ${cmd} ` + cmdArgs.join(" "));
-    return exec(cmd, cmdArgs, cmdOpts);
-  });
+  core.info(`Executing: ${cmd} ` + cmdArgs.join(" "));
+
+  const exitCode = await exec(cmd, cmdArgs, cmdOpts);
+
+  if (core.isDebug()) {
+    core.debug("Grype output:");
+    core.debug(cmdOutput);
+  }
 
   let grypeVulnerabilities = JSON.parse(cmdOutput);
 

diff --git a/index.js b/index.js
@@ -2,6 +2,7 @@ const cache = require("@actions/tool-cache");
 const core = require("@actions/core");
 const { exec } = require("@actions/exec");
 const fs = require("fs");
+const stream = require("stream");
 
 const grypeBinary = "grype";
 const grypeVersion = "0.17.0";
@@ -495,21 +496,36 @@ async function runScan({
     cmdArgs.push(severityCutoff.toLowerCase());
   }
   cmdArgs.push(source);
-  const cmdOpts = {};
-  cmdOpts.listeners = {
-    stdout: (data = Buffer) => {
-      cmdOutput += data.toString();
+
+  // This /dev/null writable stream is required so the entire Grype output
+  // is not written to the GitHub action log. the listener below
+  // will actually capture the output
+  const outStream = new stream.Writable({
+    write(buffer, encoding, next) {
+      next();
     },
-  };
+  });
 
-  cmdOpts.ignoreReturnCode = true;
+  const cmdOpts = {
+    ignoreReturnCode: true,
+    outStream,
+    listeners: {
+      stdout: (data = Buffer) => {
+        cmdOutput += data.toString();
+      },
+    },
+  };
 
   core.info("\nAnalyzing: " + source);
 
-  const exitCode = await core.group("Grype Output", () => {
-    core.info(`Executing: ${cmd} ` + cmdArgs.join(" "));
-    return exec(cmd, cmdArgs, cmdOpts);
-  });
+  core.info(`Executing: ${cmd} ` + cmdArgs.join(" "));
+
+  const exitCode = await exec(cmd, cmdArgs, cmdOpts);
+
+  if (core.isDebug()) {
+    core.debug("Grype output:");
+    core.debug(cmdOutput);
+  }
 
   let grypeVulnerabilities = JSON.parse(cmdOutput);
 

diff --git a/jest.config.js b/jest.config.js
@@ -2,5 +2,4 @@ module.exports = {
   setupFiles: ["<rootDir>/.jest/setEnvVars.js"],
   verbose: true,
   testPathIgnorePatterns: ["action.test.js"],
-  reporters: [["jest-summary-reporter", { failuresOnly: false }]],
 };
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -10,6 +10,7 @@
   "scripts": {
     "lint": "eslint index.js",
     "test": "eslint index.js && jest",
+    "update-snapshots": "eslint index.js && jest --updateSnapshot",
     "build": "ncc build ./index.js",
     "precommit": "pretty-quick --staged && npm run build && git add dist/",
     "prettier": "prettier -w index.js"
@@ -40,7 +41,6 @@
     "eslint": "^6.8.0",
     "husky": "^3.1.0",
     "jest": "^25.5.4",
-    "jest-summary-reporter": "0.0.2",
     "prettier": "^2.3.2",
     "pretty-quick": "^3.1.1"
   }