Generalized state install CVE report.

Accurately listing all package names being checked would often result in a horrendously long notice. Also, now that `state install` allows multiple arguments, singular "Dependency" is not good grammar.
ActiveState · Dec 24, 2024 · 84cdc94 · 84cdc94
1 parent 41e44c1
commit 84cdc94
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 38 deletions.
diff --git a/internal/locale/locales/en-us.yaml b/internal/locale/locales/en-us.yaml
@@ -1099,7 +1099,7 @@ progress_search:
 progress_platform_search:
   other: "• Searching for platform in the ActiveState Catalog"
 progress_cve_search:
-  other: "• Checking for vulnerabilities (CVEs) on [ACTIONABLE]{{.V0}}[/RESET] and its dependencies"
+  other: "• Checking for vulnerabilities (CVEs)"
 setup_runtime:
   other: "Setting Up Runtime"
 progress_solve:
@@ -1138,13 +1138,13 @@ unstable_feature_banner:
   other: "[NOTICE]Beta Feature: This feature is still in beta and may be unstable.[/RESET]\n"
 warning_vulnerable:
   other: |
-    [ERROR]Warning: Dependency has {{.V0}} direct and {{.V1}} indirect known vulnerabilities (CVEs)[/RESET]
+    [ERROR]Warning: Found {{.V0}} direct and {{.V1}} indirect known vulnerabilities (CVEs)[/RESET]
 warning_vulnerable_indirectonly:
   other: |
-    [ERROR]Warning: Dependency has {{.V0}} indirect known vulnerabilities (CVEs)[/RESET]
+    [ERROR]Warning: Found {{.V0}} indirect known vulnerabilities (CVEs)[/RESET]
 warning_vulnerable_directonly:
   other: |
-    [ERROR]Warning: Dependency has {{.V0}} known vulnerabilities (CVEs)[/RESET]
+    [ERROR]Warning: Found {{.V0}} known vulnerabilities (CVEs)[/RESET]
 cve_critical:
   other: Critical
 cve_high:
@@ -1159,7 +1159,7 @@ disable_prompting_vulnerabilities:
   other: To disable prompting for vulnerabilities run '[ACTIONABLE]state config set security.prompt.enabled false[/RESET]'.
 warning_vulnerable_short:
   other: |
-    [ERROR]Warning:[/RESET] Dependency has [ERROR]{{.V0}} known vulnerabilities (CVEs)[/RESET]. Severity: {{.V1}}. Run '[ACTIONABLE]state security[/RESET]' for more info.
+    [ERROR]Warning:[/RESET] Found [ERROR]{{.V0}} known vulnerabilities (CVEs)[/RESET]. Severity: {{.V1}}. Run '[ACTIONABLE]state security[/RESET]' for more info.
 prompt_continue_pkg_operation:
   other: |
     Do you want to continue installing this dependency despite its vulnerabilities?

diff --git a/internal/runbits/cves/cves.go b/internal/runbits/cves/cves.go
@@ -53,13 +53,15 @@ func (c *CveReport) Report(newBuildPlan *buildplan.BuildPlan, oldBuildPlan *buil
 	}
 
 	var ingredients []*request.Ingredient
+	var names []string
 	for _, change := range changeset.Filter(buildplan.ArtifactAdded) {
 		for _, ing := range change.Artifact.Ingredients {
 			ingredients = append(ingredients, &request.Ingredient{
 				Namespace: ing.Namespace,
 				Name:      ing.Name,
 				Version:   ing.Version,
 			})
+			names = append(names, ing.Name)
 		}
 	}
 
@@ -74,11 +76,11 @@ func (c *CveReport) Report(newBuildPlan *buildplan.BuildPlan, oldBuildPlan *buil
 				Name:      ing.Name,
 				Version:   ing.Version,
 			})
+			names = append(names, ing.Name)
 		}
 	}
 
-	names := changedRequirements(oldBuildPlan, newBuildPlan)
-	pg := output.StartSpinner(c.prime.Output(), locale.Tr("progress_cve_search", strings.Join(names, ", ")), constants.TerminalAnimationInterval)
+	pg := output.StartSpinner(c.prime.Output(), locale.T("progress_cve_search"), constants.TerminalAnimationInterval)
 
 	ingredientVulnerabilities, err := model.FetchVulnerabilitiesForIngredients(c.prime.Auth(), ingredients)
 	if err != nil {
@@ -222,32 +224,6 @@ func (c *CveReport) summarizeCVEs(vulnerabilities model.VulnerableIngredientsByL
 	out.Print("")
 }
 
-func changedRequirements(oldBuildPlan *buildplan.BuildPlan, newBuildPlan *buildplan.BuildPlan) []string {
-	var names []string
-	var oldRequirements buildplan.Requirements
-	if oldBuildPlan != nil {
-		oldRequirements = oldBuildPlan.Requirements()
-	}
-	newRequirements := newBuildPlan.Requirements()
-
-	oldReqs := make(map[string]string)
-	for _, req := range oldRequirements {
-		oldReqs[qualifiedName(req)] = req.Ingredient.Version
-	}
-
-	for _, req := range newRequirements {
-		if req.Namespace == buildplan.NamespaceInternal {
-			continue
-		}
-		if version, exists := oldReqs[qualifiedName(req)]; exists && version == req.Ingredient.Version {
-			continue
-		}
-		names = append(names, req.Name)
-	}
-
-	return names
-}
-
 func qualifiedName(req *buildplan.Requirement) string {
 	if req.Namespace == "" {
 		return req.Name

diff --git a/test/integration/package_int_test.go b/test/integration/package_int_test.go
@@ -571,7 +571,7 @@ func (suite *PackageIntegrationTestSuite) TestCVE_NoPrompt() {
 	// Note: this version has 2 direct vulnerabilities, and 3 indirect vulnerabilities, but since
 	// we're not prompting, we're only showing a single count.
 	cp = ts.Spawn("install", "[email protected]")
-	cp.ExpectRe(`Warning: Dependency has .* vulnerabilities`, e2e.RuntimeSolvingTimeoutOpt)
+	cp.ExpectRe(`Warning: Found .* vulnerabilities`, e2e.RuntimeSolvingTimeoutOpt)
 	cp.ExpectExitCode(0)
 }
 
@@ -594,7 +594,7 @@ func (suite *PackageIntegrationTestSuite) TestCVE_Prompt() {
 	cp.ExpectExitCode(0)
 
 	cp = ts.Spawn("install", "[email protected]", "--ts=2024-09-10T16:36:34.393Z")
-	cp.ExpectRe(`Warning: Dependency has .* vulnerabilities`, e2e.RuntimeSolvingTimeoutOpt)
+	cp.ExpectRe(`Warning: Found .* vulnerabilities`, e2e.RuntimeSolvingTimeoutOpt)
 	cp.Expect("Do you want to continue")
 	cp.SendLine("y")
 	cp.ExpectExitCode(0)
@@ -619,7 +619,7 @@ func (suite *PackageIntegrationTestSuite) TestCVE_NonInteractive() {
 	cp.ExpectExitCode(0)
 
 	cp = ts.Spawn("install", "[email protected]", "--ts=2024-09-10T16:36:34.393Z", "--non-interactive")
-	cp.ExpectRe(`Warning: Dependency has .* vulnerabilities`, e2e.RuntimeSolvingTimeoutOpt)
+	cp.ExpectRe(`Warning: Found .* vulnerabilities`, e2e.RuntimeSolvingTimeoutOpt)
 	cp.Expect("Aborting because State Tool is running in non-interactive mode")
 	cp.ExpectNotExitCode(0)
 }
@@ -643,7 +643,7 @@ func (suite *PackageIntegrationTestSuite) TestCVE_Force() {
 	cp.ExpectExitCode(0)
 
 	cp = ts.Spawn("install", "[email protected]", "--ts=2024-09-10T16:36:34.393Z", "--force")
-	cp.ExpectRe(`Warning: Dependency has .* vulnerabilities`, e2e.RuntimeSolvingTimeoutOpt)
+	cp.ExpectRe(`Warning: Found .* vulnerabilities`, e2e.RuntimeSolvingTimeoutOpt)
 	cp.Expect("Continuing because the '--force' flag is set")
 	cp.ExpectExitCode(0)
 }
@@ -664,7 +664,7 @@ func (suite *PackageIntegrationTestSuite) TestCVE_Indirect() {
 	cp.ExpectExitCode(0)
 
 	cp = ts.Spawn("install", "private/ActiveState-CLI-Testing/language/python/django_dep", "--ts=2024-09-10T16:36:34.393Z")
-	cp.ExpectRe(`Warning: Dependency has \d+ indirect known vulnerabilities`, e2e.RuntimeSolvingTimeoutOpt)
+	cp.ExpectRe(`Warning: Found \d+ indirect known vulnerabilities`, e2e.RuntimeSolvingTimeoutOpt)
 	cp.Expect("Do you want to continue")
 	cp.SendLine("n")
 	cp.ExpectExitCode(1)