From df6a059d476c5552e49a53422e027e57d1ab3496 Mon Sep 17 00:00:00 2001
From: mitchell
Date: Tue, 24 Dec 2024 10:21:44 -0500
Subject: [PATCH] Generalized `state install` CVE report. Accurately listing all package names being checked would often result in a horrendously long notice. Also, now that `state install` allows multiple arguments, singular "Dependency" is not good grammar.
---
 internal/locale/locales/en-us.yaml | 10 +++++-----
 internal/runbits/cves/cves.go | 4 ++--
 test/integration/package_int_test.go | 10 +++++-----
 3 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/internal/locale/locales/en-us.yaml b/internal/locale/locales/en-us.yaml
index 2ee84b1c67..c304e1303c 100644
--- a/internal/locale/locales/en-us.yaml
+++ b/internal/locale/locales/en-us.yaml
@@ -1099,7 +1099,7 @@ progress_search:
 progress_platform_search:
 other: "• Searching for platform in the ActiveState Catalog"
 progress_cve_search:
- other: "• Checking for vulnerabilities (CVEs) on [ACTIONABLE]{{.V0}}[/RESET] and its dependencies"
+ other: "• Checking for vulnerabilities (CVEs)"
 setup_runtime:
 other: "Setting Up Runtime"
 progress_solve:
@@ -1138,13 +1138,13 @@ unstable_feature_banner:
 other: "[NOTICE]Beta Feature: This feature is still in beta and may be unstable.[/RESET]\n"
 warning_vulnerable:
 other: |
- [ERROR]Warning: Dependency has {{.V0}} direct and {{.V1}} indirect known vulnerabilities (CVEs)[/RESET]
+ [ERROR]Warning: Found {{.V0}} direct and {{.V1}} indirect known vulnerabilities (CVEs)[/RESET]
 warning_vulnerable_indirectonly:
 other: |
- [ERROR]Warning: Dependency has {{.V0}} indirect known vulnerabilities (CVEs)[/RESET]
+ [ERROR]Warning: Found {{.V0}} indirect known vulnerabilities (CVEs)[/RESET]
 warning_vulnerable_directonly:
 other: |
- [ERROR]Warning: Dependency has {{.V0}} known vulnerabilities (CVEs)[/RESET]
+ [ERROR]Warning: Found {{.V0}} known vulnerabilities (CVEs)[/RESET]
 cve_critical:
 other: Critical
 cve_high:
@@ -1159,7 +1159,7 @@ disable_prompting_vulnerabilities:
 other: To disable prompting for vulnerabilities run '[ACTIONABLE]state config set security.prompt.enabled false[/RESET]'.
 warning_vulnerable_short:
 other: |
- [ERROR]Warning:[/RESET] Dependency has [ERROR]{{.V0}} known vulnerabilities (CVEs)[/RESET]. Severity: {{.V1}}. Run '[ACTIONABLE]state security[/RESET]' for more info.
+ [ERROR]Warning:[/RESET] Found [ERROR]{{.V0}} known vulnerabilities (CVEs)[/RESET]. Severity: {{.V1}}. Run '[ACTIONABLE]state security[/RESET]' for more info.
 prompt_continue_pkg_operation:
 other: |
 Do you want to continue installing this dependency despite its vulnerabilities?
diff --git a/internal/runbits/cves/cves.go b/internal/runbits/cves/cves.go
index ad7d19ff86..7275c7b3f2 100644
--- a/internal/runbits/cves/cves.go
+++ b/internal/runbits/cves/cves.go
@@ -77,8 +77,7 @@ func (c *CveReport) Report(newBuildPlan *buildplan.BuildPlan, oldBuildPlan *buil
 }
 }
 
- names := changedRequirements(oldBuildPlan, newBuildPlan)
- pg := output.StartSpinner(c.prime.Output(), locale.Tr("progress_cve_search", strings.Join(names, ", ")), constants.TerminalAnimationInterval)
+ pg := output.StartSpinner(c.prime.Output(), locale.T("progress_cve_search"), constants.TerminalAnimationInterval)
 
 ingredientVulnerabilities, err := model.FetchVulnerabilitiesForIngredients(c.prime.Auth(), ingredients)
 if err != nil {
@@ -96,6 +95,7 @@ func (c *CveReport) Report(newBuildPlan *buildplan.BuildPlan, oldBuildPlan *buil
 pg.Stop(locale.T("progress_unsafe"))
 pg = nil
 
+ names := changedRequirements(oldBuildPlan, newBuildPlan)
 vulnerabilities := model.CombineVulnerabilities(ingredientVulnerabilities, names...)
 
 if c.prime.Prompt() == nil || !c.shouldPromptForSecurity(vulnerabilities) {
diff --git a/test/integration/package_int_test.go b/test/integration/package_int_test.go
index 60983fc0bd..bb3cb388e6 100644
--- a/test/integration/package_int_test.go
+++ b/test/integration/package_int_test.go
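Review bot: The trailing context line of this hunk, `Do you want to continue installing this dependency despite its vulnerabilities?` under `prompt_continue_pkg_operation`, keeps the singular "this dependency" wording that the commit message says no longer fits `state install` with several arguments, so the warning and the prompt that follows it now disagree. Since the warning is printed immediately before this prompt, the user sees "Found N known vulnerabilities" and is then asked about a single dependency. A wording such as `Do you want to continue installing despite these vulnerabilities?` would keep the prompt consistent with the generalized warning; `TestCVE_Prompt` and `TestCVE_Indirect` only match on `Do you want to continue`, so they would still pass.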
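Review bot: The removed `strings.Join(names, ", ")` line in the first cves.go hunk is the only reference to the `strings` package visible here, and the diff does not touch the file's import block; if that was the sole use of `strings` in cves.go the file no longer builds (`imported and not used: "strings"`), so please confirm the package is still referenced elsewhere or drop the import in this commit. The `names := changedRequirements(oldBuildPlan, newBuildPlan)` line moved into the second hunk is only consumed by `model.CombineVulnerabilities`, so deferring it until after the fetch does not appear to change the result, but a one-line comment such as `// Requirement names are needed only to classify direct vs. indirect results below.` would explain to the next reader why the call sits after the spinner rather than before it. `Report` begins and ends outside both hunks.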
@@ -571,7 +571,7 @@ func (suite *PackageIntegrationTestSuite) TestCVE_NoPrompt() {
 // Note: this version has 2 direct vulnerabilities, and 3 indirect vulnerabilities, but since
 // we're not prompting, we're only showing a single count.
 cp = ts.Spawn("install", "urllib3@2.0.2")
- cp.ExpectRe(`Warning: Dependency has .* vulnerabilities`, e2e.RuntimeSolvingTimeoutOpt)
+ cp.ExpectRe(`Warning: Found .* vulnerabilities`, e2e.RuntimeSolvingTimeoutOpt)
 cp.ExpectExitCode(0)
 }
 
@@ -594,7 +594,7 @@ func (suite *PackageIntegrationTestSuite) TestCVE_Prompt() {
 cp.ExpectExitCode(0)
 
 cp = ts.Spawn("install", "urllib3@2.0.2", "--ts=2024-09-10T16:36:34.393Z")
- cp.ExpectRe(`Warning: Dependency has .* vulnerabilities`, e2e.RuntimeSolvingTimeoutOpt)
+ cp.ExpectRe(`Warning: Found .* vulnerabilities`, e2e.RuntimeSolvingTimeoutOpt)
 cp.Expect("Do you want to continue")
 cp.SendLine("y")
 cp.ExpectExitCode(0)
@@ -619,7 +619,7 @@ func (suite *PackageIntegrationTestSuite) TestCVE_NonInteractive() {
 cp.ExpectExitCode(0)
 
 cp = ts.Spawn("install", "urllib3@2.0.2", "--ts=2024-09-10T16:36:34.393Z", "--non-interactive")
- cp.ExpectRe(`Warning: Dependency has .* vulnerabilities`, e2e.RuntimeSolvingTimeoutOpt)
+ cp.ExpectRe(`Warning: Found .* vulnerabilities`, e2e.RuntimeSolvingTimeoutOpt)
 cp.Expect("Aborting because State Tool is running in non-interactive mode")
 cp.ExpectNotExitCode(0)
 }
@@ -643,7 +643,7 @@ func (suite *PackageIntegrationTestSuite) TestCVE_Force() {
 cp.ExpectExitCode(0)
 
 cp = ts.Spawn("install", "urllib3@2.0.2", "--ts=2024-09-10T16:36:34.393Z", "--force")
- cp.ExpectRe(`Warning: Dependency has .* vulnerabilities`, e2e.RuntimeSolvingTimeoutOpt)
+ cp.ExpectRe(`Warning: Found .* vulnerabilities`, e2e.RuntimeSolvingTimeoutOpt)
 cp.Expect("Continuing because the '--force' flag is set")
 cp.ExpectExitCode(0)
 }
@@ -664,7 +664,7 @@ func (suite *PackageIntegrationTestSuite) TestCVE_Indirect() {
 cp.ExpectExitCode(0)
 
 cp = ts.Spawn("install", "private/ActiveState-CLI-Testing/language/python/django_dep", "--ts=2024-09-10T16:36:34.393Z")
- cp.ExpectRe(`Warning: Dependency has \d+ indirect known vulnerabilities`, e2e.RuntimeSolvingTimeoutOpt)
+ cp.ExpectRe(`Warning: Found \d+ indirect known vulnerabilities`, e2e.RuntimeSolvingTimeoutOpt)
 cp.Expect("Do you want to continue")
 cp.SendLine("n")
 cp.ExpectExitCode(1)