Exit code handling (#165)

* Updates dependencies
* Flags added, return codes on os.Exit
* Filtering done implemented
* Adds more test coverage
* Fixes snyk test failures
* Changes to OSV API handling
* Fixes issue with OSV provider API call
* Fixes workflow for go 1.21
* Removes stale SBOM

.github/workflows/go-quality.yml

@@ -11,7 +11,7 @@ jobs:
         name: Setup Go
         uses: actions/setup-go@v4
         with:
-          go-version: '1.20'
+          go-version: '1.21'
       - 
         name: Install Dependencies
         run: |

.github/workflows/release.yml

@@ -21,7 +21,7 @@ jobs:
         name: Set up Go
         uses: actions/setup-go@v4
         with:
-          go-version: '1.20'
+          go-version: '1.21'
           check-latest: true
       - run: go version
       - 

.hookz.yaml

@@ -1,10 +1,10 @@
   version: 2.4.0
   sources:
-    - source: github.com/anchore/syft/cmd/syft@latest
     - source: github.com/devops-kung-fu/hinge@latest
     - source: github.com/kisielk/errcheck@latest      
     - source: honnef.co/go/tools/cmd/staticcheck@latest
     - source: github.com/fzipp/gocyclo/cmd/gocyclo@latest
+    - source: golang.org/x/vuln/cmd/govulncheck@latest
   hooks:
     - type: pre-commit
       actions:
@@ -26,6 +26,9 @@
         - name: "errcheck: Ensure that errors are checked"
           exec: errcheck
           args: ["-ignoretests", "./..."]
+        - name: "govulncheck: Check for vulnerabilities"
+          exec: govulncheck
+          args: ["./..."]
         - name: "gocyclo: Check cyclomatic complexities"
           exec: gocyclo
           args: ["-over", "13", "."]
@@ -41,11 +44,6 @@
         - name: "go: Test coverage"
           exec: go
           args: ["tool", "cover", "-func=coverage.out"]
-        # - name: "syft: Generate a Software Bill of Materials (SBoM)"
-        #   script: "
-        #     #!/bin/bash \n
-        #     syft . -o cyclonedx-json=sbom/bomber.cyclonedx.json &> /dev/null \n
-        #     "
         - name: "git: Add all changed files during the pre-commit stage"
           exec: git
           args: ["add", "."]

.vscode/launch.json

@@ -32,12 +32,12 @@
             "args": ["--provider=ossindex", "--debug=true", "scan", "./_TESTDATA_/sbom"]
         },
         {
-            "name": "Debug File (OSS Index - juiceshop)",
+            "name": "Debug File (OSS Index - juiceshop, fail = moderate)",
             "type": "go",
             "request": "launch",
             "mode": "auto",
             "program": "${workspaceFolder}/main.go",
-            "args": ["--debug=true", "--provider=ossindex", "scan", "./_TESTDATA_/sbom/juiceshop.cyclonedx.json"]
+            "args": ["--debug=true", "--fail=critical", "--provider=ossindex", "scan", "./_TESTDATA_/sbom/juiceshop.cyclonedx.json"]
         },
         {
             "name": "Debug File (OSV- cargo-valid)",

cmd/scan.go

@@ -29,6 +29,7 @@ var (
 	renderer        models.Renderer
 	provider        models.Provider
 	ignoreFile      string
+	failSeverity    string
 
 	// summary, detailed bool
 	scanCmd = &cobra.Command{
@@ -99,6 +100,20 @@ var (
 					}
 				}
 
+				//Get rid of the packages that have a vulnerability lower than its fail severity
+				if failSeverity != "" {
+					for i, p := range response {
+						vulns := []models.Vulnerability{}
+						for _, v := range p.Vulnerabilities {
+							fs := int(lib.ParseFailSeverity(failSeverity))
+							vs := lib.ParseSeverity(v.Severity)
+							if vs >= fs {
+								vulns = append(vulns, v)
+							}
+						}
+						response[i].Vulnerabilities = vulns
+					}
+				}
 				for i, p := range response {
 					enrichedVulnerabilities, _ := enrichment.Enrich(p.Vulnerabilities)
 					response[i].Vulnerabilities = enrichedVulnerabilities
@@ -118,8 +133,7 @@ var (
 				}
 				vulnCount := 0
 				for _, r := range response {
-					vulns := len(r.Vulnerabilities)
-					vulnCount += vulns
+					vulnCount += len(r.Vulnerabilities)
 					for _, v := range r.Vulnerabilities {
 						lib.AdjustSummary(v.Severity, &severitySummary)
 					}
@@ -128,6 +142,10 @@ var (
 				if err = renderer.Render(results); err != nil {
 					log.Println(err)
 				}
+				if failSeverity != "" {
+					log.Printf("fail severity: %x\n", int(lib.ParseFailSeverity(failSeverity)))
+					os.Exit(int(lib.ParseFailSeverity(failSeverity)))
+				}
 
 			} else {
 				util.PrintInfo("No packages were detected. Nothing has been scanned.")
@@ -143,4 +161,5 @@ func init() {
 	scanCmd.PersistentFlags().StringVar(&credentials.Token, "token", "", "the API token for the provider being used.")
 	scanCmd.PersistentFlags().StringVar(&providerName, "provider", "osv", "the vulnerability provider (ossindex, osv).")
 	scanCmd.PersistentFlags().StringVar(&ignoreFile, "ignore-file", "", "an optional file containing CVEs to ignore when rendering output.")
+	scanCmd.PersistentFlags().StringVar(&failSeverity, "fail", "undefined", "anything above this severity will be returned with non-zero error code.")
 }

go.mod

@@ -1,48 +1,50 @@
 module github.com/devops-kung-fu/bomber
 
-go 1.20
+go 1.21
+
+toolchain go1.21.3
 
 require (
-	github.com/CycloneDX/cyclonedx-go v0.7.1
+	github.com/CycloneDX/cyclonedx-go v0.7.2
 	github.com/briandowns/spinner v1.23.0
-	github.com/devops-kung-fu/common v0.2.5
-	github.com/gookit/color v1.5.3
+	github.com/devops-kung-fu/common v0.2.6
+	github.com/gookit/color v1.5.4
 	github.com/jarcoal/httpmock v1.3.0
-	github.com/jedib0t/go-pretty/v6 v6.4.6
+	github.com/jedib0t/go-pretty/v6 v6.4.8
 	github.com/kirinlabs/HttpRequest v1.1.1
-	github.com/microcosm-cc/bluemonday v1.0.23
-	github.com/package-url/packageurl-go v0.1.0
+	github.com/microcosm-cc/bluemonday v1.0.26
+	github.com/package-url/packageurl-go v0.1.2
 	github.com/remeh/sizedwaitgroup v1.0.0
-	github.com/spf13/afero v1.9.5
+	github.com/spf13/afero v1.10.0
 	github.com/spf13/cobra v1.7.0
-	github.com/stretchr/testify v1.8.2
-	k8s.io/utils v0.0.0-20230406110748-d93618cff8a2
+	github.com/stretchr/testify v1.8.4
+	k8s.io/utils v0.0.0-20230726121419-3b25d923346b
 )
 
 require (
 	github.com/kr/pretty v0.3.0 // indirect
 	github.com/rogpeppe/go-internal v1.8.0 // indirect
 	golang.org/x/exp v0.0.0-20230202163644-54bba9f4231b // indirect
-	golang.org/x/term v0.7.0 // indirect
+	golang.org/x/term v0.13.0 // indirect
 )
 
 require (
 	github.com/aymerick/douceur v0.2.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/fatih/color v1.15.0 // indirect
-	github.com/gomarkdown/markdown v0.0.0-20230322041520-c84983bdbf2a
+	github.com/gomarkdown/markdown v0.0.0-20230922112808-5421fefb8386
 	github.com/gorilla/css v1.0.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
-	github.com/mattn/go-isatty v0.0.18 // indirect
-	github.com/mattn/go-runewidth v0.0.14 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/mattn/go-runewidth v0.0.15 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/rivo/uniseg v0.4.4 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
-	golang.org/x/net v0.9.0 // indirect
-	golang.org/x/sys v0.7.0 // indirect
-	golang.org/x/text v0.9.0 // indirect
+	golang.org/x/net v0.17.0 // indirect
+	golang.org/x/sys v0.13.0 // indirect
+	golang.org/x/text v0.13.0 // indirect
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )