Show summary markdown table on zero vulns

Author: Michael Long

entrypoint/entrypoint/orchestrator.py

@@ -381,7 +381,7 @@ def write_pkg_vuln_report_csv(args, criticals, highs, mediums, lows, others):
 def write_pkg_vuln_report_markdown(args, total_vulns, criticals, highs, mediums, lows, others):
     if int(total_vulns) == 0:
         logging.info(f"skipping package vulnerability markdown report because no vulnerabilities were detected")
-        return
+        return None
 
     with open(args.out_scan, "r") as f:
         inspector_scan = json.load(f)

entrypoint/entrypoint/pkg_vuln.py

@@ -421,9 +421,9 @@ def sort_vulns(vulns):
     return sorted_vulns
 
 
-def post_github_step_summary(markdown="null"):
-    if markdown == "null":
-        return
+def post_github_step_summary(markdown=None):
+    if markdown is None:
+        markdown = get_zero_vuln_summary_table()
 
     job_summary_file = "/tmp/inspector.md"
     if os.getenv('GITHUB_ACTIONS'):
@@ -456,3 +456,13 @@ def get_pkg_vulns(inspector_scan_vulns: dict):
         pkg_vulns.append(vuln)
 
     return pkg_vulns
+
+
+def get_zero_vuln_summary_table() -> str:
+    markdown = "## Vulnerability Counts by Severity\n\n"
+    markdown += "| Severity | Count |\n"
+    markdown += "|----------|-------|\n"
+    for severity in ["Critical", "High", "Medium", "Low", "Other"]:
+        markdown += f"| {severity} | 0 |\n"
+    markdown += "\n\n"
+    return markdown

entrypoint/tests/test_pkg_vuln.py

@@ -1,4 +1,5 @@
 import json
+import os
 import unittest
 
 from entrypoint import pkg_vuln
@@ -37,6 +38,24 @@ def test_vulns_to_obj(self):
                 vulns = pkg_vuln.vulns_to_obj(inspector_scan)
                 self.assertTrue(vulns != None)
 
+    def test_post_github_step_summary_no_vulns(self):
+
+        dst_markdown_with_zero_vulns = "/tmp/inspector.md"
+        cleanup_stale_markdown_report(dst_markdown_with_zero_vulns)
+
+        markdown_with_zero_vulns = None
+        pkg_vuln.post_github_step_summary(markdown_with_zero_vulns)
+
+        expected = pkg_vuln.get_zero_vuln_summary_table()
+        received = ""
+
+        with open(dst_markdown_with_zero_vulns, "r") as f:
+            received = f.read()
+
+        self.assertEqual(expected, received)
+
+        cleanup_stale_markdown_report(dst_markdown_with_zero_vulns)
+
 
 def get_scan_body(test_file):
     # test_file = "tests/test_data/artifacts/containers/dockerfile_checks/inspector-scan-cdx.json"
@@ -47,5 +66,12 @@ def get_scan_body(test_file):
     return scan_body
 
 
+def cleanup_stale_markdown_report(path):
+    try:
+        os.remove(path)
+    except:
+        return
+
+
 if __name__ == '__main__':
     unittest.main()