rework zero vuln report

Author: Michael Long

entrypoint/entrypoint/orchestrator.py

@@ -60,7 +60,7 @@ def post_dockerfile_step_summary(args, total_vulns):
             with open(args.out_dockerfile_scan_md, "r") as f:
                 dockerfile_markdown = f.read()
         except Exception as e:
-            logging.debug(e) # can be spammy, so set as debug log
+            logging.debug(e)  # can be spammy, so set as debug log
             return
 
         if not dockerfile_markdown:
@@ -379,10 +379,6 @@ def write_pkg_vuln_report_csv(args, criticals, highs, mediums, lows, others):
 
 
 def write_pkg_vuln_report_markdown(args, total_vulns, criticals, highs, mediums, lows, others):
-    if int(total_vulns) == 0:
-        logging.info(f"skipping package vulnerability markdown report because no vulnerabilities were detected")
-        return None
-
     with open(args.out_scan, "r") as f:
         inspector_scan = json.load(f)
         vulns = pkg_vuln.vulns_to_obj(inspector_scan)

entrypoint/entrypoint/pkg_vuln.py

@@ -339,16 +339,16 @@ def to_markdown(vulns,
     markdown += f"| Other    | {others}|\n"
     markdown += "\n\n"
 
+    if not vulns:
+        markdown += ":green_circle: Your resource was scanned with Amazon Inspector and no vulnerabilities were detected."
+        markdown += "\n\n"
+        return markdown
+
     # create vulnerability details table
     markdown += "## Vulnerability Findings\n\n"
-
     markdown += "| ID | Severity | [CVSS](https://www.first.org/cvss/) | Installed Package ([PURL](https://github.com/package-url/purl-spec/tree/master?tab=readme-ov-file#purl)) | Fixed Package | Path | [EPSS](https://www.first.org/epss/) | Exploit Available | Exploit Last Seen | CWEs |\n"
     markdown += "|----------|-------|-------|-------|-------|-------|-------|-------|-------|-------|\n"
 
-    if not vulns:
-        markdown += "\n\n"
-        return markdown
-
     # sort vulns by CVSS score
     vulns = sort_vulns(vulns)
 
@@ -421,10 +421,7 @@ def sort_vulns(vulns):
     return sorted_vulns
 
 
-def post_github_step_summary(markdown=None):
-    if markdown is None:
-        markdown = get_zero_vuln_summary_table()
-
+def post_github_step_summary(markdown):
     job_summary_file = "/tmp/inspector.md"
     if os.getenv('GITHUB_ACTIONS'):
         job_summary_file = os.environ["GITHUB_STEP_SUMMARY"]
@@ -456,13 +453,3 @@ def get_pkg_vulns(inspector_scan_vulns: dict):
         pkg_vulns.append(vuln)
 
     return pkg_vulns
-
-
-def get_zero_vuln_summary_table() -> str:
-    markdown = "## Vulnerability Counts by Severity\n\n"
-    markdown += "| Severity | Count |\n"
-    markdown += "|----------|-------|\n"
-    for severity in ["Critical", "High", "Medium", "Low", "Other"]:
-        markdown += f"| {severity} | 0 |\n"
-    markdown += "\n\n"
-    return markdown

entrypoint/tests/test_pkg_vuln.py

@@ -40,21 +40,29 @@ def test_vulns_to_obj(self):
 
     def test_post_github_step_summary_no_vulns(self):
 
-        dst_markdown_with_zero_vulns = "/tmp/inspector.md"
-        cleanup_stale_markdown_report(dst_markdown_with_zero_vulns)
-
-        markdown_with_zero_vulns = None
-        pkg_vuln.post_github_step_summary(markdown_with_zero_vulns)
-
-        expected = pkg_vuln.get_zero_vuln_summary_table()
-        received = ""
-
-        with open(dst_markdown_with_zero_vulns, "r") as f:
-            received = f.read()
-
-        self.assertEqual(expected, received)
-
-        cleanup_stale_markdown_report(dst_markdown_with_zero_vulns)
+        markdown_dst_path = "/tmp/inspector.md"
+        cleanup_stale_markdown_report(markdown_dst_path)
+
+        zero_vuln_summary_md = pkg_vuln.to_markdown(vulns=None,
+                                                    artifact_name="test_image:latest",
+                                                    artifact_type="container",
+                                                    artifact_hash="null",
+                                                    build_id="null",
+                                                    criticals="0",
+                                                    highs="0",
+                                                    mediums="0",
+                                                    lows="0",
+                                                    others="0")
+
+        expected_list = ["| Critical | 0|",
+                         "| High     | 0|",
+                         "| Medium   | 0|",
+                         "| Low      | 0|",
+                         "| Other    | 0|",
+                         ]
+        for expected in expected_list:
+            self.assertIn(expected, zero_vuln_summary_md)
+        cleanup_stale_markdown_report(markdown_dst_path)
 
 
 def get_scan_body(test_file):