Fix: [AEA-0000] - add more details to scan output (#21)

anthony-nhs · web-flow · commit 20fb1f797cb6 · 2024-10-09T09:19:36.000+01:00
* add more details to sbom

* better error reporting
diff --git a/check-sbom-issues-against-ignores.sh b/check-sbom-issues-against-ignores.sh
@@ -23,27 +23,41 @@ CRITICAL_FOUND=false
 # Loop through vulnerabilities in the scan results
 while IFS= read -r MATCH; do
   VULN_ID=$(echo "$MATCH" | jq -r '.vulnerability.id')
+  DESCRIPTION=$(echo "$MATCH" | jq -r '.vulnerability.description')
+  DATASOURCE=$(echo "$MATCH" | jq -r '.vulnerability.dataSource')
 
   # Check if the vulnerability ID is in the ignored list
   FOUND=false
   for IGNORED in "${IGNORED_ISSUES[@]}"; do
     if [[ "$IGNORED" == "$VULN_ID" ]]; then
       FOUND=true
+      echo
+      echo "***************************"
       echo "Warning: Ignored vulnerability found: $VULN_ID"
+      echo "Warning: Description: $DESCRIPTION"
+      echo "Warning: dataSource: $DATASOURCE"
+      echo "***************************"
       break
     fi
   done
 
   # If the vulnerability is not found in the ignored list, mark critical as found
   if [[ "$FOUND" == false ]]; then
+    echo
+    echo "***************************"
     echo "Error: Critical vulnerability found that is not in the ignore list: $VULN_ID"
+    echo "Error: Description: $DESCRIPTION"
+    echo "Error: dataSource: $DATASOURCE"
+    echo "***************************"
     CRITICAL_FOUND=true
   fi
 done < <(jq -c '.matches[] | select(.vulnerability.severity == "Critical")' "$SCAN_RESULTS_FILE")
 
 # Exit with error if critical vulnerability is found
 if [[ "$CRITICAL_FOUND" == true ]]; then
   echo "ERROR: Address the critical vulnerabilities before proceeding."
+  echo "To add this to an ignore list, add the vulnerability to ignored_security_issues.json"
+  echo "See https://github.com/NHSDigital/eps-action-sbom for more details"
   exit 1
 fi
 
