@@ -155,7 +155,9 @@ jobs:
155155 source results/last_build.env
156156 cat results/last_build.env
157157 echo "BUILT_PACKAGE=${pkg_ident}" >> $GITHUB_ENV
158+ echo "BUILT_PKG_PATH=/hab/pkgs/${pkg_ident}" >> $GITHUB_ENV
158159 echo "Built package: ${pkg_ident}"
160+ echo "Installed Path: /hab/pkgs/${pkg_ident}"
159161
160162 - name : Install Grype
161163 continue-on-error : true
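Review bot: The new `BUILT_PKG_PATH=/hab/pkgs/${pkg_ident}` line hard-codes the install root instead of asking Habitat where the package landed, and nothing checks that the directory exists before it is handed to the scan step, so a build that installs somewhere else (or a malformed `pkg_ident` from `last_build.env`) only surfaces later as a grype error on an empty or missing `dir:`. I would fail fast here: `[ -d "/hab/pkgs/${pkg_ident}" ] || { echo "built package not found at /hab/pkgs/${pkg_ident}" >&2; exit 1; }` before the `>> $GITHUB_ENV` write. Note that `source results/last_build.env` executes whatever the build step wrote; that is pre-existing, but the `cat` added next to it at least makes the sourced content visible in the log. The enclosing step starts before this hunk.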
@@ -208,25 +210,23 @@ jobs:
208210 # Use built package if available, otherwise use input package name
209211 if [ -n "${BUILT_PACKAGE}" ]; then
210212 SCAN_PACKAGE="${BUILT_PACKAGE}"
211- PKG_PATH="/hab/pkgs/${SCAN_PACKAGE}"
213+ # PKG_PATH="/hab/pkgs/${SCAN_PACKAGE}"
214+ PKG_PATH="${BUILT_PKG_PATH}"
212215 else
213216 SCAN_PACKAGE="${{ inputs.hab_origin }}/${{ inputs.hab_package }}"
214217 PKG_PATH=$(hab pkg path ${SCAN_PACKAGE})
215218 fi
216219
217220 echo "Scanning package at: ${PKG_PATH}"
218221
219- # Run grype scan (display in logs)
220- grype dir:$PKG_PATH --name ${SCAN_PACKAGE}
221-
222222 # Save results to files
223223 OUTPUT_FILE="grype-results-linux-${SCAN_PACKAGE}.txt"
224224 OUTPUT_FILE="${OUTPUT_FILE//\//-}"
225- grype dir:$PKG_PATH --name ${SCAN_PACKAGE} > $OUTPUT_FILE
225+ grype dir:$PKG_PATH --name ${SCAN_PACKAGE} --only-fixed --output table > $OUTPUT_FILE
226226
227227 JSON_FILE="grype-results-linux-${SCAN_PACKAGE}.json"
228228 JSON_FILE="${JSON_FILE//\//-}"
229- grype dir:$PKG_PATH --name ${SCAN_PACKAGE} --output json > $JSON_FILE
229+ grype dir:$PKG_PATH --name ${SCAN_PACKAGE} --only-fixed -- output json > $JSON_FILE
230230
231231 echo "OUTPUT_FILE=$OUTPUT_FILE" >> $GITHUB_ENV
232232 echo "JSON_FILE=$JSON_FILE" >> $GITHUB_ENV
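Review bot: The JSON scan on the `229+` line is broken by a stray space: `--only-fixed -- output json` passes `--`, `output` and `json` as separate arguments rather than `--output json`, so grype either errors or writes table output into `$JSON_FILE`, and anything downstream that parses it as JSON will fail; the line should read `grype "dir:$PKG_PATH" --name "${SCAN_PACKAGE}" --only-fixed --output json > "$JSON_FILE"`. A second, security-relevant consequence of this hunk is that the log-only full scan was removed and both remaining outputs carry `--only-fixed`, so vulnerabilities without an upstream fix no longer appear anywhere in the run even though they are still exploitable; consider keeping the JSON artifact unfiltered (drop `--only-fixed` from that one line) or at least documenting the choice with `# Table is fixed-only for triage; JSON keeps every finding for the record`. `$PKG_PATH` and `$SCAN_PACKAGE` should also be double-quoted since they come from build output.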
@@ -335,8 +335,14 @@ jobs:
335335 if : ${{ inputs.build_package == true }}
336336 run : |
337337 . ./results/last_build.ps1
338+ cat ./results/last_build.ps1
339+ $PkgIdentPath = $pkg_ident -replace '/', '\'
340+ $RepoName = "${{ github.event.repository.name }}"
341+ $InstalledPath = "D:\hab\studios\a--${RepoName}--${RepoName}\hab\pkgs\$PkgIdentPath"
338342 echo "BUILT_PACKAGE=$pkg_ident" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
343+ echo "BUILT_PKG_PATH=$InstalledPath" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
339344 Write-Host "Built package: $pkg_ident"
345+ Write-Host "Installed Path: $InstalledPath"
340346
341347 - name : Install Grype (Windows)
342348 continue-on-error : true
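Review bot: `$InstalledPath` is assembled from `github.event.repository.name` and `$pkg_ident` and exported without verifying it exists, so a wrong studio-name assumption silently produces a scan of a missing directory in the later step; add `if (-not (Test-Path -LiteralPath $InstalledPath)) { throw "Built package not found at $InstalledPath" }` before the `BUILT_PKG_PATH` write. Note also that the replaced path (in the later hunk of this commit) derived the studio directory from `inputs.hab_package`, whereas this version derives it from the repository name; if those two values can differ for some callers this is a silent behavior change and deserves a comment such as `# Habitat studio dir on Windows is named after the repository, not the package`. The enclosing step starts before this hunk.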
@@ -352,6 +358,15 @@ jobs:
352358 echo "$grypeDir" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
353359
354360 & "$grypeDir\grype.exe" version
361+
362+ # Create grype config to ignore unfixable vulnerabilities
363+ @"
364+ match:
365+ exclude:
366+ - fix-state: wont-fix
367+ - fix-state: not-fixed
368+ - fix-state: unknown
369+ "@ | Out-File -FilePath ".grype.yaml" -Encoding utf8
355370
356371 - name : Generate Artifact Name
357372 run : |
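Review bot: I do not believe `match.exclude` is a key grype reads; as far as I know fix-state filtering in the config file is expressed as a top-level `ignore:` list (`ignore:` / `  - fix-state: wont-fix` / `  - fix-state: not-fixed`), so this `.grype.yaml` likely has no effect and filtering rests entirely on `--only-fixed` in the scan step — worth confirming against grype's config reference before relying on it. Independently of the key name, excluding `fix-state: unknown` hides findings whose fix status simply has not been determined yet, which is different from "unfixable"; a comment stating that trade-off (`# NOTE: 'unknown' fix-state findings are also suppressed, not only confirmed wont-fix`) would stop a later reader from assuming the report is complete. Also, Windows PowerShell's `-Encoding utf8` emits a BOM; if grype's YAML loader rejects a BOM the file is silently ignored, and since this step is `continue-on-error: true` nobody would notice.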
@@ -393,25 +408,23 @@ jobs:
393408 # Use built package if available, otherwise use input package name
394409 if ($env:BUILT_PACKAGE) {
395410 $ScanPackage = $env:BUILT_PACKAGE
396- $PkgPath = "D:\\hab\\studios\\a--${{ inputs.hab_package }}--${{ inputs.hab_package }}\/hab/pkgs/${ScanPackage}"
411+ # $PkgPath = "D:\\hab\\studios\\a--${{ inputs.hab_package }}--${{ inputs.hab_package }}\/hab/pkgs/${ScanPackage}"
412+ $PkgPath = $env:BUILT_PKG_PATH
397413 } else {
398414 $ScanPackage = "${{ inputs.hab_origin }}/${{ inputs.hab_package }}"
399415 $PkgPath = hab pkg path $ScanPackage
400416 }
401417
402418 Write-Host "Scanning package at: $PkgPath"
403419
404- # Run grype scan (display in logs)
405- grype dir:$PkgPath --name $ScanPackage
406-
407420 # Save results to files
408421 $OutputFile = "grype-results-windows-$ScanPackage.txt"
409422 $OutputFile = $OutputFile -replace '/', '-'
410- grype dir:$PkgPath --name $ScanPackage | Out-File -FilePath $OutputFile -Encoding utf8
423+ grype dir:$PkgPath --name $ScanPackage --only-fixed --output table | Out-File -FilePath $OutputFile -Encoding utf8
411424
412425 $JsonFile = "grype-results-windows-$ScanPackage.json"
413426 $JsonFile = $JsonFile -replace '/', '-'
414- grype dir:$PkgPath --name $ScanPackage --output json | Out-File -FilePath $JsonFile -Encoding utf8
427+ grype dir:$PkgPath --name $ScanPackage --only-fixed -- output json | Out-File -FilePath $JsonFile -Encoding utf8
415428
416429 echo "OUTPUT_FILE=$OutputFile" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
417430 echo "JSON_FILE=$JsonFile" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
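Review bot: The `427+` line has the same stray space as the Linux job: `--only-fixed -- output json` does not pass `--output json` to grype, so `$JsonFile` ends up empty or holding table text instead of JSON; it should be `grype dir:$PkgPath --name $ScanPackage --only-fixed --output json | Out-File -FilePath $JsonFile -Encoding utf8`. With the log-only scan removed and both saved outputs restricted to `--only-fixed`, unfixed-but-exploitable findings are no longer visible anywhere in the run; keeping the JSON unfiltered would preserve the full record. Since the scan goes through `Out-File`, grype's exit status is also not propagated, so a failed scan still produces an artifact and a green step — `if ($LASTEXITCODE -ne 0) { throw "grype scan failed" }` after each call would catch that.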
@@ -522,12 +535,23 @@ jobs:
522535 run : |
523536 source results/last_build.env
524537 echo "BUILT_PACKAGE=${pkg_ident}" >> $GITHUB_ENV
538+ echo "BUILT_PKG_PATH=/hab/pkgs/${pkg_ident}" >> $GITHUB_ENV
525539 echo "Built package: ${pkg_ident}"
540+ echo "Installed Path: /hab/pkgs/${pkg_ident}"
526541
527542 - name : Install Grype
528543 continue-on-error : true
529544 run : |
530545 curl -sSfL https://get.anchore.io/grype | sh -s -- -b /usr/local/bin
546+
547+ # Create grype config to ignore unfixable vulnerabilities
548+ cat > .grype.yaml << 'EOF'
549+ match:
550+ exclude:
551+ - fix-state: wont-fix
552+ - fix-state: not-fixed
553+ - fix-state: unknown
554+ EOF
531555
532556 - name : Generate Artifact Name
533557 run : |
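Review bot: The heredoc writes `match.exclude`, which as far as I know is not a key grype honours; the documented way to drop findings by fix state in the config file is a top-level `ignore:` list (`ignore:` / `  - fix-state: wont-fix` / …), so this file is probably inert and the real filtering is the `--only-fixed` flag in the scan step — please verify against grype's config reference. Whichever form is used, suppressing `fix-state: unknown` also hides findings whose fix status is merely undetermined, so a comment such as `# Suppresses unknown fix-state too; treat the report as fixed-only, not complete` would set expectations for readers of the artifact. Not changed by this commit, but adjacent: the installer above pulls an unpinned `curl | sh`; pinning a grype version (`sh -s -- -b /usr/local/bin vX.Y.Z`) would make the scanner itself reproducible.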
@@ -568,24 +592,23 @@ jobs:
568592 # Use built package if available, otherwise use input package name
569593 if [ -n "${BUILT_PACKAGE}" ]; then
570594 SCAN_PACKAGE="${BUILT_PACKAGE}"
595+ PKG_PATH="${BUILT_PKG_PATH}"
571596 else
572597 SCAN_PACKAGE="${{ inputs.hab_origin }}/${{ inputs.hab_package }}"
598+ PKG_PATH=$(hab pkg path ${SCAN_PACKAGE})
573599 fi
574600
575- PKG_PATH=$(hab pkg path ${SCAN_PACKAGE})
576601 echo "Scanning package at: ${PKG_PATH}"
577602
578- # Run grype scan (display in logs)
579- grype dir:$PKG_PATH --name ${SCAN_PACKAGE}
580603
581604 # Save results to files
582605 OUTPUT_FILE="grype-results-macos-${SCAN_PACKAGE}.txt"
583606 OUTPUT_FILE="${OUTPUT_FILE//\//-}"
584- grype dir:$PKG_PATH --name ${SCAN_PACKAGE} > $OUTPUT_FILE
607+ grype dir:$PKG_PATH --name ${SCAN_PACKAGE} --only-fixed --output table > $OUTPUT_FILE
585608
586609 JSON_FILE="grype-results-macos-${SCAN_PACKAGE}.json"
587610 JSON_FILE="${JSON_FILE//\//-}"
588- grype dir:$PKG_PATH --name ${SCAN_PACKAGE} --output json > $JSON_FILE
611+ grype dir:$PKG_PATH --name ${SCAN_PACKAGE} --only-fixed -- output json > $JSON_FILE
589612
590613 echo "OUTPUT_FILE=$OUTPUT_FILE" >> $GITHUB_ENV
591614 echo "JSON_FILE=$JSON_FILE" >> $GITHUB_ENV
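Review bot: The `611+` line repeats the `--only-fixed -- output json` typo, so the macOS JSON artifact will not be JSON; it should be `grype "dir:$PKG_PATH" --name "${SCAN_PACKAGE}" --only-fixed --output json > "$JSON_FILE"`. Moving `PKG_PATH=$(hab pkg path ...)` into the else-branch is correct, but the built-package branch now trusts `${BUILT_PKG_PATH}` from `$GITHUB_ENV` without a `[ -d "${PKG_PATH}" ]` check, so a wrong path is only discovered when grype fails on the `dir:` source. As with the other jobs, the removal of the unfiltered log scan means unfixed findings disappear from the run entirely; keeping the JSON output unfiltered is the cheapest way to retain them.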