add uti and digest

Author: mchmarny

.github/workflows/on-tag.yaml

@@ -1,4 +1,4 @@
-name: tag-cli
+name: tag-release
 on:
   push:
     tags:

.version

@@ -1 +1 @@
-v0.3.1
+v0.3.2

README.md

@@ -7,29 +7,61 @@
 
 # vulctl
 
-Vulnerability scanners export tool.
-
+Vulnerability scanners result processing tool. Generalizes vulnerability reports from common OSS scanners into a generic format which then can be used to compare data across scanners or persist in database. 
 
 ```shell
-vulctl import --source $image \
-              --file report.json \
-              --format snyk
-              --output results.json
+export image="docker.io/redis@sha256:7b83a0167532d4320a87246a815a134e19e31504d85e8e55f0bb5bb9edf70448"
 ```
 
 The currently supported scanners/formats include:
 
-* [grype](https://github.com/anchore/grype)
-
-  `grype --add-cpes-if-none -s AllLayers -o json --file report.json $image`
-
-* [snyk](https://github.com/snyk/cli)
+* [grype](https://github.com/anchore/grype) `grype --add-cpes-if-none -s AllLayers -o json --file report.json $image`
+* [snyk](https://github.com/snyk/cli) `snyk container test --app-vulns --json-file-output=report.json $image`
+* [trivy](https://github.com/aquasecurity/trivy) `trivy image --format json --output report.json $image`
 
-  `snyk container test --app-vulns --json-file-output=report.json $image`
+Then, to process the vulnerability report output from `grype`:
 
-* [trivy](https://github.com/aquasecurity/trivy)
+```shell
+vulctl --source $image --file report.json --format grype
+```
 
-  `trivy image --format json --output report.json $image`
+The resulting file or stdout output will look something like this:
+
+```json
+{
+  "uri": "https://docker.io/redis",
+  "digest": "sha256:7b83a0167532d4320a87246a815a134e19e31504d85e8e55f0bb5bb9edf70448",
+  "processed_at": "2023-04-01T21:53:11.616Z",
+  "record_count": 82,
+  "vulnerabilities": [
+    {
+      "id": "GHSA-vpvm-3wq2-2wvm",
+      "package": "github.com/opencontainers/runc",
+      "version": "v1.1.0",
+      "severity": "high",
+      "score": 7,
+      "fixed": true
+    },
+    {
+      "id": "CVE-2023-0466",
+      "package": "libssl1.1",
+      "version": "1.1.1n-0+deb11u4",
+      "severity": "unknown",
+      "score": 0,
+      "fixed": false
+    },
+    {
+      "id": "CVE-2022-1304",
+      "package": "e2fsprogs",
+      "version": "1.46.2-2",
+      "severity": "high",
+      "score": 6.8,
+      "fixed": false
+    },
+    ...
+  ]
+}
+```
 
 
 ## Installation 

internal/processor/input.go

@@ -2,6 +2,7 @@ package processor
 
 import (
 	"net/url"
+	"strings"
 
 	"github.com/pkg/errors"
 )
@@ -36,6 +37,9 @@ type Options struct {
 
 	// Quiet suppresses output
 	Quiet bool
+
+	uri    string
+	digest string
 }
 
 func (o *Options) validate() error {
@@ -52,6 +56,19 @@ func (o *Options) validate() error {
 	}
 	o.Source = u.String()
 
+	if strings.Contains(o.Source, "@") {
+		parts := strings.Split(o.Source, "@")
+		o.uri = parts[0]
+		o.digest = parts[1]
+	} else {
+		if strings.Contains(o.Source, ":") {
+			parts := strings.Split(o.Source, ":")
+			o.uri = parts[0]
+		} else {
+			o.uri = o.Source
+		}
+	}
+
 	if o.File == "" {
 		return ErrMissingPath
 	}

internal/processor/process.go

@@ -36,10 +36,10 @@ func Process(opt *Options) error {
 	log.Info().Msgf("found %d vulnerabilities", len(uniques))
 
 	scan := &data.Scan{
-		URI:             opt.Source,
-		Digest:          "",
-		PerformedAt:     time.Now().UTC(),
-		Count:           len(uniques),
+		URI:             opt.uri,
+		Digest:          opt.digest,
+		ProcessedAt:     time.Now().UTC(),
+		RecordCount:     len(uniques),
 		Vulnerabilities: uniques,
 	}
 
@@ -58,8 +58,6 @@ func output(in *Options, result *data.Scan) error {
 		return errors.New("vulnerabilities required")
 	}
 
-	log.Debug().Msgf("found: %d", result.Count)
-
 	// output to stdout
 	if in.Output == nil || *in.Output == "" {
 		je := json.NewEncoder(os.Stdout)

pkg/data/scan.go

@@ -6,7 +6,7 @@ import "time"
 type Scan struct {
 	URI             string           `json:"uri"`
 	Digest          string           `json:"digest"`
-	PerformedAt     time.Time        `json:"performed_at"`
+	ProcessedAt     time.Time        `json:"processed_at"`
+	RecordCount     int              `json:"record_count"`
 	Vulnerabilities []*Vulnerability `json:"vulnerabilities"`
-	Count           int              `json:"count"`
 }