feat: Improve jf scan summary for unsupported file types #415
Currently, when jf scan is run on a file whose type is not supported by the Xray indexer (e.g., a plain .txt or .exe file), the command completes successfully but prints the summary message: ✨ No vulnerable components were found ✨. This is misleading for users, as it implies the file was scanned and found clean, rather than indicating it wasn't scanned at all due to incompatibility.
Solution:
This PR implements the following changes to provide clearer feedback in this scenario:
Added Warning: A log.Warn message is now printed immediately when the indexer skips a file due to an unsupported type (exit code 3), explicitly informing the user about that specific file. (Change in commands/scan/scan.go)
Track Scannable State: A new boolean field HasScannableComponents was added to the results.SecurityCommandResults struct to track whether at least one file in the scan input was successfully indexed and processed (i.e., was of a supported type). (Change in utils/results/results.go)
Set Tracking Flag: Logic was added at the end of the RunScan function to set the HasScannableComponents flag based on whether any TargetResults had their Technology identified. (Change in commands/scan/scan.go)
Conditional Summary: The output logic (in utils/results/output/resultwriter.go) was modified. Before printing the final summary, it now checks:
If zero vulnerabilities were found AND the HasScannableComponents flag is false AND files were actually attempted, it prints a new, more accurate summary: ✨ Scan completed: No files of a supported type were found or scanned. ✨
Otherwise, it prints the original summary ("No vulnerable components found" or the vulnerability table).
Benefit:
This change significantly improves the user experience by:
Providing immediate feedback when a file is skipped due to its type.
Displaying a clear and accurate summary message when only unsupported files are scanned, preventing confusion.
Testing:
Verified locally by running the modified jf scan command against:
An unsupported file type (e.g., .txt, .exe): Confirmed the warning and the new summary message appear.
A supported file type with no vulnerabilities: Confirmed the standard "No vulnerable components" message appears.
A supported file type with vulnerabilities: Confirmed the vulnerability table appears correctly.
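The summary decision described in this PR, as an added example that is not code from the pull request or from the JFrog CLI: the types, method names, warning text and the count line standing in for the vulnerability table are hypothetical, and only the field name `HasScannableComponents`, exit code 3 and the two summary strings come from the description above.

```go
package main

import "fmt"

// Hypothetical stand-ins for the results types named in the PR, not the project's definitions.
type TargetResult struct {
	Path, Technology string // Technology stays empty when the indexer skipped the file
	Vulnerabilities  int
}

type ScanResults struct {
	Targets                []TargetResult
	HasScannableComponents bool
}

// Record stores one indexer outcome; exit code 3 means the file type is unsupported.
func (r *ScanResults) Record(path, tech string, exitCode, vulns int) (warning string) {
	if exitCode == 3 { // nothing was indexed, so keep no technology and no findings
		tech, vulns = "", 0
		warning = "skipping unsupported file type: " + path // constructed wording
	}
	r.Targets = append(r.Targets, TargetResult{Path: path, Technology: tech, Vulnerabilities: vulns})
	return warning
}

// Summary sets the tracking flag from the recorded targets, then picks the message.
func (r *ScanResults) Summary() string {
	total := 0
	for _, t := range r.Targets {
		total += t.Vulnerabilities
		if t.Technology != "" {
			r.HasScannableComponents = true
		}
	}
	switch {
	case total > 0:
		return fmt.Sprintf("%d vulnerabilities found", total) // stands in for the table
	case len(r.Targets) > 0 && !r.HasScannableComponents:
		return "Scan completed: No files of a supported type were found or scanned."
	default:
		return "No vulnerable components were found"
	}
}

func main() {
	r := &ScanResults{}
	fmt.Println(r.Record("notes.txt", "", 3, 0)) // constructed sample input
	fmt.Println(r.Summary())
}
```

A mixed input (one skipped file plus one supported, clean file) still yields the original "clean" summary here, so the per-file warning is the only signal that part of the input went unscanned.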