Commit 8a46d20

Authored by: bluesentinelsec, clueleaf, Michael Long, CarolMebiom, Maria Carolina Conceição
Sync 1.x to branch v1.3.0 (#124)
* replace scanner example (#84)
* Write CSV with no vulns (#86)
* reproducing issue - test 1
* resolve issue 85 - test 2
* test 3
* test fix
--------
Co-authored-by: Michael Long <mlongii@amazon.com>
* testing CSV with no vulns
* test against main branch
* Write Dockerfile CSV and Markdown on no vulns (#88)
Co-authored-by: Michael Long <mlongii@amazon.com>
* Set example workflows to main branch for testing
* Display 'no vulns found' for Dockerfiles (#92)
Co-authored-by: Michael Long <mlongii@amazon.com>
* Tweak dockerfile report (#93)
Co-authored-by: Michael Long <mlongii@amazon.com>
* Omit Dockerfile table on no vulns (#94)
Co-authored-by: Michael Long <mlongii@amazon.com>
* Updated workflows to v1.x - testing auto-updates (#96)
Co-authored-by: Michael Long <mlongii@amazon.com>
* update README (#97)
Co-authored-by: Michael Long <mlongii@amazon.com>
* Extend vulnerability severity providers (#98)
* Add severity providers: GHSA, GitLab
* Add severity providers: GHSA, GitLab
* Add REDHAT_CVE and UBUNTU_CVE providers
* rename GHSA to GITHUB
--------
Co-authored-by: Michael Long <mlongii@amazon.com>
* Add platform argument for container image scans (#102)
* add --platform support for multi-arch containers
* test multi-arch images on current branch
* test actions against sbomgen 1.5.1-beta
* fix --platform parsing error
* fix platform parsing bug
* test workflows on sbomgen latest (1.5.2)
* Validate --platform input
* Add more test cases, and revert workflow definitions
* fix typo in platform arg
--------
Co-authored-by: Michael Long <mlongii@amazon.com>
* Improve severity rating consistency (#112)
* fix severity rating mismatch
* temporarily add a test workflow
* Fix type issue: float provided, expected string
* Rename workflow / job name
* Add severity comparison logic
* Revise severity sorting and selection logic
* return default values on error
* skip EPSS ratings for severity column
* debugging unknown ratings
* fix ratings with unknown name
* Verify AMAZON_INSPECTOR renders correctly
* fix failing test
* temporarily disable failing tests
* pass unit test: test_parse_inspector_scan_result
* pass unit tests
* change '-f' to '--failfast' for clarity
* Remove unused type cast
* refactor csv test
* severity is rendered as 'other' not 'unknown'
* test build on all actions
* normalize dockerfile findings severity rating
* debugging dockerfile severity
* debugging
* Normalize Dockerfile severity 'info' to 'other'
* restore test actions
* minor comment update
* Remove develop workflow
* Address PR feedback
* test workflows against refactor
* handle edge case CVE-2025-22871
* fix missing severity edge case
* debugging epss
* debugging
* fix flawed test
* added test case for absent severity rating
* revert workflows to v1
--------
Co-authored-by: Michael Long <mlongii@amazon.com>
* Feature request 91 (#115)
* FR-91: Add cli arg only fixable vulnerability; use the variable in get_vuln_counts
* Revert "FR-91: Add cli arg only fixable vulnerability; use the variable in get_vuln_counts"
This reverts commit bc532d4.
* FR-91: Add cli arg only fixable vulnerability; use the variable in get_vuln_counts
* FR-91: Fix unit tests
* FR-91: Fix typo in unit tests
* Revert "FR-91: Fix typo in unit tests"
This reverts commit e645542.
* Revert "FR-91: Fix unit tests"
This reverts commit f9157c9.
* Revert "FR-91: Add cli arg only fixable vulnerability; use the variable in get_vuln_counts"
This reverts commit 812c685.
* FR-91: Change orchestrator to only find fixed vulnerabilities if flag show-only-fixed-vulnerabilities is present
* FR-91: Fixed missing variable
* FR-91: Fixed typo
* FR-91: Fixed typo
* FR-91: Another fix
* FR-91: Another fix
* FR-91: Another fix
* FR-91: Another fix
* FR-91: Another fix
* FR-91: Another fix
* FR-91: Another fix
* Add unit test for get_vuln_count
* Fix unit test for get_vuln_count
--------
Co-authored-by: Maria Carolina Conceição <carolina.bento@floy.com>
* Clarify license of inspector-sbomgen dependency (#121)
Co-authored-by: Michael Long <mlongii@amazon.com>
* [v1.3.0] Only trigger vuln threshold on fixable vulns (#122)
* Add --threshold-fixable-only to CLI
* implemented business logic
* changed 'threshold_fixable_only' from str to bool
* Added more test coverage and CLI refinements
* debugging failing unit test
* test threshold-fixable-only in workflow
* test threshold-fixable-only in workflow
* debugging CI/CD
* debugging CI/CD
* debugging
* debugging
* debugging
* debugging
* removed debug log showing CLI arguments
* add missing argument, fixed_vuln_counts
* simplify get_fixed_vuln_counts() return values
* refactor return types in get_scan_result()
* refactor
* refine get_fixed_vuln_counts()
* update test_get_fixed_vuln_counts()
* testing case sensitivity
* revert 'TRUE' to 'true'
* use debug log when vuln doesn't have rating
* integrate --show-only-fixable-vulns (part 1)
* integrate only show fixable vulns
* test example workflows
* fix CLI input arguments
* remove leading '-' character for conditional inclusion
* add a no-op CLI arg (workaround)
* enable new arguments in workflows
* fix failing test
* update workflows for prod
--------
Co-authored-by: Michael Long <mlongii@amazon.com>
* set workflows to v1.3.0 for burn-in
--------
Co-authored-by: clueleaf <10379303+clueleaf@users.noreply.github.com>
Co-authored-by: Michael Long <mlongii@amazon.com>
Co-authored-by: CarolMebiom <59604360+CarolMebiom@users.noreply.github.com>
Co-authored-by: Maria Carolina Conceição <carolina.bento@floy.com>
1 parent e8df48b commit 8a46d20

26 files changed, +839 / -182 lines changed

.github/workflows/build_scan_container.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -47,7 +47,7 @@ jobs:
4747
role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
4848

4949
- name: Scan built image with Inspector
50-
uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.1.3
50+
uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.3.0
5151
id: inspector
5252
with:
5353
artifact_type: 'container'
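Review bot: the `uses:` line moves from one mutable tag (`@v1.1.3`) to another (`@v1.3.0`) in a job that assumes an IAM role (`role-to-assume: ${{ secrets.AWS_IAM_ROLE }}` two lines above); pin `uses:` to the full commit SHA of the v1.3.0 release and keep the tag in a trailing comment, so a retagged or force-pushed release cannot silently change the code that runs with those credentials. The same applies to every other version bump in this commit, and to the `ubuntu:14.04` / `alpine:latest` image references the test workflows scan by tag.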

.github/workflows/example_display_findings.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -29,7 +29,7 @@ jobs:
2929
# modify this block to scan your intended artifact
3030
- name: Inspector Scan
3131
id: inspector
32-
uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.1.3
32+
uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.3.0
3333
with:
3434
# change artifact_type to either 'repository', 'container', 'binary', or 'archive'.
3535
# this example scans a container image

.github/workflows/example_vulnerability_threshold_exceeded.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -48,7 +48,7 @@ jobs:
4848

4949
# Inspector scan
5050
- name: Scan container with Inspector
51-
uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.1.3
51+
uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.3.0
5252
id: inspector
5353
with:
5454
artifact_type: 'container' # configure Inspector for scanning a container
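Review bot: this example is the one people will copy for threshold behaviour, and the commit message says the release adds `--threshold-fixable-only` and "enable new arguments in workflows", yet the hunk only bumps the version. If the action exposes that input, show it in the `with:` block here (commented out if the default should stay "threshold on all findings") and state in a comment whether the threshold counts every vulnerability or only fixable ones; otherwise the behaviour change is invisible to someone reading the example.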

.github/workflows/test_archive.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -32,7 +32,7 @@ jobs:
3232

3333
- name: Test archive scan
3434
id: inspector
35-
uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.1.3
35+
uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.3.0
3636
with:
3737
artifact_type: 'archive'
3838
artifact_path: 'entrypoint/tests/test_data/artifacts/archives/testData.zip'

.github/workflows/test_binary.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -32,7 +32,7 @@ jobs:
3232

3333
- name: Test binary scan
3434
id: inspector
35-
uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.1.3
35+
uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.3.0
3636
with:
3737
artifact_type: 'binary'
3838
artifact_path: 'entrypoint/tests/test_data/artifacts/binaries/inspector-sbomgen'

.github/workflows/test_containers.yml

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -32,12 +32,13 @@ jobs:
3232

3333
- name: Test container scan
3434
id: inspector
35-
uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.1.3
35+
uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.3.0
3636
with:
3737
artifact_type: 'container'
3838
artifact_path: 'ubuntu:14.04'
39+
platform: "linux/arm64"
3940
display_vulnerability_findings: "enabled"
40-
sbomgen_version: "1.3.1"
41+
sbomgen_version: "latest"
4142

4243
- name: Display scan results
4344
run: cat ${{ steps.inspector.outputs.inspector_scan_results }}
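Review bot: `sbomgen_version: "latest"` replaces a pinned `"1.3.1"`, so this test now floats with whatever inspector-sbomgen release is current, on top of `artifact_path: 'ubuntu:14.04'` already being a mutable tag; a failure will be hard to attribute to the action versus a new sbomgen. Pin to the version the release was validated against (the commit message mentions 1.5.2) and let a separate job exercise `latest`. Since `platform` is a new input and the message lists several `--platform` parsing fixes plus input validation, a second job with another platform value, and one with an invalid value that is expected to fail, would cover those paths. Minor: the new `platform: "linux/arm64"` line uses double quotes where the neighbouring `artifact_path` uses single.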

.github/workflows/test_dockerfile_vulns.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -31,7 +31,7 @@ jobs:
3131

3232
- name: Scan Dockerfiles
3333
id: inspector
34-
uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.1.3
34+
uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.3.0
3535
with:
3636
artifact_type: 'repository'
3737
artifact_path: './'

.github/workflows/test_installation.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -28,7 +28,7 @@ jobs:
2828
role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
2929

3030
- name: Test Amazon Inspector GitHub Actions plugin
31-
uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.1.3
31+
uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.3.0
3232
with:
3333
artifact_type: 'container'
3434
artifact_path: 'alpine:latest'

.github/workflows/test_no_vulns.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -28,7 +28,7 @@ jobs:
2828

2929
- name: Test binary scan
3030
id: inspector
31-
uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.1.3
31+
uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.3.0
3232
with:
3333
artifact_type: 'binary'
3434
artifact_path: 'entrypoint/tests/test_data/artifacts/binaries/test_go_binary'
Lines changed: 52 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,52 @@
1+
name: Test CSV no vulns
2+
3+
on:
4+
push:
5+
branches: #
6+
- '*'
7+
8+
jobs:
9+
daily_job:
10+
runs-on: ubuntu-latest
11+
environment:
12+
name: plugin-development
13+
14+
steps:
15+
16+
- name: Checkout this repository
17+
uses: actions/checkout@v4
18+
19+
- name: Configure AWS credentials
20+
uses: aws-actions/configure-aws-credentials@v4
21+
with:
22+
aws-region: ${{ secrets.AWS_REGION }}
23+
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
24+
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
25+
role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
26+
27+
- name: Test container scan
28+
id: inspector
29+
uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.3.0
30+
with:
31+
artifact_type: 'container'
32+
artifact_path: 'alpine:latest'
33+
display_vulnerability_findings: "enabled"
34+
sbomgen_version: "latest"
35+
36+
- name: Display scan results
37+
run: cat ${{ steps.inspector.outputs.inspector_scan_results_csv }}
38+
39+
- name: Display scan results (JSON)
40+
run: cat ${{ steps.inspector.outputs.inspector_scan_results }}
41+
42+
- name: Display package vulns (CSV)
43+
run: cat ${{ steps.inspector.outputs.inspector_scan_results_csv }}
44+
45+
- name: Display package vulns (MD)
46+
run: cat ${{ steps.inspector.outputs.inspector_scan_results_markdown }}
47+
48+
- name: Display Dockerfile vulns (CSV)
49+
run: cat ${{ steps.inspector.outputs.inspector_dockerfile_scan_results_csv }}
50+
51+
- name: Display Dockerfile vulns (MD)
52+
run: cat ${{ steps.inspector.outputs.inspector_dockerfile_scan_results_markdown }}
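Review bot: `on: push: branches: - '*'` runs this job on every push of every branch with real AWS credentials, and the credentials step passes long-lived keys (`aws-access-key-id` / `aws-secret-access-key`) alongside `role-to-assume`; restrict the trigger (to `main` and release branches, or `workflow_dispatch`) and consider dropping the static keys in favour of OIDC (`permissions: id-token: write` with only `role-to-assume`), since the step already assumes a role. Also: the job is named `daily_job` but there is no `schedule` trigger; the workflow is "Test CSV no vulns" yet it scans `alpine:latest`, which is not guaranteed to be free of findings, unlike `test_no_vulns.yml` above which scans a fixed test binary, so the no-vulns CSV path may not actually be exercised; "Display scan results" and "Display package vulns (CSV)" both `cat` the same `inspector_scan_results_csv` output, so one should go; and `branches: #` leaves an empty comment.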

0 commit comments
