fix: vulnerabilities should be printed when --fail-on fails (#1395)

Stop terminating the UI early if the error is that the "--fail-on" threshold failed. Signed-off-by: Will Murphy <will.murphy@anchore.com>
anchore · Jul 19, 2023 · e09bae3 · e09bae3
1 parent 03d18a5
commit e09bae3
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 6 deletions.
diff --git a/cmd/grype/cli/legacy/event_loop.go b/cmd/grype/cli/legacy/event_loop.go
@@ -9,13 +9,14 @@ import (
 	"github.com/wagoodman/go-partybus"
 
 	"github.com/anchore/clio"
+	"github.com/anchore/grype/grype/grypeerr"
 	"github.com/anchore/grype/internal/log"
 )
 
 // eventLoop listens to worker errors (from execution path), worker events (from a partybus subscription), and
 // signal interrupts. Is responsible for handling each event relative to a given UI an to coordinate eventing until
 // an eventual graceful exit.
-func eventLoop(workerErrs <-chan error, signals <-chan os.Signal, subscription *partybus.Subscription, cleanupFn func(), uxs ...clio.UI) error {
+func eventLoop(workerErrs <-chan error, signals <-chan os.Signal, subscription *partybus.Subscription, cleanupFn func(), uxs ...clio.UI) error { //nolint:gocognit
 	defer cleanupFn()
 	events := subscription.Events()
 	var err error
@@ -39,12 +40,15 @@ func eventLoop(workerErrs <-chan error, signals <-chan os.Signal, subscription *
 				continue
 			}
 			if err != nil {
-				// capture the error from the worker and unsubscribe to complete a graceful shutdown
+				// if the error is not a severity threshold error, then it is unexpected and we should start to tear down the UI
+				if !errors.Is(err, grypeerr.ErrAboveSeverityThreshold) {
+					// capture the error from the worker and unsubscribe to complete a graceful shutdown
+					_ = subscription.Unsubscribe()
+					// the worker has exited, we may have been mid-handling events for the UI which should now be
+					// ignored, in which case forcing a teardown of the UI irregardless of the state is required.
+					forceTeardown = true
+				}
 				retErr = multierror.Append(retErr, err)
-				_ = subscription.Unsubscribe()
-				// the worker has exited, we may have been mid-handling events for the UI which should now be
-				// ignored, in which case forcing a teardown of the UI irregardless of the state is required.
-				forceTeardown = true
 			}
 		case e, isOpen := <-events:
 			if !isOpen {

diff --git a/test/cli/cmd_test.go b/test/cli/cmd_test.go
@@ -54,6 +54,14 @@ func TestCmd(t *testing.T) {
 				assertInOutput("scope: all-layers"),
 			},
 		},
+		{
+			name: "vulnerabilities in output on -f with failure",
+			args: []string{"registry:busybox:1.31", "-f", "high", "--platform", "linux/amd64"},
+			assertions: []traitAssertion{
+				assertInOutput("CVE-2021-42379"),
+				assertFailingReturnCode,
+			},
+		},
 	}
 
 	for _, test := range tests {