Include comparison between vulnerability evaluations in minder summary
Please describe the enhancement
Currently there is a WIP (https://github.com/stacklok/minder/issues/1862) addition to minder reviews to include a summary comment that will always be edited atop the PR.
This will include some summary results on vulnerabilities and fixes found. However, I think it is important to include a point of comparison between the current results and previous ones.
This also brings about two questions:
- Should this compare with the HEAD of the PR?
- Should this compare with the previous evaluation results?
The summary data of the previous scan will be stored as an HTML comment in the body of the current top review -- functioning as metadata that can be parsed.
Example report below
Minder Vulnerability Report ⚠️
Minder found vulnerable dependencies in this PR. Either push an updated version or accept the proposed changes. Note that accepting the changes will include Minder as a co-author of this PR.
```
Vulnerability scan of 27d6810b:
- 🐞 vulnerabilities: 1
- 🛠 fixes: 1
```
| Package | Version | #Vulnerabilities | #Fixes | Patch Exists |
|---|---|---|---|---|
| mongodb | 0.5.0 | 1 | 1 | ✅ |
⚖️ Comparison with abcdefgh
Vulnerability comparison here
Solution Proposal
Some options if we decide that a comparison is a good idea:
Compare using diff
Current has fewer vulns than target
```diff
Vulnerability scan of abcdefgh (vs 27d6810b):
+ 🐞 Vulnerabilities: 4 (-3)
+ 🛠 Fixes: 2 (-1)
```
Current has more vulns than target
```diff
Vulnerability scan of abcdefgh (vs 27d6810b):
- 🐞 Vulnerabilities: 0 (+1)
- 🛠 Fixes: 0 (+1)
```
Keep using codeblock
```
Vulnerability scan of abcdefgh (vs 27d6810b):
- 🐞 Vulnerabilities: 4 (-3)
- 🛠 Fixes: 1 (+0)
```
Describe alternatives you've considered
No response
Additional context
No response
Acceptance Criteria
No response
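The mechanism the issue proposes has two halves: stash the previous evaluation's summary as an HTML comment in the top review body, and on the next run parse it back out to render the "Compare using diff" block. The following Go program is an added illustration of both halves; it is not minder's code, and the metadata marker name, the `ScanSummary` fields and the JSON layout are assumptions made for the example. The commit `27d6810b` is the one from the issue's sample report; `abcdef01` is a constructed hash standing in for the issue's `abcdefgh` placeholder, which is not valid hex.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// ScanSummary is the per-evaluation data stored as metadata. Field names are
// an assumption for this example, not minder's own types.
type ScanSummary struct {
	Commit          string `json:"commit"`
	Vulnerabilities int    `json:"vulnerabilities"`
	Fixes           int    `json:"fixes"`
}

// Marker for the hidden metadata comment (assumed name, not minder's).
const metaOpen = "<!-- minder-scan-summary: "
const metaClose = " -->"

var (
	metaRe   = regexp.MustCompile(`(?s)<!-- minder-scan-summary:(.*?)-->`)
	commitRe = regexp.MustCompile(`^[0-9a-f]{7,40}$`) // short or full git SHA
)

// EmbedSummary appends the summary to a review body as an HTML comment, which
// GitHub renders invisibly. Metadata from an earlier edit is replaced, since the
// summary comment is edited in place rather than re-posted.
func EmbedSummary(body string, s ScanSummary) (string, error) {
	raw, err := json.Marshal(s)
	if err != nil {
		return "", err
	}
	// "--" is not allowed inside an HTML comment and would also let a crafted
	// value terminate the comment early, so refuse to embed it.
	if strings.Contains(string(raw), "--") {
		return "", fmt.Errorf("summary contains \"--\", which cannot be stored in an HTML comment")
	}
	clean := strings.TrimRight(metaRe.ReplaceAllString(body, ""), "\n")
	return clean + "\n\n" + metaOpen + string(raw) + metaClose + "\n", nil
}

// ParseSummary recovers the previous evaluation from the existing review body.
// The body is editable content pulled from the PR, so the parsed values are
// validated before use; ok is false when nothing usable is present.
func ParseSummary(body string) (s ScanSummary, ok bool) {
	m := metaRe.FindStringSubmatch(body)
	if m == nil {
		return ScanSummary{}, false
	}
	if err := json.Unmarshal([]byte(strings.TrimSpace(m[1])), &s); err != nil {
		return ScanSummary{}, false
	}
	if !commitRe.MatchString(s.Commit) || s.Vulnerabilities < 0 || s.Fixes < 0 {
		return ScanSummary{}, false
	}
	return s, true
}

// RenderComparison produces the "Compare using diff" layout from the issue:
// lines are prefixed with "+" (rendered green) when the current scan has no
// more vulnerabilities than the previous one, and "-" (red) when it has more.
func RenderComparison(cur, prev ScanSummary) string {
	dv := cur.Vulnerabilities - prev.Vulnerabilities
	df := cur.Fixes - prev.Fixes
	prefix := "+"
	if dv > 0 {
		prefix = "-"
	}
	fence := strings.Repeat("`", 3)
	var b strings.Builder
	b.WriteString(fence + "diff\n")
	fmt.Fprintf(&b, "Vulnerability scan of %s (vs %s):\n", cur.Commit, prev.Commit)
	fmt.Fprintf(&b, "%s 🐞 Vulnerabilities: %d (%+d)\n", prefix, cur.Vulnerabilities, dv)
	fmt.Fprintf(&b, "%s 🛠 Fixes: %d (%+d)\n", prefix, cur.Fixes, df)
	b.WriteString(fence)
	return b.String()
}

// Comparison is what would run on each evaluation: read the previous summary
// out of the existing top review (if any) and render the comparison section.
func Comparison(prevBody string, cur ScanSummary) string {
	prev, ok := ParseSummary(prevBody)
	if !ok {
		return "⚖️ No previous evaluation to compare against."
	}
	return "⚖️ Comparison with " + prev.Commit + "\n" + RenderComparison(cur, prev)
}

func main() {
	// Constructed sample: the review left by the previous evaluation of 27d6810b.
	prevBody, err := EmbedSummary("Minder Vulnerability Report ⚠️",
		ScanSummary{Commit: "27d6810b", Vulnerabilities: 7, Fixes: 3})
	if err != nil {
		panic(err)
	}
	cur := ScanSummary{Commit: "abcdef01", Vulnerabilities: 4, Fixes: 2}
	fmt.Println(Comparison(prevBody, cur))
}
```

Two points worth keeping in mind if this shape is adopted: the metadata lives in a comment body that anyone with write access to the PR can edit, so the bot should only read it back from the comment it authored itself and should validate every field (as `ParseSummary` does) rather than trusting it; and an HTML comment cannot contain `--`, so the encoder must reject or escape values that would otherwise close the comment early.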
I love the new formatting @gregfurman !
@gregfurman -- did you fix this with #2171 ?
We still want to do the clever formatting trick with ```diff blocks...