Display warnings even when -v is not passed and no tty is present #2180
Comments
Thanks for the report! These logs are being generated in Syft, here: https://github.com/anchore/syft/blob/8095f7b8c14d2b2abf08c9516c7617c08e9fc319/internal/task/executor.go#L103 I can see how these seem noisy. I'll see if there's some better experience we can implement.
Hi @metametadata! I went looking for our suggestion to add CPEs if we try to match on a CPE and none are available, and it is at grype/grype/search/criteria.go Line 31 in c87f4a0
log.Warn, and warnings show up without --verbose.
In general, if a message is something a user could do to make the scan better, we try to
Without I've written about it in the similar Syft issue: anchore/syft#3081 (comment). Maybe the similar issue should be added in the Grype repo?
Hi @metametadata thanks for the response and for connecting this with the Syft issue! I think warnings being lost when no TTY is available is not a great experience and we should treat it as a bug. Also, thanks for mentioning it happens when Grype is invoked via a Kotlin script - this clue really helped.

For investigating, I made a simple Python script that wraps Grype and repros the issue:

```python
import subprocess
import sys

# Forward any command-line arguments straight to grype.
args = ["grype"]
args.extend(sys.argv[1:])

# Capture both streams through pipes, so grype runs without a TTY.
process = subprocess.Popen(
    args,
    stdout=subprocess.PIPE,
    stderr=subprocess.PIPE,
    text=True,
    bufsize=1,
)
try:
    # Echo stdout first, then stderr, prefixing each line with its stream.
    for stdout_line in iter(process.stdout.readline, ""):
        sys.stdout.write(f"out: {stdout_line}")
        sys.stdout.flush()
    for stderr_line in iter(process.stderr.readline, ""):
        sys.stderr.write(f"err: {stderr_line}")
        sys.stderr.flush()
finally:
    process.stdout.close()
    process.stderr.close()
    process.wait()
```

I'm guessing this is similar to the situation for Grype in your Kotlin script: stderr and stdout are captured within the parent process and printed indirectly, so grype can write bytes to either stderr or stdout, but no tty is present.

Reproing the error: Grype will

```
❯ grype dir:.
... snip ...
[0000] WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal)
No vulnerabilities found
❯ python pygrype.py dir:.
out: No vulnerabilities found
❯ python pygrype.py dir:. --verbose
python pygrype.py dir:. --verbose
out: No vulnerabilities found
err: [0000] INFO grype version: 0.82.0
err: [0000] WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal)
err: [0000] INFO task completed elapsed=54.167µs task=environment-cataloger
... snip ...
... dozens of lines of log spam hiding the warning ...
```

So in the second version, we can see that the warning is dropped. I can get it back with

I think a reasonable requirement we should take here is: Grype (and Syft) should display

I think what's happening is this:

These three statements make sense separately, but combine to make it so that

I'll try to add some code links in a minute.
The UI setup command is here: Line 39 in 5c2b262
I suspect the bug may be over in https://github.com/anchore/clio, which is a Terminal UI library shared by Syft and Grype.
Agree. I then will be able to delete
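A wrapper-side workaround for the behaviour discussed in this thread, as an added example that is not code from the Grype maintainers or from any comment here: run the scanner with `--verbose` while both streams are captured, and surface only the WARN and ERROR lines. The `[0000] LEVEL message` line shape is taken from the output quoted above; the function names, the set of levels kept, and the sample lines are assumptions made for illustration.

```python
import re
import subprocess
import sys
import threading

# Line shape taken from the output quoted in this thread: "[0000] WARN message".
LOG_LINE = re.compile(r"^\[\d+\]\s+([A-Z]+)\s+(.*)$")
KEEP = frozenset({"WARN", "ERROR"})  # assumption: the levels worth surfacing

# Constructed sample, shaped like the --verbose output shown above.
SAMPLE = [
    "[0000] INFO grype version: 0.82.0\n",
    "[0000] WARN no explicit name and version provided for directory source\n",
    "[0000] INFO task completed elapsed=54.167µs task=environment-cataloger\n",
]


def important_lines(lines, keep=KEEP):
    """Return (level, message) pairs for log lines whose level is in keep."""
    found = []
    for line in lines:
        match = LOG_LINE.match(line.strip())
        if match and match.group(1) in keep:
            found.append((match.group(1), match.group(2)))
    return found


def run_verbose(args):
    """Run args + --verbose without a TTY; return (exit code, report, warnings)."""
    proc = subprocess.Popen(
        [*args, "--verbose"],
        stdout=subprocess.PIPE, stderr=subprocess.PIPE,
        text=True, encoding="utf-8", errors="replace",
    )
    stderr_lines = []
    # Drain stderr on its own thread so a long verbose log cannot fill the
    # pipe and stall the child while stdout is still being read.
    reader = threading.Thread(target=lambda: stderr_lines.extend(proc.stderr))
    reader.start()
    report = proc.stdout.read()
    reader.join()
    return proc.wait(), report, important_lines(stderr_lines)


if __name__ == "__main__":
    code, report, warnings = run_verbose(["grype", *sys.argv[1:]])
    sys.stdout.write(report)
    for level, message in warnings:
        sys.stderr.write(f"{level}: {message}\n")
    sys.exit(code)
```
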
v0.82.0
There are many seemingly useless logs on --verbose which make the reports harder to read and can hide more important messages produced on --verbose (such as suggesting setting add-cpes-if-none).

Maybe they could be hidden behind some other CLI flag instead of --verbose?