
Templates for grype output. HTML template #724

Closed
myrkytyn opened this issue Apr 13, 2022 · 16 comments
Labels
enhancement New feature or request

Comments

@myrkytyn

Hi! Does someone have templates for grype? I need to scan my images and get the output in a human-readable HTML format.

I think it will be great if we can have a directory with templates for the grype project.

@myrkytyn myrkytyn added the enhancement New feature or request label Apr 13, 2022
@freedom-isnotanarchy

(1) ((directory with templates)): Yes, great idea !
(2) Here is 1 grype template that I use:
"0-FILE:"#"PACKAGE:"#"VULNERABILITY:"#"SEVERITY:"#"Is Fixed:"#"Version Found:"#"Version Fixed:"#"Type:"#"Namespace:"#"Package URL:"#"Vulnerability Source:"#"Description:"#"URLS:"
{{- range .Matches}}
"__FILENAME__"#"{{.Artifact.Name}}"#"{{.Vulnerability.ID}}"#"{{.Vulnerability.Severity}}"#"{{.Vulnerability.Fix.State}}"#"'{{.Artifact.Version}}"#"{{.Vulnerability.Fix.Versions}}"#"{{.Artifact.Type}}"#"{{.Vulnerability.Namespace}}"#"{{.Artifact.PURL}}"#"{{.Vulnerability.DataSource}}"#"{{.Vulnerability.Description}}"#"{{.Vulnerability.URLs}}"
{{- end}}

@samcro1967

Is the correct usage to redirect the output to an html file for viewing in a browser in a human-readable format? It generates the html files with the output, but it is not formatted in any way. Guessing I am not doing this correctly or am missing something.

grype -c grype.yaml -o template -t custom.template --scope all-layers --only-fixed sbom:./sboms/$CONTAINER.json > ./results/${TIMESTAMP}_$CONTAINER.html


@adriens
Contributor

adriens commented Apr 16, 2022

Sorry for asking here, but it's also template related.

Is there any markdown ready-to-use template?... I'd like to post-process it with pandoc to build a ready-to-use automated documentation toolchain... human readable.

BTW : that would fix the html generation.

@ida-greuelr

Inspired by the html output of https://sourceforge.net/projects/command-output-to-html-table/ I created a simple html table template. Works fine for me, is human readable and interactive:

<!DOCTYPE html>
<html>

<head>
  <!-- grype writes UTF-8; the charset must be its own meta tag, not an attribute on the viewport tag -->
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <title>Grype</title>
  <script>
    function myFunction() {
      // Declare variables (j included, so the inner loop does not leak a global)
      var input, filter, table, tr, td, i, j;
      input = document.getElementById("myInput");
      filter = input.value.toUpperCase();
      table = document.getElementById("myTable");
      tr = table.getElementsByTagName("tr");

      // Loop through all table rows (skipping the header row), and hide those that do not match the search query
      for (i = 1; i < tr.length; i++) {
        td = tr[i].getElementsByTagName("td");
        for (j = 0; j < td.length; j++) {
          var tdata = td[j];
          if (tdata) {
            if (tdata.innerHTML.toUpperCase().indexOf(filter) > -1) {
              tr[i].style.display = "";
              break;
            } else {
              tr[i].style.display = "none";
            }
          }
        }
      }
    }
  </script>

  <style type="text/css">
    /* CSS has no "//" line comments: a "//" line swallows the rule that follows it,
       so the notes below use the block form */
    table,
    th,
    td {
      border: 1px solid black; /* changing-colors */
      /* word-wrap: break-word; */
    }

    tr:first-child {
      font-weight: bold;
    }

    tr:nth-child(even) {
      background: #eef
    }

    /* changing-colors */
    tr:nth-child(odd) {
      background: #fee
    }

    /* changing-colors */

    * {
      box-sizing: border-box;
    }

    #myInput {
      background-image: url("search.png");
      background-position: left center;
      background-repeat: no-repeat;
      width: 94%;
      font-size: 16px;
      padding: 8px 20px 8px 40px;
      border: 2px solid Tomato; /* changing-colors */
      margin-bottom: 18px;
    }

    #myTable {
      border-collapse: collapse;
      border: 1px solid #ddd; /* changing-colors */
      width: 100%;
      margin-top: 18px;
      /* Uncomment the two lines below to get a fixed-width table */
      /* table-layout: fixed; */
      /* word-wrap: break-word; */
      /* font-size: 18px; */
    }

    #myTable th,
    #myTable td {
      text-align: left;
      padding: 12px;
    }

    #myTable tr {
      border-bottom: 1px solid #ddd; /* changing-colors */
    }

    #myTable tr:first-child:hover,
    #myTable tr:hover {
      background-color: rgb(4, 112, 155); /* changing-colors */
    }

    #myTable tr:first-child {
      background-color: rgb(4, 112, 155); /* changing-colors */
      font-weight: bold;
    }
  </style>
</head>

<body>
  <h2 style="text-align:center;background-color:DodgerBlue;color:White;">Identified Vulnerabilities</h2>
  <input type="text" id="myInput" onkeyup="myFunction()" placeholder="Search in all Fields...."
    title="Type in a Search String" autofocus="autofocus">
  <table id="myTable">
    <tr>
      <th>NAME</th>
      <th>INSTALLED</th>
      <th>TYPE</th>
      <th>VULNERABILITY</th>
      <th>SEVERITY</th>
      <th>DESCRIPTION</th>
      <th>STATE</th>
      <th>FIXED IN</th>
    </tr>
{{- /* grype renders with text/template, which does not escape output; the html function keeps
       markup in package names or advisory descriptions from being interpreted by the browser */}}
{{- range .Matches}}
    <tr>
      <td>"{{html .Artifact.Name}}"</td>
      <td>"{{html .Artifact.Version}}"</td>
      <td>"{{html .Artifact.Type}}"</td>
      <td>"{{html .Vulnerability.ID}}"</td>
      <td>"{{html .Vulnerability.Severity}}"</td>
      <td>"{{html .Vulnerability.Description}}"</td>
      <td>"{{html .Vulnerability.Fix.State}}"</td>
      <td>"{{html .Vulnerability.Fix.Versions}}"</td>
    </tr>
{{- end}}
  </table>
</body>

</html>

Copy/paste into a file like html.tmpl and run for example:

grype docker:ubuntu:focal -o template -t html.tmpl > grype.html

Praise the sourceforge project for its html layout 🥇 !

@spiffcs
Contributor

spiffcs commented Jun 1, 2022

@ida-greuelr this is awesome!

@spiffcs
Contributor

spiffcs commented Jul 8, 2022

Closing this issue with the template provided. If anyone else objects or has a related PR to file under this issue, just tag me and we can sort it.


@spiffcs spiffcs closed this as completed Jul 8, 2022
@adriens
Contributor

adriens commented Jul 13, 2022

Hi, can I access the name of the scanned input object (docker image, file, directory, ...) through a variable from within the template ❔ That would be very useful.

Should I create a dedicated issue ?

@adriens
Contributor

adriens commented Jul 13, 2022

Forget my previous question, cf. documentation:

Grype's template processing uses the same data models as the json output format — so if you're wondering what data is available as you author a template, you can use the output from grype -o json as a reference.

@adriens
Contributor

adriens commented Jul 18, 2022

@ida-greuelr, to put the template in security and start some more devs on templates, I created this https://dev.to/optnc/grype-0420-is-out-and-hello-grype-contribs-3g4i

We'll work on improving templates and some other stuff.

@rtarquini

I'm having trouble understanding how the json names map back to the template. I was trying to extract the artifact path using .Artifact.Locations.Path, but that throws the error below:

ERROR unable to show grype-vulnerability-scanning-finished event: unable to show vulnerability report: unable to execute supplied template: template: html.tmpl:131:22: executing "html.tmpl" at <.Artifact.Locations.Path>: can't evaluate field Path in type []source.Coordinates

@kzantow
Contributor

kzantow commented Feb 24, 2023

@rtarquini .Artifact.Locations is a slice (list/array), so you'll need to use a loop construct, I think it would be something like:

{{- range .Artifact.Locations}}
  {{.Path}}
{{- end}}

@mike-19

mike-19 commented Mar 15, 2023

@kzantow {{.Path}} will not work and will result in the same error; this is primarily due to improper definitions in the data model referenced here in #963

This should work

{{- range .Artifact.Locations}}
  {{(index .Artifact.Locations 0).Path}}
{{- end}}

@kzantow
Contributor

kzantow commented Mar 15, 2023

@mike-19 ah, I forgot about that RealPath detail. But note you would only want to use {{(index .Artifact.Locations 0).Path}} if you are just getting the first element; the {{- range... stuff is for iterating over each element. So if you just want the first element, you can use: {{(index .Artifact.Locations 0).RealPath}}. If you want all locations, you can use {{- range $i, $e := .Artifact.Locations}}{{- if $i}}, {{- end}}{{$e.RealPath}}{{- end}}. I tested both of these out and they do work.
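The html template earlier in the thread drops template values into the page unescaped, and the Locations exchange above shows how grype's JSON model maps onto template fields. The following added example (not from the thread and not grype's own code) renders table rows from a constructed grype-style JSON document with Go's text/template, the engine grype uses for -o template, applying the built-in html escaper to every cell and the range/index location join from the previous comment; the struct types are an assumed subset of grype's JSON model.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"text/template"
)

// Assumed subset of grype's JSON document (illustrative types, not grype's own); encoding/json matches the field names case-insensitively.
type Location struct{ Path, RealPath string }
type Artifact struct {
	Name, Version string
	Locations     []Location
}
type Vulnerability struct{ ID, Severity, Description string }
type Match struct {
	Artifact      Artifact
	Vulnerability Vulnerability
}
type Document struct{ Matches []Match }
// Constructed sample document; the description deliberately carries markup, as advisory text may.
const sampleJSON = `{"matches":[{"artifact":{"name":"openssl","version":"1.1.1k","locations":[
{"path":"/var/lib/dpkg/status","realPath":"/var/lib/dpkg/status"},{"path":"/usr/lib/libssl.so.1.1","realPath":"/usr/lib/libssl.so.1.1"}]},
"vulnerability":{"id":"CVE-EXAMPLE-0001","severity":"High","description":"<script>alert(1)</script> buffer overflow"}}]}`

// text/template does not escape output, so the built-in html function wraps every field; the locations column uses the range/index join from the thread.
const rowTmpl = `{{range .Matches}}<tr><td>{{html .Artifact.Name}}</td><td>{{html .Vulnerability.ID}}</td>
<td>{{html .Vulnerability.Description}}</td>
<td>{{range $i, $e := .Artifact.Locations}}{{if $i}}, {{end}}{{html $e.RealPath}}{{end}}</td></tr>
{{end}}`

// RenderRows parses a grype JSON document and renders one table row per match.
func RenderRows(jsonDoc string) (string, error) {
	var doc Document
	if err := json.Unmarshal([]byte(jsonDoc), &doc); err != nil {
		return "", err
	}
	var buf bytes.Buffer
	err := template.Must(template.New("rows").Parse(rowTmpl)).Execute(&buf, doc)
	return buf.String(), err
}

func main() {
	out, err := RenderRows(sampleJSON)
	if err != nil {
		panic(err)
	}
	fmt.Print(out)
}
```

Run against a real report by replacing sampleJSON with the output of grype -o json; the same html pipeline works inside the full html.tmpl from this thread.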

@OnceUponALoop
Contributor

I created a new fancy html template with some filtering using datatables.js. It's available as a gist here


@spiffcs
Contributor

spiffcs commented Apr 16, 2024

Wow thanks for the PR @OnceUponALoop! Let me give this a look and we'll include it under our template folder. This is excellent!
