2 changes: 1 addition & 1 deletion cli/docs/flags.go
Expand Up @@ -278,7 +278,7 @@ var flagsMap = map[string]components.Flag{
Sbom: components.NewBoolFlag(Sbom, "Set if you'd like all the SBOM (Software Bill of Materials) components to be displayed and not only the affected. Ignored if provided 'format' is not 'table' or 'cyclonedx'."),
OutputFormat: components.NewStringFlag(
OutputFormat,
"Defines the output format of the command. Acceptable values are: table, json, simple-json, sarif and cyclonedx. Note: the json format doesn't include information about scans that are included as part of the Advanced Security package.",
"Defines the output format of the command. Acceptable values are: table, json, simple-json, sarif and cyclonedx. Note: the json format doesn't include information about scans that are included as part of the Advanced Security package. Note: cycloneDx format does support information about violations, only vulnerabilities are currently supported",
components.WithStrDefaultValue("table"),
),
Fail: components.NewBoolFlag(Fail, fmt.Sprintf("When using one of the flags --%s, --%s or --%s and a 'Fail build' rule is matched, the command will return exit code 3. Set to false if you'd like to see violations with exit code 0.", Watches, Project, RepoPath), components.WithBoolDefaultValue(true)),
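Review bot: The sentence appended to the OutputFormat help text says `cycloneDx format does support information about violations`, which states the opposite of what the cli/utils.go check in this same PR enforces (context flags are rejected for CycloneDX because violations cannot be shown); the word "not" is missing. Suggested wording: `Note: the cyclonedx format does not support violations; only vulnerabilities are currently reported in it.` The value is also spelled `cycloneDx` here while the acceptable-values list earlier in the same string uses `cyclonedx`, so matching that spelling avoids a user wondering whether these are two different formats. The flagsMap literal this entry belongs to starts and ends outside the hunk.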
6 changes: 6 additions & 0 deletions cli/utils.go
Expand Up @@ -97,7 +97,13 @@ func validateConnectionAndViolationContextInputs(c *components.Context, serverDe
if contextFlag > 1 {
return errorutils.CheckErrorf("only one of the following flags can be supplied: --watches, --project or --repo-path")
}

if contextFlag > 0 && format == outputFormat.CycloneDx {
if c.GetBoolFlagValue(flags.Vuln) {
// If Vuln flag id requested we indicate that ONLY vulnerabilities will be displayed in the output cdx, even if violations exist.
log.Warn("The CycloneDX format does not support security violations. Since the --vuln flag is present, the generated report will contain only vulnerabilities. Any existing violations induced from the provided context (--project, --watches, or --repoPath) will be excluded, resulting in a partial report if violations exist.")
return nil
}
// CDX format does not support displaying violations so we cannot allow context flags that are relevant only when violations are displayed.
return errorutils.CheckErrorf("Violations are not supported in CycloneDX format.")
}
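Review bot: The new log.Warn message names the context flag as `--repoPath`, while the error a few lines above in the same function spells it `--repo-path`; a user who copies the name from the warning into the command line will get an unknown-flag error, so the parenthetical should read `(--project, --watches, or --repo-path)`. The `return nil` in the --vuln branch leaves validateConnectionAndViolationContextInputs early, and since the function continues past the end of this hunk it appears to skip whatever validation follows when a context flag, --vuln and CycloneDX are combined; confirm that is intended, or drop the `return nil` so the remaining checks still run after the warning. Because the resulting CycloneDX report silently omits violations that the supplied watch/project/repo context would otherwise surface, it is worth confirming that the documented 'Fail build' exit-code behaviour is not bypassed by this path, and stating the outcome in the comment. The added comment also has a typo: `If Vuln flag id requested` should read `If the --vuln flag is requested`.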