Skip to content

feat: centralize finding display to fix unknown severity dropping in compact and verbose output#476

Closed
coder-Yash886 wants to merge 3 commits into
OWASP:mainfrom
coder-Yash886:feat/centralize-finding-display-385
Closed

feat: centralize finding display to fix unknown severity dropping in compact and verbose output#476
coder-Yash886 wants to merge 3 commits into
OWASP:mainfrom
coder-Yash886:feat/centralize-finding-display-385

Conversation

@coder-Yash886
Copy link
Copy Markdown
Contributor

@coder-Yash886 coder-Yash886 commented May 27, 2026

Closes #385

Problem

unknown severity findings were silently dropped from terminal output despite being counted in the summary.

  • Compact modeslice(0, 3) after critical/high filter dropped unknown findings entirely
  • Verbose modemedium+ threshold excluded unknown from the table
  • HTML / JSON / SARIF — showed all findings correctly ✅

Real example: MAL-2025-21003 on fs@0.0.1-security was invisible in terminal but visible in HTML report.

Changes

  • src/output/finding-display.ts — new shared selector module with selectFindingsForTable() and selectFindingsForCompact()
  • src/index.ts — uses shared selector for verbose table
  • src/output/printers.ts — uses shared selector for compact output
  • tests/output.test.ts — regression coverage for unknown findings in compact mode

Test Plan

npm test -- tests/output.test.ts tests/cli-integration.test.ts tests/write-outputs.test.ts

@coder-Yash886
Copy link
Copy Markdown
Contributor Author

coder-Yash886 commented May 27, 2026

@sonukapoor please review the PR when you have free time

@coder-Yash886 coder-Yash886 force-pushed the feat/centralize-finding-display-385 branch from 8ed383c to 4a006de Compare May 28, 2026 02:22
sonukapoor
sonukapoor requested changes May 28, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@sonukapoor sonukapoor left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The fix itself is correct - selectFindingsForCompact handles the unknown-severity case properly and mergeUniqueFindings is a clean way to avoid the slice-drops-unknown problem. The tests in output.test.ts cover the right scenario.

Two things to address:

This branch includes the debug flag work from #471. The first commit here is the debug flag implementation, and fix(scanner): use passed debug logger is also tied to it. #471 still has open CHANGES_REQUESTED. I can't merge this without pulling in all of that unresolved work. Please rebase this branch off the current main so it only contains the finding display changes.

Compact mode now only surfaces direct unknown-severity findings. The old code showed all unknown findings regardless of relationship. The new selectFindingsForCompact filters to finding.relationship === "direct". For the malicious-package case (MAL-* advisories) that's usually correct - you installed the package intentionally. But if an unknown-severity finding is transitive, it goes invisible in compact output. Worth a quick comment in the function confirming this is intentional, or loosening the filter if transitive unknowns should also surface.

@coder-Yash886
Copy link
Copy Markdown
Contributor Author

coder-Yash886 commented May 28, 2026

@sonukapoor Superseded by new PR from feat/centralize-finding-display-385-clean (this one accidentally included debug commits).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sonukapoor sonukapoor sonukapoor requested changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

feat: centralize finding display across compact, verbose, report, JSON, and SARIF outputs

2 participants

@coder-Yash886 @sonukapoor