From 251974b4d343becc1221f3937747cb789138e8ca Mon Sep 17 00:00:00 2001
From: Joshua Weaver
Date: Mon, 24 Jun 2024 14:58:57 -0400
Subject: [PATCH 1/3] errorMissedIgnores parameter
---
 action.yml | 5 +++++
 index.js | 7 ++++++-
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/action.yml b/action.yml
index a3181e6..58b563c 100644
--- a/action.yml
+++ b/action.yml
@@ -13,6 +13,11 @@ inputs:
 default: medium
 ignore_list:
 description: List of CVE IDs to ignore in the vulnerability findings.
+ error_missed_ignores:
+ description: >
+ Set to true if you want to raise an error when CVEs in the ignore list are not found.
+ required: false
+ default: true
 outputs:
 critical:
 description: Number of critical vulnerabilities detected.
diff --git a/index.js b/index.js
index af76598..1bc2389 100644
--- a/index.js
+++ b/index.js
@@ -174,6 +174,7 @@ const main = async () => {
 const tag = core.getInput('tag', { required: true })
 const failThreshold = core.getInput('fail_threshold') || 'high'
 const ignoreList = parseIgnoreList(core.getInput('ignore_list'))
+ const errorMissedIgnores = core.getInput('error_missed_ignores') === 'false' ? false : true;
 const proxyUrl = process.env.HTTPS_PROXY || process.env.https_proxy
 if (proxyUrl !== undefined) {
@@ -240,7 +241,11 @@ const main = async () => {
 const missedIgnores = ignoreList.filter(vulnerabilityId => !ignoredFindings.map(({ packageVulnerabilityDetails }) => packageVulnerabilityDetails.vulnerabilityId).includes(vulnerabilityId));
 console.log('The following CVEs were not found in the result set:');
 missedIgnores.forEach(miss => console.log(` ${miss}`));
- throw new Error(`Ignore list contains CVE IDs that were not returned in the findings result set. They may be invalid or no longer be current vulnerabilities.`);
+ if (errorMissedIgnores) {
+ throw new Error(`Ignore list contains CVE IDs that were not returned in the findings result set. They may be invalid or no longer be current vulnerabilities.`);
+ } else {
+ core.warning(`Ignore list contains CVE IDs that were not returned in the findings result set. They may be invalid or no longer be current vulnerabilities.`);
+ }
 }
 const ignoredCounts = countIgnoredFindings(ignoredFindings)
From 0aabe474c9830c49acdbb9107710514f5a57db57 Mon Sep 17 00:00:00 2001
From: Joshua Weaver
Date: Wed, 24 Jul 2024 12:15:07 -0400
Subject: [PATCH 2/3] Updating to use log levels WARN and ERROR. Updating README.md to reflect changes
---
 README.md | 1 +
 action.yml | 4 ++--
 index.js | 12 ++++++++++--
 3 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index 1ee6e5d..1fd54b3 100644
--- a/README.md
+++ b/README.md
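Review bot: The new `core.warning` in the `else` branch does not say which IDs were missed — they are only printed with `console.log` a few lines above — so the annotation a user sees in the run summary is not self-contained, and in warn mode that annotation is the only signal that the ignore list has drifted from what the scan actually reports. The same long message is also duplicated verbatim between the `throw` and the `core.warning`, so the two paths can silently diverge later. Build the message once as a template literal that includes `missedIgnores.join(', ')`, then `if (errorMissedIgnores) throw new Error(missedMessage)` followed by `core.warning(missedMessage)`. The enclosing `if` block and `main` begin outside the hunk; the same point applies to the `@@ -241,7 +249,7 @@` hunk of index.js in patch 2, which keeps this branch structure.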
@@ -26,6 +26,7 @@ As of version `3.0.0`, only enhanced scanning is supported. Basic scanning suppo
 | repository | :white_check_mark: | ECR repository, eg myorg/myimage |
 | tag | :white_check_mark: | Image tag to scan |
 | fail_threshold | | Fail if any vulnerabilities equal to or over this severity level are detected. Valid values: `critical`, `high`, `medium`, `low`, `informational`. Default value is `high`. |
+| missedCVELogLevel | | Set the log level for missed CVEs. Valid values: `error`, `warn`. Determines whether a core.error or a core.warning is raised when the ignore list contains CVE IDs that were not found in the scan results. Default value is error. |
 | ignore_list | | List of CVE IDs to ignore.
:warning: **Note**: The `ignore_list` can either be a multi-line string (like the example below) or a list (separated using commas or spaces) containing CVE IDs to be ignored. |
 ## Outputs
diff --git a/action.yml b/action.yml
index 58b563c..06a1831 100644
--- a/action.yml
+++ b/action.yml
@@ -15,9 +15,9 @@ inputs:
 description: List of CVE IDs to ignore in the vulnerability findings.
 error_missed_ignores:
 description: >
- Set to true if you want to raise an error when CVEs in the ignore list are not found.
+ Set to error if you want to raise an error when CVEs in the ignore list are not found. Set to warn to raise a warning, but prevent failure when CVEs in the ignore list are not found.
 required: false
- default: true
+ default: error
 outputs:
 critical:
 description: Number of critical vulnerabilities detected.
diff --git a/index.js b/index.js
index 1bc2389..7111b22 100644
--- a/index.js
+++ b/index.js
@@ -174,7 +174,15 @@ const main = async () => {
 const tag = core.getInput('tag', { required: true })
 const failThreshold = core.getInput('fail_threshold') || 'high'
 const ignoreList = parseIgnoreList(core.getInput('ignore_list'))
- const errorMissedIgnores = core.getInput('error_missed_ignores') === 'false' ? false : true;
+ const missedCVELogLevel = core.getInput('missedCVELogLevel') || 'error'
+
+ //Validate missedCVELogLevel
+ if (
+ missedCVELogLevel !== 'warn' &&
+ missedCVELogLevel !== 'error'
+ ) {
+ throw new Error('missedCVELogLevel input value is invalid. It must be either "warn" or "error".')
+ }
 const proxyUrl = process.env.HTTPS_PROXY || process.env.https_proxy
 if (proxyUrl !== undefined) {
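Review bot: The input declared in this action.yml hunk is still named `error_missed_ignores`, but index.js in the same commit reads `core.getInput('missedCVELogLevel')` and README.md documents `missedCVELogLevel`, so a workflow that sets `error_missed_ignores: warn` as this description instructs has no effect, and the `default: error` declared here is never the value the code sees (it falls back to its own `|| 'error'`). An undeclared `missedCVELogLevel` key under `with:` may still reach the code, but presumably with an "unexpected input" warning from the runner — worth verifying. Either rename this key to match the code or change the code to read `error_missed_ignores`; the snake_case form is consistent with the existing `fail_threshold` and `ignore_list` inputs. The same mismatch persists in the `@@ -15,7 +15,7 @@` action.yml hunk of patch 3, which only rewords this description.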
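Review bot: The check `missedCVELogLevel !== 'warn' && missedCVELogLevel !== 'error'` is case-sensitive, so the `WARN`/`ERROR` spellings named in the commit message are rejected with the generic error; normalising once with `const missedCVELogLevel = (core.getInput('missedCVELogLevel') || 'error').toLowerCase()` accepts either spelling while keeping the fail-closed behaviour for anything else. Throwing on an unknown value is the right default here, because a typo would otherwise silently select one of the two modes, but including the received value in the thrown message would make that typo easier to diagnose from the run log. Minor style: `//Validate missedCVELogLevel` should be `// Validate missedCVELogLevel` to match the spacing used elsewhere. `main` continues outside the hunk.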
@@ -241,7 +249,7 @@ const main = async () => {
 const missedIgnores = ignoreList.filter(vulnerabilityId => !ignoredFindings.map(({ packageVulnerabilityDetails }) => packageVulnerabilityDetails.vulnerabilityId).includes(vulnerabilityId));
 console.log('The following CVEs were not found in the result set:');
 missedIgnores.forEach(miss => console.log(` ${miss}`));
- if (errorMissedIgnores) {
+ if (missedCVELogLevel === 'error') {
 throw new Error(`Ignore list contains CVE IDs that were not returned in the findings result set. They may be invalid or no longer be current vulnerabilities.`);
 } else {
 core.warning(`Ignore list contains CVE IDs that were not returned in the findings result set. They may be invalid or no longer be current vulnerabilities.`);
From e33cbe3c77d280ec543277436043340596c47b00 Mon Sep 17 00:00:00 2001
From: Josh
Date: Thu, 25 Jul 2024 12:03:56 -0400
Subject: [PATCH 3/3] Update action.yml
Co-authored-by: Patrik Affentranger
---
 action.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/action.yml b/action.yml
index 06a1831..5e37ad6 100644
--- a/action.yml
+++ b/action.yml
@@ -15,7 +15,7 @@ inputs:
 description: List of CVE IDs to ignore in the vulnerability findings.
 error_missed_ignores:
 description: >
- Set to error if you want to raise an error when CVEs in the ignore list are not found. Set to warn to raise a warning, but prevent failure when CVEs in the ignore list are not found.
+ Set to "error" if you want to raise an error when CVEs in the ignore list are not found. Set to "warn" to raise a warning only, and prevent the workflow from failing when CVEs in the ignore list are not found.
 required: false
 default: error
 outputs: