ROX-30571: Make roxctl image scan print logic reusable#18658
Merged
ROX-30571: Make roxctl image scan print logic reusable#18658
Conversation
|
Skipping CI for Draft Pull Request. |
![sourcery-ai[bot]](https://avatars.githubusercontent.com/in/48477?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Hey - I've found 1 issue, and left some high level feedback:
- Consider returning a copy of
AllSeveritiesfrom a helper (e.g.DefaultSeverities() []string) instead of exposing a mutable package-level slice, to avoid accidental modification by callers. - The
cveSeverityFromStringfunction silently maps unknown severity strings toLowCVESeverity; consider returning an error or a boolean flag instead so unexpected inputs don’t get coerced without visibility.
Prompt for AI Agents
Please address the comments from this code review:
## Overall Comments
- Consider returning a copy of `AllSeverities` from a helper (e.g. `DefaultSeverities() []string`) instead of exposing a mutable package-level slice, to avoid accidental modification by callers.
- The `cveSeverityFromString` function silently maps unknown severity strings to `LowCVESeverity`; consider returning an error or a boolean flag instead so unexpected inputs don’t get coerced without visibility.
## Individual Comments
### Comment 1
<location> `roxctl/common/scan/cve.go:25-34` </location>
<code_context>
)
-func (c cveSeverity) String() string {
+var (
+ AllSeverities = []string{
+ LowCVESeverity.String(),
+ ModerateCVESeverity.String(),
</code_context>
<issue_to_address>
**suggestion (bug_risk):** AllSeverities being a mutable exported slice can be modified by callers and desynchronize validation logic.
External packages can currently append, remove, or reorder entries, which may cause Validate and other logic relying on the original set/order to behave incorrectly at runtime. Consider returning a copy via an accessor (e.g. `AllSeverities() []string`) or making the slice unexported and exposing a controlled API so supported severities remain immutable.
```suggestion
var (
allSeverities = []string{
LowCVESeverity.String(),
ModerateCVESeverity.String(),
ImportantCVESeverity.String(),
CriticalCVESeverity.String(),
}
)
// AllSeverities returns a copy of the supported CVE severity labels.
// Callers can safely use and modify the returned slice without affecting
// the internal canonical list.
func AllSeverities() []string {
out := make([]string, len(allSeverities))
copy(out, allSeverities)
return out
}
type CVESeverity int
```
</issue_to_address>Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
dcaravel
force-pushed
the
dc/move-roxctl-scan-print
branch
from
172deec to
6b316e3
Compare
Contributor
|
Images are ready for the commit at 9ebda95. To use with deploy scripts, first |
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #18658 +/- ##
==========================================
- Coverage 49.50% 49.49% -0.02%
==========================================
Files 2667 2668 +1
Lines 201389 201385 -4
==========================================
- Hits 99693 99668 -25
- Misses 94254 94274 +20
- Partials 7442 7443 +1
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
5 tasks
dcaravel
force-pushed
the
dc/sbom-ingest-central-api
branch
from
01e65a6 to
09f9e5f
Compare
dcaravel
force-pushed
the
dc/move-roxctl-scan-print
branch
from
6b316e3 to
ec5db7e
Compare
No functional changes, just a relocation and few minor tweaks.
dcaravel
force-pushed
the
dc/move-roxctl-scan-print
branch
from
ec5db7e to
9ebda95
Compare
janisz
approved these changes
Apr 1, 2026
c-du
pushed a commit
that referenced
this pull request
Apr 2, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
This PR includes no functional changes - it moves the printing logic associated with
roxctl image scanto a common location so that it can be reused by theroxctl sbom scancommand that is introduced in (#18503).PR created per request of Sensor & Ecosystem to split #18503 into multiple PRs
The new files in
roxctl/common/scan/*are not new, they were moved fromroxctl/image/scanso that they could be re-used. Minor tweaks were made to enable reuse. The files were moved as follows:PR Stack:
User-facing documentation
Testing and quality
Automated testing
No functional changes, existing tests apply
How I validated my change
See #18503