fix(cli): resolve issue with 'fail_on_fixable' and 'fail_on_severity'… (

#1169)

* fix(cli): resolve issue with 'fail_on_fixable' and 'fail_on_severity' flags

Signed-off-by: Darren Murray <[email protected]>

* test: add unit test for GROW-1388 scenario

Signed-off-by: Darren Murray <[email protected]>

---------

Signed-off-by: Darren Murray <[email protected]>

cli/cmd/errors.go

@@ -110,14 +110,14 @@ func (e *vulnerabilityPolicyError) validate() bool {
 		return false
 	}
 
-	if e.FailOnFixable && e.FixableVulnCount > 0 && threshold >= fixableSeverityRating {
+	if e.FailOnFixable && e.FixableVulnCount > 0 && fixableSeverityRating <= threshold {
 		e.Message = fmt.Sprintf(
 			"fixable vulnerabilities found with threshold '%s'",
 			e.FailOnSeverity)
 		return false
 	}
 
-	if !e.FailOnFixable && (severityRating <= threshold && severityRating != 0) {
+	if e.FailOnSeverity != "" && (severityRating <= threshold && severityRating != 0) {
 		e.Message = fmt.Sprintf(
 			"vulnerabilities found with threshold '%s'",
 			e.FailOnSeverity)

cli/cmd/errors_test.go

@@ -82,6 +82,14 @@ func TestVulnerabilityPolicyErrorShouldNotFailOnSeverityCriticalFailOnFixable(t
 	assert.True(t, mockPolicy.Compliant(), "policy should be compliant")
 }
 
+func TestVulnerabilityPolicyErrorShouldNotFailOnSeverityCriticalFailOnFixableWithCriticalSeverity(t *testing.T) {
+	mockAssessment := mockVulnAssessment{"critical", "critical", 1}
+	mockPolicy := NewVulnerabilityPolicyError(&mockAssessment, "critical", true)
+
+	assert.True(t, mockPolicy.NonCompliant(), "policy should be compliant")
+	assert.False(t, mockPolicy.Compliant(), "policy should be compliant")
+}
+
 func TestVulnerabilityPolicyErrorShouldNotFailOnSeverityCriticalFailWithNoVulns(t *testing.T) {
 	mockAssessment := mockVulnAssessment{"unknown", "unknown", 0}
 	mockPolicy := NewVulnerabilityPolicyError(&mockAssessment, "critical", false)