Add option --reach-min-severity to only run reachability analysis on vulnerabilities with at least that severity

Author: barslev

packages/cli/src/commands/scan/cmd-scan-create.mts

@@ -241,6 +241,7 @@ async function run(
     reachAnalysisMemoryLimit,
     reachAnalysisTimeout,
     reachDisableAnalytics,
+    reachMinSeverity,
     reachSkipCache,
     readOnly,
     reportLevel,
@@ -266,6 +267,7 @@ async function run(
     reachAnalysisTimeout: number
     reachAnalysisMemoryLimit: number
     reachDisableAnalytics: boolean
+    reachMinSeverity: string
     reachSkipCache: boolean
   }
 
@@ -282,6 +284,14 @@ async function run(
     reachEcosystems.push(ecosystem as PURL_Type)
   }
 
+  // Validate severity value if provided.
+  const validSeverities = ['info', 'low', 'moderate', 'high', 'critical']
+  if (reachMinSeverity && !validSeverities.includes(reachMinSeverity.toLowerCase())) {
+    throw new Error(
+      `Invalid severity: "${reachMinSeverity}". Valid values are: ${joinAnd(validSeverities)}`,
+    )
+  }
+
   const dryRun = !!cli.flags['dryRun']
 
   let {
@@ -517,6 +527,7 @@ async function run(
       reachAnalysisMemoryLimit: Number(reachAnalysisMemoryLimit),
       reachEcosystems,
       reachExcludePaths,
+      reachMinSeverity,
       reachSkipCache: Boolean(reachSkipCache),
     },
     readOnly: Boolean(readOnly),

packages/cli/src/commands/scan/cmd-scan-reach.mts

@@ -123,6 +123,7 @@ async function run(
     reachAnalysisMemoryLimit,
     reachAnalysisTimeout,
     reachDisableAnalytics,
+    reachMinSeverity,
     reachSkipCache,
   } = cli.flags as unknown as {
     cwd: string
@@ -134,6 +135,7 @@ async function run(
     reachAnalysisTimeout: number
     reachAnalysisMemoryLimit: number
     reachDisableAnalytics: boolean
+    reachMinSeverity: string
     reachSkipCache: boolean
   }
 
@@ -155,6 +157,14 @@ async function run(
     reachEcosystems.push(ecosystem as PURL_Type)
   }
 
+  // Validate severity value if provided.
+  const validSeverities = ['info', 'low', 'moderate', 'high', 'critical']
+  if (reachMinSeverity && !validSeverities.includes(reachMinSeverity.toLowerCase())) {
+    throw new Error(
+      `Invalid severity: "${reachMinSeverity}". Valid values are: ${joinAnd(validSeverities)}`,
+    )
+  }
+
   const processCwd = process.cwd()
   const cwd =
     cwdOverride && cwdOverride !== '.' && cwdOverride !== processCwd
@@ -223,6 +233,7 @@ async function run(
       reachDisableAnalytics: Boolean(reachDisableAnalytics),
       reachEcosystems,
       reachExcludePaths,
+      reachMinSeverity,
       reachSkipCache: Boolean(reachSkipCache),
     },
     targets,

packages/cli/src/commands/scan/perform-reachability-analysis.mts

@@ -23,6 +23,7 @@ export type ReachabilityOptions = {
   reachDisableAnalytics: boolean
   reachEcosystems: PURL_Type[]
   reachExcludePaths: string[]
+  reachMinSeverity: string
   reachSkipCache: boolean
 }
 
@@ -165,6 +166,9 @@ export async function performReachabilityAnalysis(
     ...(reachabilityOptions.reachExcludePaths.length
       ? ['--exclude-dirs', ...reachabilityOptions.reachExcludePaths]
       : []),
+    ...(reachabilityOptions.reachMinSeverity
+      ? ['--min-severity', reachabilityOptions.reachMinSeverity]
+      : []),
     ...(reachabilityOptions.reachSkipCache ? ['--skip-cache-usage'] : []),
   ]
 

packages/cli/src/commands/scan/reachability-flags.mts

@@ -31,6 +31,12 @@ export const reachabilityFlags: MeowFlags = {
     description:
       'List of paths to exclude from reachability analysis, as either a comma separated value or as multiple flags.',
   },
+  reachMinSeverity: {
+    type: 'string',
+    default: '',
+    description:
+      'Set the minimum severity of vulnerabilities to analyze. Supported severities are info, low, moderate, high and critical.',
+  },
   reachSkipCache: {
     type: 'boolean',
     default: false,