chore: refactor results returning process (#36)

Author: owenrumney

go.mod

@@ -4,7 +4,7 @@ go 1.24.2
 
 require (
 	github.com/golang-jwt/jwt/v5 v5.2.2
-	github.com/mark3labs/mcp-go v0.23.1
+	github.com/mark3labs/mcp-go v0.29.0
 	github.com/spf13/cobra v1.9.1
 	github.com/stretchr/testify v1.10.0
 	github.com/zalando/go-keyring v0.2.6

go.sum

@@ -1509,6 +1509,8 @@ github.com/mailru/easyjson v0.9.0 h1:PrnmzHw7262yW8sTBwxi1PdJA3Iw/EKBa8psRf7d9a4
 github.com/mailru/easyjson v0.9.0/go.mod h1:1+xMtQp2MRNVL/V1bOzuP3aP8VNwRW55fQUto+XFtTU=
 github.com/mark3labs/mcp-go v0.23.1 h1:RzTzZ5kJ+HxwnutKA4rll8N/pKV6Wh5dhCmiJUu5S9I=
 github.com/mark3labs/mcp-go v0.23.1/go.mod h1:rXqOudj/djTORU/ThxYx8fqEVj/5pvTuuebQ2RC7uk4=
+github.com/mark3labs/mcp-go v0.29.0 h1:sH1NBcumKskhxqYzhXfGc201D7P76TVXiT0fGVhabeI=
+github.com/mark3labs/mcp-go v0.29.0/go.mod h1:rXqOudj/djTORU/ThxYx8fqEVj/5pvTuuebQ2RC7uk4=
 github.com/masahiro331/go-disk v0.0.0-20240625071113-56c933208fee h1:cgm8mE25x5XXX2oyvJDlyJ72K+rDu/4ZCYce2worNb8=
 github.com/masahiro331/go-disk v0.0.0-20240625071113-56c933208fee/go.mod h1:rojbW5tVhH1cuVYFKZS+QX+VGXK45JVsRO+jW92kkKM=
 github.com/masahiro331/go-ebs-file v0.0.0-20240917043618-e6d2bea5c32e h1:nCgF1JEYIS8KNuJtIeUrmjjhktIMKWNmASZqwK2ynu0=

pkg/tools/scan/aqua.go

@@ -3,7 +3,6 @@ package scan
 import (
 	"context"
 	"errors"
-	"fmt"
 	"os"
 
 	"path/filepath"
@@ -14,7 +13,7 @@ import (
 	"github.com/mark3labs/mcp-go/mcp"
 )
 
-func (t *ScanTools) scanWithAquaPlatform(ctx context.Context, args []string, creds creds.AquaCreds) (*mcp.CallToolResult, error) {
+func (t *ScanTools) scanWithAquaPlatform(ctx context.Context, args []string, creds creds.AquaCreds, scanArgs *scanArgs) (*mcp.CallToolResult, error) {
 
 	// add quiet to reduce the noise
 	args = append(args, "--quiet")
@@ -87,15 +86,5 @@ func (t *ScanTools) scanWithAquaPlatform(ctx context.Context, args []string, cre
 		return nil, err
 	}
 
-	return mcp.NewToolResultResource(
-		fmt.Sprintf(`The results can be found in the file "%s", which is found at "%s" \n
-		 Summarise the contents of the file and report it back to the user in a nicely formatted way.\n
-	It is important that the output MUST include the ID and the severity of the issues to inform the user of the issues.
-	`, filename, resultsFilePath),
-		mcp.TextResourceContents{
-			URI:      resultsFilePath,
-			MIMEType: "application/json",
-		},
-	), nil
-
+	return t.processResultsFile(resultsFilePath, scanArgs, filename)
 }

pkg/tools/scan/report.go

@@ -0,0 +1,166 @@
+package scan
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"os"
+	"strings"
+
+	"github.com/aquasecurity/trivy/pkg/log"
+	"github.com/aquasecurity/trivy/pkg/types"
+	"github.com/mark3labs/mcp-go/mcp"
+)
+
+func (t *ScanTools) processResultsFile(resultsFilePath string, scanArgs *scanArgs, filename string) (*mcp.CallToolResult, error) {
+	logger := log.WithPrefix("scan")
+	if scanArgs.isSBOM {
+		// tell the LLM to present the results verbatim in code block
+		result, err := t.processSBOMResult(resultsFilePath, logger, filename)
+		if err != nil {
+			logger.Error("Failed to format results", log.Err(err))
+			return nil, fmt.Errorf("failed to format results: %w", err)
+		}
+		return result, nil
+	}
+
+	file, err := os.Open(resultsFilePath)
+	if err != nil {
+		logger.Error("Failed to open scan results file", log.Err(err))
+		return nil, errors.New("failed to open scan results file")
+	}
+	defer func() {
+		if err := file.Close(); err != nil {
+			logger.Error("Failed to close scan results file", log.Err(err))
+		}
+		if err := os.Remove(resultsFilePath); err != nil {
+			logger.Error("Failed to remove scan results file", log.Err(err))
+		}
+	}()
+
+	var rep types.Report
+	if err := json.NewDecoder(file).Decode(&rep); err != nil {
+		logger.Error("Failed to decode scan results file", log.Err(err))
+		return nil, errors.New("failed to decode scan results file")
+	}
+
+	// check the size of the file, if its larger than 1MB, we don't want to embed it in the response
+	// instead we want to provide a link to the file
+	fileInfo, err := file.Stat()
+	if err != nil {
+		logger.Error("Failed to get scan results file info", log.Err(err))
+		return nil, errors.New("failed to get scan results file info")
+	}
+
+	var resultString strings.Builder
+
+	if fileInfo.Size() > 1024*1024 {
+		resultString, err = processResultSummary(rep, logger)
+		if err != nil {
+			logger.Error("Failed to format results", log.Err(err))
+			return nil, fmt.Errorf("failed to format results: %w", err)
+		}
+	} else {
+		resultString, err = processResult(rep, logger)
+		if err != nil {
+			logger.Error("Failed to format results", log.Err(err))
+			return nil, fmt.Errorf("failed to format results: %w", err)
+		}
+	}
+	return mcp.NewToolResultText(resultString.String()), nil
+}
+
+func processResultSummary(rep types.Report, logger *log.Logger) (strings.Builder, error) {
+	// process the results into a text format
+	sb := strings.Builder{}
+
+	logger.Debug("Scan results file is larger than 1MB, building a summary of the results")
+	countsMap := make(map[string]int)
+
+	for _, result := range rep.Results {
+		countsMap["Vulnerabilities"] += len(result.Vulnerabilities)
+		countsMap["Misconfigurations"] += len(result.Misconfigurations)
+		countsMap["Licenses"] += len(result.Licenses)
+		countsMap["Secrets"] += len(result.Secrets)
+	}
+
+	sb.WriteString("## Scan Results Summary\n")
+	sb.WriteString(fmt.Sprintf(" - Vulnerabilities: %d\n", countsMap["Vulnerabilities"]))
+	sb.WriteString(fmt.Sprintf(" - Misconfigurations: %d\n", countsMap["Misconfigurations"]))
+	sb.WriteString(fmt.Sprintf(" - Licenses: %d\n", countsMap["Licenses"]))
+	sb.WriteString(fmt.Sprintf(" - Secrets: %d\n", countsMap["Secrets"]))
+	sb.WriteString("\n\n")
+
+	return sb, nil
+
+}
+
+func processResult(rep types.Report, logger *log.Logger) (strings.Builder, error) {
+
+	// process the results into a text format
+	sb := strings.Builder{}
+	sb.WriteString("The scan results are below, it is important that you present the results with the severity and the ID/Name of the vulnerability/misconfiguration/license/secret. \n")
+
+	for _, result := range rep.Results {
+		if len(result.Vulnerabilities) > 0 || len(result.Misconfigurations) > 0 || len(result.Licenses) > 0 || len(result.Secrets) > 0 {
+			sb.WriteString(fmt.Sprintf("## %s\n", result.Target))
+			for _, vuln := range result.Vulnerabilities {
+				sb.WriteString(fmt.Sprintf("### %s\n", vuln.VulnerabilityID))
+				sb.WriteString(fmt.Sprintf(" - Severity: %s\n", vuln.Severity))
+				sb.WriteString(fmt.Sprintf(" - Package: %s\n", vuln.PkgName))
+				sb.WriteString(fmt.Sprintf(" - Installed Version: %s\n", vuln.InstalledVersion))
+				sb.WriteString(fmt.Sprintf(" - Fixed Version: %s\n", vuln.FixedVersion))
+				sb.WriteString(fmt.Sprintf(" - Primary URL: %s\n", vuln.PrimaryURL))
+				sb.WriteString(fmt.Sprintf(" - Data Source: %s\n", vuln.DataSource))
+			}
+			for _, misconf := range result.Misconfigurations {
+				sb.WriteString(fmt.Sprintf("### %s\n", misconf.ID))
+				sb.WriteString(fmt.Sprintf(" - Severity: %s\n", misconf.Severity))
+				sb.WriteString(fmt.Sprintf(" - Title: %s\n", misconf.Title))
+				sb.WriteString(fmt.Sprintf(" - Description: %s\n", misconf.Description))
+				sb.WriteString(fmt.Sprintf(" - Resolution: %s\n", misconf.Resolution))
+				sb.WriteString(fmt.Sprintf(" - Primary URL: %s\n", misconf.PrimaryURL))
+				sb.WriteString(fmt.Sprintf(" - Message: %s\n", misconf.Message))
+
+			}
+			for _, license := range result.Licenses {
+				sb.WriteString(fmt.Sprintf("### %s\n", license.Name))
+				sb.WriteString(fmt.Sprintf(" - Severity: %s\n", license.Severity))
+				sb.WriteString(fmt.Sprintf(" - Package: %s\n", license.PkgName))
+				sb.WriteString(fmt.Sprintf(" - License: %s\n", license.Text))
+				sb.WriteString(fmt.Sprintf(" - Category: %s\n", license.Category))
+			}
+			for _, secret := range result.Secrets {
+				sb.WriteString(fmt.Sprintf("### %s\n", secret.RuleID))
+				sb.WriteString(fmt.Sprintf(" - Severity: %s\n", secret.Severity))
+				sb.WriteString(fmt.Sprintf(" - Title: %s\n", secret.Title))
+				sb.WriteString(fmt.Sprintf(" - Code: %v\n", secret.Code))
+				sb.WriteString(fmt.Sprintf(" - Match: %s\n", secret.Match))
+				sb.WriteString(fmt.Sprintf(" - Category: %s\n", secret.Category))
+			}
+		}
+
+	}
+	return sb, nil
+}
+
+// processSBOMResult processes the SBOM result and returns a tool result
+// we don't clean up the results file here because we want to keep it to be available for the LLM to provide a link
+// when the MCP server is closed, the trivy mcp cache should be cleaned up
+func (*ScanTools) processSBOMResult(resultsFilePath string, logger *log.Logger, filename string) (*mcp.CallToolResult, error) {
+	log.Debug("Scan results file", log.String("file", resultsFilePath))
+
+	// Check that the file exists
+	if _, err := os.Stat(resultsFilePath); err != nil {
+		logger.Error("Failed to access scan results file", log.Err(err))
+		return nil, errors.New("failed to access scan results file")
+	}
+
+	// Create a markdown link for the SBOM file instead of using resource object
+	// This provides better compatibility with VSCode's MCP client
+	markdownLink := fmt.Sprintf("Only show the user the following markdown and NOTHING else \n [SBOM Results](file://%s)", resultsFilePath)
+
+	// For large files, we return a link that client can click instead of embedding the content
+	// This avoids issues with resource handling in VSCode's MCP client
+	return mcp.NewToolResultText(markdownLink), nil
+}

pkg/tools/scan/scan.go

@@ -16,7 +16,7 @@ import (
 	"github.com/aquasecurity/trivy/pkg/log"
 	"github.com/mark3labs/mcp-go/mcp"
 
-	_ "modernc.org/sqlite" // sqlite driver for RPM DB and Java DB
+	_ "modernc.org/sqlite" // sqlite driver for RPM DB and Java DB, this is needed for the scan
 )
 
 type ScanTools struct {
@@ -38,44 +38,47 @@ func NewScanTools(opts flag.Options, trivyTempDir string) *ScanTools {
 var (
 	ScanFilesystemTool = mcp.NewTool(
 		"scan_filesystem",
-		mcp.WithDescription(`Scan a local filesystem project for vulnerabilities, misconfigurations, licenses, and secrets issue using Trivy. \n
-		When the result is an embedded resource (like an SBOM), you MUST format the response as a clickable markdown link with the text set to "SBOM Results" and with the URI as the target of the link. \n
-		Do not include any other text or explanation with the link.".`),
+		mcp.WithDescription(`Scan a local filesystem project for vulnerabilities, misconfigurations, licenses, and secrets issue using Trivy. 
+Follow the instructions that are given in the response.`),
 		targetString,
 		scanTypeArray,
 		severityArray,
 		outputFormatString,
 		fixedOnlyBool,
 		targetTypeString("filesystem"),
 		mcp.WithToolAnnotation(mcp.ToolAnnotation{
-			Title: "Scan filesystem and local projects with Trivy",
+			Title: "Scan local filesystem with Trivy",
 		}),
 	)
 
 	ScanImageTool = mcp.NewTool(
 		"scan_image",
-		mcp.WithDescription(`Scan a container image for vulnerabilities, misconfigurations, licenses, and secrets issue using Trivy \n
-		When the result is an embedded resource (like an SBOM), you MUST format the response as a clickable markdown link with the text set to the filename and the URI as the target of the link. \n
-		Do not include any other text or explanation with the link.".`),
+		mcp.WithDescription(`Scan a container image for vulnerabilities, misconfigurations, licenses, and secrets issue using Trivy
+Follow the instructions that are given in the response.`),
 		targetString,
 		scanTypeArray,
 		severityArray,
 		outputFormatString,
 		fixedOnlyBool,
 		targetTypeString("image"),
+		mcp.WithToolAnnotation(mcp.ToolAnnotation{
+			Title: "Scan a container image with Trivy",
+		}),
 	)
 
 	ScanRepositoryTool = mcp.NewTool(
 		"scan_repository",
-		mcp.WithDescription(`Scan a remote git repository for vulnerabilities, misconfigurations, licenses, and secrets issue using Trivy \n
-		When the result is an embedded resource (like an SBOM), you MUST format the response as a clickable markdown link with the text set to "SBOM Results" and with the URI as the target of the link. \n
-		Do not include any other text or explanation with the link.".`),
+		mcp.WithDescription(`Scan a remote git repository for vulnerabilities, misconfigurations, licenses, and secrets issue using Trivy.
+Follow the instructions that are given in the response.`),
 		targetString,
 		scanTypeArray,
 		severityArray,
 		outputFormatString,
 		fixedOnlyBool,
 		targetTypeString("repository"),
+		mcp.WithToolAnnotation(mcp.ToolAnnotation{
+			Title: "Scan a remote git repository with Trivy",
+		}),
 	)
 )
 
@@ -101,7 +104,7 @@ func (t *ScanTools) ScanWithTrivyHandler(ctx context.Context, request mcp.CallTo
 		args = append(args, "--skip-update")
 	}
 
-	// json output doesn't include the target in the output
+	// json output doesn't include the packages in the output
 	if scanArgs.outputFormat == "json" && slices.Contains(scanArgs.scanType, "vuln") {
 		args = append(args, "--list-all-pkgs")
 	}
@@ -113,7 +116,7 @@ func (t *ScanTools) ScanWithTrivyHandler(ctx context.Context, request mcp.CallTo
 			return nil, fmt.Errorf("failed to load credentials which suggests the haven't been saved using `trivy mcp auth`: %v", err)
 		}
 		args = append(args, scanArgs.target)
-		return t.scanWithAquaPlatform(ctx, args, *aquaCreds)
+		return t.scanWithAquaPlatform(ctx, args, *aquaCreds, scanArgs)
 	}
 
 	logger := log.WithPrefix(scanArgs.targetType)
@@ -150,47 +153,8 @@ func (t *ScanTools) ScanWithTrivyHandler(ctx context.Context, request mcp.CallTo
 
 	logger.Info("Scan completed successfully")
 
-	if scanArgs.isSBOM {
-		// tell the LLM to present the results verbatim in code block
-		result, err := t.processSBOMResult(resultsFilePath, logger, filename)
-		if err != nil {
-			logger.Error("Failed to format results", log.Err(err))
-			return nil, fmt.Errorf("failed to format results: %w", err)
-		}
-		return result, nil
-	}
-
-	return mcp.NewToolResultResource(
-		fmt.Sprintf(`The results can be found in the file "%s", which is found at "%s" \n
-		 Summarise the contents of the file and report it back to the user in a nicely formatted way.\n
-	It is important that the output MUST include the ID and the severity of the issues to inform the user of the issues.
-	`, filename, resultsFilePath),
-		mcp.TextResourceContents{
-			URI:      resultsFilePath,
-			MIMEType: "application/json",
-		},
-	), nil
-}
-
-// processSBOMResult processes the SBOM result and returns a tool result
-// we don't clean up the results file here because we want to keep it to be available for the LLM to provide a link
-// when the MCP server is closed, the trivy mcp cache should be cleaned up
-func (*ScanTools) processSBOMResult(resultsFilePath string, logger *log.Logger, filename string) (*mcp.CallToolResult, error) {
-	log.Debug("Scan results file", log.String("file", resultsFilePath))
-
-	content, err := os.ReadFile(resultsFilePath)
-	if err != nil {
-		logger.Error("Failed to read scan results file", log.Err(err))
-		return nil, errors.New("failed to read scan results file")
-	}
+	return t.processResultsFile(resultsFilePath, scanArgs, filename)
 
-	return mcp.NewToolResultResource(
-		fmt.Sprintf("The embedded resource is a human readable SBOM format. \nThe filename is %s and the URI is file://%s. \n", filename, resultsFilePath),
-		mcp.TextResourceContents{
-			URI:  resultsFilePath,
-			Text: string(content),
-		},
-	), nil
 }
 
 func getFilename(targetType, format string) string {