diff --git a/README.md b/README.md
index 22d0f65fdda2..c3f6c99015d1 100644
--- a/README.md
+++ b/README.md
@@ -373,7 +373,7 @@ NAME INSTALLED FIXED-IN VULNERABILITY SEVERITY apk-tools 2.10.6-r0 2.10.7-r0 CVE-2021-36159 Critical ```
-If you want Grype to only report vulnerabilities **that do not have a confirmed fix**, you can use the `--only-notfixed` flag. (This automatically adds [ignore rules](#specifying-matches-to-ignore) into Grype's configuration, such that vulnerabilities that are fixed will be ignored.)
+If you want Grype to only report vulnerabilities **that do not have a confirmed fix**, you can use the `--only-notfixed` flag. Alternatively, you can use the `--ignore-states` flag to filter results for vulnerabilities with specific states such as `wont-fix` (see `--help` for a list of valid fix states). These flags automatically add [ignore rules](#specifying-matches-to-ignore) into Grype's configuration, such that vulnerabilities which are fixed, or will not be fixed, will be ignored. ## VEX Support
diff --git a/cmd/grype/cli/commands/root.go b/cmd/grype/cli/commands/root.go
index 10514d6b797f..6a5f5ffdab03 100644
--- a/cmd/grype/cli/commands/root.go
+++ b/cmd/grype/cli/commands/root.go
@@ -155,6 +155,15 @@ func runGrype(app clio.Application, opts *options.Grype, userInput string) (errs opts.Ignore = append(opts.Ignore, ignoreFixedMatches...) }
+ for _, ignoreState := range opts.IgnoreStates { switch grypeDb.FixState(ignoreState) { case grypeDb.UnknownFixState, grypeDb.FixedState, grypeDb.NotFixedState, grypeDb.WontFixState: opts.Ignore = append(opts.Ignore, match.IgnoreRule{FixState: ignoreState}) default: log.Warnf("ignoring unknown fix state %s for --ignore-states", ignoreState) } } + if err = applyVexRules(opts); err != nil { return fmt.Errorf("applying vex rules: %w", err) }
diff --git a/cmd/grype/cli/options/grype.go b/cmd/grype/cli/options/grype.go
index d58d6be55ece..d75c0935c79f 100644
--- a/cmd/grype/cli/options/grype.go 
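Review bot: The `case` list in the new `switch` over `grypeDb.FixState(ignoreState)` restates the same four states that `vulnerability.AllFixStates()` (added to grype/vulnerability/fix.go in this commit) enumerates, so the validation here and the list printed in the `--ignore-states` help text can drift apart if a fix state is ever added to one but not the other. Checking membership against `vulnerability.AllFixStates()` keeps a single source of truth; this assumes root.go can import the `vulnerability` package without a cycle and that the module is on Go 1.21+ for `slices`, neither of which I can confirm from the hunk. While here, the warning should quote the user-supplied value with `%q` rather than `%s` so an empty or whitespace-only argument is visible in the log. `runGrype` begins and ends outside the hunk.
```go
	for _, ignoreState := range opts.IgnoreStates {
		if !slices.Contains(vulnerability.AllFixStates(), grypeDb.FixState(ignoreState)) {
			// an unrecognised state adds no ignore rule, so the match is still reported
			log.Warnf("ignoring unknown fix state %q for --ignore-states", ignoreState)
			continue
		}
		opts.Ignore = append(opts.Ignore, match.IgnoreRule{FixState: ignoreState})
	}
	// … unchanged: applyVexRules call …
```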
+++ b/cmd/grype/cli/options/grype.go
@@ -19,6 +19,7 @@ type Grype struct { CheckForAppUpdate bool `yaml:"check-for-app-update" json:"check-for-app-update" mapstructure:"check-for-app-update"` // whether to check for an application update on start up or not OnlyFixed bool `yaml:"only-fixed" json:"only-fixed" mapstructure:"only-fixed"` // only fail if detected vulns have a fix OnlyNotFixed bool `yaml:"only-notfixed" json:"only-notfixed" mapstructure:"only-notfixed"` // only fail if detected vulns don't have a fix
+ IgnoreStates []string `yaml:"ignore-states" json:"ignore-wontfix" mapstructure:"ignore-wontfix"` // ignore detections for vulnerabilities matching these fix states Platform string `yaml:"platform" json:"platform" mapstructure:"platform"` // --platform, override the target platform for a container image Search search `yaml:"search" json:"search" mapstructure:"search"` Ignore []match.IgnoreRule `yaml:"ignore" json:"ignore" mapstructure:"ignore"`
@@ -103,6 +104,11 @@ func (o *Grype) AddFlags(flags clio.FlagSet) { "ignore matches for vulnerabilities that are fixed", )
+ flags.StringArrayVarP(&o.IgnoreStates, "ignore-states", "", fmt.Sprintf("ignore matches for vulnerabilities with specified fix states, options=%v", vulnerability.AllFixStates()), ) + flags.BoolVarP(&o.ByCVE, "by-cve", "", "orient results by CVE instead of the original vulnerability ID when possible",
diff --git a/grype/vulnerability/fix.go b/grype/vulnerability/fix.go
index a8d88a52cf45..3cb81469aae6 100644
--- a/grype/vulnerability/fix.go
+++ b/grype/vulnerability/fix.go
@@ -4,6 +4,15 @@ import ( grypeDb "github.com/anchore/grype/grype/db/v5" )
+func AllFixStates() []grypeDb.FixState { return []grypeDb.FixState{ grypeDb.FixedState, grypeDb.NotFixedState, grypeDb.UnknownFixState, grypeDb.WontFixState, } } + type Fix struct { Versions []string State grypeDb.FixState
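Review bot: The tags on the new `IgnoreStates` field disagree with each other and with the flag name: `yaml:"ignore-states"` versus `json:"ignore-wontfix" mapstructure:"ignore-wontfix"`, while the flag registered in the second hunk is `--ignore-states`. Every neighbouring field uses the same key in all three tags, so if config files are decoded through the mapstructure tag (which I infer from that pattern, not from this hunk) a user who writes `ignore-states:` in their config will have the setting silently dropped and only the undocumented key `ignore-wontfix` will take effect. Change the tags to `json:"ignore-states" mapstructure:"ignore-states"` so the config key matches the flag and the README. The enclosing `Grype` struct and `AddFlags` method both extend beyond their hunks.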
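Review bot: `AllFixStates` is exported with no doc comment, and it is the list that the `--ignore-states` help text prints, so its contract is worth stating. Suggest `// AllFixStates returns every known grypeDb.FixState as a fresh slice; the order is the one shown in the --ignore-states help text.` The function builds a new literal on each call, so callers may append to the result without affecting other callers, which is worth a word in the comment as well.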