Commit
Ignore/add match results based on OpenVEX documents (#1397)
* go.mod: Pull OpenVEX go modules
  This commit pulls the OpenVEX libraries into the grype source.
  Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* Add generic VEX processor package
  This commit adds a generic VEX processor package. It is implementation agnostic. It has a single option for now: the documents used to load the VEX data. The processor has a single method, ApplyVEX(), which takes a set of scan results and applies VEX data to them. For now, the only modification that is done is filtering of results, that is, moving results to the ignored list as a response to VEX documents.
  Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* vex: Add OpenVEX processor implementation
  This commit adds an openvex implementation of the vex processor. It also wires the VEX processor to use it as default.
  Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* Table presenter: Highlight results suppressed by VEX
  This commit marks results suppressed by VEX when presenting them to the user.
  Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* Define VEX status constants
  This commit defines a set of local constants for each of the VEX statuses based on the openvex constants.
  Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* Add VexStatus to ignore rules
  This commit modifies the ignore rules structure to support defining a vex status. Any rules defining vex are ignored by the standard ignore rules processing as they will be handled by the VEX processor.
  Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* Add IgnoreRule HasConditions method
  Adds a new HasConditions method to the IgnoreRule object to check if the rule is empty.
  Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* Control VEX filtering through IgnoreRules
  This commit modifies how the vex processor is controlled. The processor now takes a list of IgnoreRules which can act on the VEX status in addition to the regular rule parameters.
  Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* vex: Allow rules to match on VEX justification
  This commit expands the ignore rules to also work on the vex justification of not_affected statements.
  Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* Use go-vex merge implementation
  Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* Add OpenVEX matcher to matcher list
  This commit adds a new entry to the matchers: an openvex matcher. This matcher is used when openvex augments results, moving matches from the ignore list to the active results.
  Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* Add vex.AugmentMatches() to the vex processor
  This commit adds a new AugmentMatches() phase to the VEX processor. This new step goes through the configured ignore rules and acts on any that have `affected` or `under_investigation` as status. The purpose of this rule is to move matches back from the ignored matches list to the active results when a statement with either of those statuses applies to ignored matches.
  Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* Parse context identifiers using GGC
  This commit modifies the identifier synthesizer function to parse references using GGCR. It also adds a simple test.
  Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* Bump funlen linter to 73
  This commit bumps the maximum function length to 73 to accommodate the new flag in AddFlags().
  Signed-off-by: Adolfo Garcia Veytia (puerco) <puerco@chainguard.dev>

* Add VEX testing to matchers test
  This commit adds a new test and fixtures to test the VEX matchers along with the rest of the matchers in TestMatchByImage(). As the VEX matchers operate on previously ignored matches, a new loop was added to the test to accommodate the different testing model.
  Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* add vex status and justification to ignored rule json model
  Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* nit rename + add TODO question about augmenting ignored matches
  Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* nit document comment updates + common variable extraction
  Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* migrate legacy matcher function to vulnerability matcher object
  Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* update tui to respond to ignored and dropped matches
  Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* migrate vex processing to vulnerability match object
  Based on Alex's previous commit.
  Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
  Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* Migrate VEX options and app config from legacy CLI
  Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* update table snapshot tests with suppressed vex entries
  Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* add tests for match.Matches.Diff()
  Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* add tests for vex processor
  Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* fix linting and restore global funlen rule
  Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* remove grpc pin
  Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* always return remaining and ignored matches from matcher object
  Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* Add VEX documentation to main README
  This commit adds a VEX section to the main Grype README. It adds an example document and details on how vex rules can be written.
  Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

---------

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
Signed-off-by: Adolfo Garcia Veytia (puerco) <puerco@chainguard.dev>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
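The two-phase model the commit message describes (ApplyVEX suppressing matches via VEX-bearing ignore rules, then AugmentMatches moving matches back for `affected`/`under_investigation` statements), as an added stand-alone illustration that is not grype's code: the types, the `ProcessVEX` entry point and the sample CVE and package identifiers are all constructed here, and the statement-to-match lookup is simplified to an exact vulnerability/product comparison.

```go
package main

// Constructed, simplified types for the VEX processing model; not grype's own.
type Match struct{ Vuln, Pkg string }
type Statement struct{ Vuln, Product, Status, Justification string }
type IgnoreRule struct{ Vulnerability, VexStatus, VexJustification string }
type Results struct{ Active, Ignored []Match }

// Statuses that suppress a match (ApplyVEX) and statuses that restore it (AugmentMatches).
var (
	suppressing = map[string]bool{"not_affected": true, "fixed": true}
	augmenting  = map[string]bool{"affected": true, "under_investigation": true}
)

// ruleApplies reports whether a VEX-bearing ignore rule is satisfied by some
// statement covering the match; empty rule fields act as wildcards.
func ruleApplies(r IgnoreRule, m Match, stmts []Statement) bool {
	for _, s := range stmts {
		if s.Vuln == m.Vuln && s.Product == m.Pkg && s.Status == r.VexStatus &&
			(r.Vulnerability == "" || r.Vulnerability == s.Vuln) &&
			(r.VexJustification == "" || r.VexJustification == s.Justification) {
			return true
		}
	}
	return false
}

// partition moves every match in src hit by a rule whose VexStatus is in
// want onto dst, returning the matches that stayed and the grown dst.
func partition(src, dst []Match, rules []IgnoreRule, stmts []Statement, want map[string]bool) (keep, moved []Match) {
	moved = dst
	for _, m := range src {
		hit := false
		for _, r := range rules {
			hit = hit || (want[r.VexStatus] && ruleApplies(r, m, stmts))
		}
		if hit {
			moved = append(moved, m)
		} else {
			keep = append(keep, m)
		}
	}
	return keep, moved
}

// ProcessVEX runs the suppressing pass first, then the augmenting pass.
func ProcessVEX(res Results, rules []IgnoreRule, stmts []Statement) Results {
	res.Active, res.Ignored = partition(res.Active, res.Ignored, rules, stmts, suppressing)
	res.Ignored, res.Active = partition(res.Ignored, res.Active, rules, stmts, augmenting)
	return res
}
```

A rule with a justification only suppresses a match whose statement carries that exact justification, so a `not_affected` statement with a different justification stays in the active results.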