

Add --ignore-states flag for ignoring findings with by fix state
Signed-off-by: James Hebden <jhebden@gitlab.com>
jhebden-gl committed Oct 11, 2023
1 parent 7e5df38 commit fca4778
Showing 4 changed files with 25 additions and 1 deletion.
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -373,7 +373,7 @@ NAME INSTALLED FIXED-IN VULNERABILITY SEVERITY
apk-tools 2.10.6-r0 2.10.7-r0 CVE-2021-36159 Critical
```
If you want Grype to only report vulnerabilities **that do not have a confirmed fix**, you can use the `--only-notfixed` flag. (This automatically adds [ignore rules](#specifying-matches-to-ignore) into Grype's configuration, such that vulnerabilities that are fixed will be ignored.)
If you want Grype to only report vulnerabilities **that do not have a confirmed fix**, you can use the `--only-notfixed` flag. Alternatively, you can use the `--ignore-states` flag to filter results for vulnerabilities with specific states such as `wont-fix` (see `--help` for a list of valid fix states). These flags automatically add [ignore rules](#specifying-matches-to-ignore) into Grype's configuration, such that vulnerabilities which are fixed, or will not be fixed, will be ignored.
## VEX Support
9 changes: 9 additions & 0 deletions cmd/grype/cli/commands/root.go
Expand Up @@ -155,6 +155,15 @@ func runGrype(app clio.Application, opts *options.Grype, userInput string) (errs
opts.Ignore = append(opts.Ignore, ignoreFixedMatches...)
}

for _, ignoreState := range opts.IgnoreStates {
switch grypeDb.FixState(ignoreState) {
case grypeDb.UnknownFixState, grypeDb.FixedState, grypeDb.NotFixedState, grypeDb.WontFixState:
opts.Ignore = append(opts.Ignore, match.IgnoreRule{FixState: ignoreState})
default:
log.Warnf("ignoring unknown fix state %s for --ignore-states", ignoreState)
}
}

if err = applyVexRules(opts); err != nil {
return fmt.Errorf("applying vex rules: %w", err)
}
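Review bot: The switch over `grypeDb.FixState(ignoreState)` hard-codes the four accepted states, duplicating the list that `vulnerability.AllFixStates()` (added to grype/vulnerability/fix.go in this same commit) defines and that the flag's help text in cmd/grype/cli/options/grype.go advertises; a state added to one list and not the other would be advertised but rejected here, or accepted here but never shown to the user. Consider deriving the check from that single list, e.g. `if slices.Contains(vulnerability.AllFixStates(), grypeDb.FixState(ignoreState)) {` if the module targets Go 1.21+ (otherwise a small loop), assuming the `vulnerability` package can be imported here without an import cycle. Warning rather than erroring on an unrecognised value is the safe direction, since the affected findings stay visible rather than being suppressed, but a typo such as `wontfix` for `wont-fix` is then easy to miss in CI logs; returning an error would make the misconfiguration explicit. runGrype begins and ends outside this hunk.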
6 changes: 6 additions & 0 deletions cmd/grype/cli/options/grype.go
Expand Up @@ -19,6 +19,7 @@ type Grype struct {
CheckForAppUpdate bool `yaml:"check-for-app-update" json:"check-for-app-update" mapstructure:"check-for-app-update"` // whether to check for an application update on start up or not
OnlyFixed bool `yaml:"only-fixed" json:"only-fixed" mapstructure:"only-fixed"` // only fail if detected vulns have a fix
OnlyNotFixed bool `yaml:"only-notfixed" json:"only-notfixed" mapstructure:"only-notfixed"` // only fail if detected vulns don't have a fix
IgnoreStates []string `yaml:"ignore-states" json:"ignore-wontfix" mapstructure:"ignore-wontfix"` // ignore detections for vulnerabilities matching these fix states
Platform string `yaml:"platform" json:"platform" mapstructure:"platform"` // --platform, override the target platform for a container image
Search search `yaml:"search" json:"search" mapstructure:"search"`
Ignore []match.IgnoreRule `yaml:"ignore" json:"ignore" mapstructure:"ignore"`
Expand Down Expand Up @@ -103,6 +104,11 @@ func (o *Grype) AddFlags(flags clio.FlagSet) {
"ignore matches for vulnerabilities that are fixed",
)

flags.StringArrayVarP(&o.IgnoreStates,
"ignore-states", "",
fmt.Sprintf("ignore matches for vulnerabilities with specified fix states, options=%v", vulnerability.AllFixStates()),
)

flags.BoolVarP(&o.ByCVE,
"by-cve", "",
"orient results by CVE instead of the original vulnerability ID when possible",
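Review bot: The struct tags on the new IgnoreStates field disagree with each other: the yaml key is `ignore-states` while the json and mapstructure keys are `ignore-wontfix`, whereas every neighbouring field uses one key across all three tags. If configuration files are bound through the mapstructure tag, as the sibling fields suggest, a `.grype.yaml` entry under `ignore-states` would not populate the field and the user's configured states would be silently dropped, while the documented key in the --help text and README would appear to work; the json and mapstructure keys should be changed to `ignore-states` to match. The Grype struct and AddFlags both begin and end outside these hunks.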
9 changes: 9 additions & 0 deletions grype/vulnerability/fix.go
Expand Up @@ -4,6 +4,15 @@ import (
grypeDb "github.com/anchore/grype/grype/db/v5"
)

func AllFixStates() []grypeDb.FixState {
return []grypeDb.FixState{
grypeDb.FixedState,
grypeDb.NotFixedState,
grypeDb.UnknownFixState,
grypeDb.WontFixState,
}
}

type Fix struct {
Versions []string
State grypeDb.FixState
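Review bot: AllFixStates is exported but has no doc comment; add `// AllFixStates returns every fix state a match can carry; it is the list advertised by the --ignore-states flag.` above the declaration. Because the same set is enumerated independently in the new switch in cmd/grype/cli/commands/root.go, the comment should also state that this slice is intended as the single source of truth for accepted fix states, so a state added to the db package only needs to land here. The function returns a fresh slice on each call, so callers cannot mutate a shared list, which is fine for its current use in a help string.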
