Comments (6)
We discussed this (a couple times now) and there are still some outstanding questions about exactly what the behavior should be, but to tie some of the discussion together, I've implemented a PR here with one approach that would accomplish, I think, what @henrysachs is asking for (we discussed this on the live stream, and it sounded as though this approach would work): anchore/fangs#51
from grype.
Hey @popey,
I can't watch the livestream currently (but nice one exists!). I know about vex and really like it, but unfortunately in my current context I don't know about the exact location of the vex documents because there is no standard about the path to a vex document. But as there is one for Grype I want my users to be able to set a grype config but have a global one too. That's why I would love a "real" merge and not just one for vulnerabilities. It would be even cooler if there was some kind of precedence like the config in the home directory is "winning" over the one in the repository. Hope I could explain myself a bit further and If pointed correctly I would be happy to help out.
PS: I would love to have the same for syft!
from grype.
Hi @henrysachs it sounds like you'd only want to merge ignored vulnerabilities, is that correct? Or are there other parts of the config you'd expect to merge?
from grype.
@willmurphyscode for my Part merging ignores would be sufficient
from grype.
Hey @henrysachs - we discussed this during the latest live stream (at the start).
A few options were discussed. One suggestion raised was VEX support in Grype - which already exists.
Have you considered using this existing functionality to ignore vulnerabilities you're not interested in getting notified about?
You can pass multiple VEX documents to Grype, so you can point to a number of separate documents which may exist in different folders in your hierarchy.
from grype.
👋 We will discuss this topic at our next Open Source Gardening Live Stream later today. Anyone interested in the topic is welcome to join. All the details are in this thread 🎉
from grype.
Related Issues (20)
- Filter output by severity HOT 3
- False Positive: GHSA-248v-346w-9cwc/(CVE-2024-39689) reported for certifi library in python HOT 2
- False negatives on Java org.webjars/bootstrap and org.webjars/jquery HOT 3
- Fail if explicitly specified config file is absent HOT 1
- Update operations are non atmoic across processes HOT 1
- Grype should expand `~` in paths in config file HOT 1
- Top level `output` config should only affect grype root command HOT 1
- Different results scanning PHP SBOMs generated by cdxgen and Syft HOT 1
- Ignoring search results when CPE is not set in the SBOM HOT 1
- Scan specific file
- Noisy INFO logs on scanning composer.lock SBOM generated by Syft
- Failed to parse constraint of CVE-2024-6345 which fails the scan HOT 6
- Check for stale DB on quality gate runs
- Grype only supports SKOPEO when using 'docker-archive' format. HOT 2
- Possible FP GHSA-6757-jp84-gxfx \ CVE-2020-1747
- Posiible FP on pillow package inside amazon image
- False Positive: GHSA-jfmj-5v4g-7637 (CVE-2024-5569) python3-zipp due to Syft noise and mismatch of package name
- Grype panics with a nil pointer dereference error when given an empty string argument
- no grype db was published since 17.8 HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from grype.