more information:
the grype result size is 1.8gb
the sbom size is 140mb~
can’t share the sbom, but I wonder if I can filter the results at runtime (maybe only high \ critical, maybe remove duplicate CVEs)
this is an example of the top packages and their number of vulnerabilities:
3971 linux-modules-5.3.0-1017-aws
3971 linux-image-5.3.0-1017-aws
3971 linux-aws-5.3-headers-5.3.0-1017
3960 linux-modules-5.3.0-1019-aws
3960 linux-image-5.3.0-1019-aws
3960 linux-aws-5.3-headers-5.3.0-1019
3956 linux-modules-5.3.0-1028-aws
3956 linux-modules-5.3.0-1023-aws
3956 linux-image-5.3.0-1028-aws
3956 linux-image-5.3.0-1023-aws
I’m afraid that even after this PR is merged - fix upstream match for linux-.*-headers-.* by barnuri · Pull Request #2320 · anchore/grype · GitHub -
the file will still be big, since we include the ignored matches.
so I have a few suggestions here -
- add an option to filter out ignored matches to reduce the file size
- don’t keep the ignored vulnerabilities in memory, since there can be thousands of results
- add complex ignores so we will not need to merge into grype (and each user can make his own ignores)
- filter out vulnerabilities by severity (at runtime)
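The post-processing the comment asks for (drop ignored matches, keep only a minimum severity, collapse the same CVE reported against several kernel packages) can be done today on grype's JSON output. The following is an added example written for this thread, not code from grype or from the commenter; it assumes grype's JSON document keeps findings under `matches` and suppressed findings under `ignoredMatches`, with `vulnerability.id`, `vulnerability.severity` and `artifact.name` inside each match, and the report it embeds is constructed sample data, not a real scan.

```python
"""Shrink a grype JSON report: drop ignoredMatches, filter by severity,
optionally collapse duplicate CVE ids, and rank packages by match count."""
import json
import sys
from collections import Counter

# Grype severity labels ordered from lowest to highest. Assumption: these are
# the labels grype writes into vulnerability.severity.
SEVERITY_RANK = {"Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def filter_matches(matches, min_severity="High", dedupe_cves=False, keep_unknown=True):
    """Return the subset of `matches` at or above `min_severity`.

    With dedupe_cves=True only the first match per vulnerability id survives,
    so one CVE that hits linux-image, linux-modules and the headers package is
    listed once. Matches whose severity is not in SEVERITY_RANK are kept by
    default so that unrated findings are reviewed rather than silently lost.
    """
    threshold = SEVERITY_RANK[min_severity]
    seen_ids = set()
    kept = []
    for match in matches:
        vuln = match.get("vulnerability", {})
        rank = SEVERITY_RANK.get(vuln.get("severity"))
        if rank is None:
            if not keep_unknown:
                continue
        elif rank < threshold:
            continue
        if dedupe_cves:
            vuln_id = vuln.get("id")
            if vuln_id in seen_ids:
                continue
            seen_ids.add(vuln_id)
        kept.append(match)
    return kept


def shrink_report(report, **kwargs):
    """Copy of the report with filtered matches and an empty ignoredMatches list.

    Assumption: grype's document layout ("matches" / "ignoredMatches"); every
    other top-level key (source, distro, descriptor, ...) is passed through.
    """
    slim = {k: v for k, v in report.items() if k != "ignoredMatches"}
    slim["matches"] = filter_matches(report.get("matches", []), **kwargs)
    slim["ignoredMatches"] = []
    return slim


def top_packages(matches, n=10):
    """Count matches per artifact name, like the package ranking in the post."""
    counts = Counter(m.get("artifact", {}).get("name", "?") for m in matches)
    return counts.most_common(n)


# Constructed sample report (not real scan data) in the assumed grype layout.
SAMPLE_REPORT = {
    "matches": [
        {"vulnerability": {"id": "CVE-2020-0001", "severity": "High"},
         "artifact": {"name": "linux-modules-5.3.0-1017-aws", "version": "5.3.0-1017.18"}},
        {"vulnerability": {"id": "CVE-2020-0001", "severity": "High"},
         "artifact": {"name": "linux-image-5.3.0-1017-aws", "version": "5.3.0-1017.18"}},
        {"vulnerability": {"id": "CVE-2020-0002", "severity": "Low"},
         "artifact": {"name": "linux-image-5.3.0-1017-aws", "version": "5.3.0-1017.18"}},
        {"vulnerability": {"id": "CVE-2020-0003", "severity": "Critical"},
         "artifact": {"name": "linux-modules-5.3.0-1017-aws", "version": "5.3.0-1017.18"}},
        {"vulnerability": {"id": "CVE-2020-0004", "severity": "Unknown"},
         "artifact": {"name": "libexample", "version": "1.0"}},
    ],
    "ignoredMatches": [
        {"vulnerability": {"id": "CVE-2020-0005", "severity": "High"},
         "artifact": {"name": "linux-aws-5.3-headers-5.3.0-1017", "version": "5.3.0-1017.18"}},
    ],
}


def main(argv):
    # Usage: python shrink_grype.py [report.json [slim.json]]; no arguments runs on the sample.
    # json.load parses the whole file, so a 1.8 GB report needs that much RAM;
    # for reports that size a streaming parser would be the next step.
    if len(argv) > 1:
        with open(argv[1]) as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    slim = shrink_report(report, min_severity="High", dedupe_cves=True)
    print(f"matches: {len(report.get('matches', []))} -> {len(slim['matches'])}")
    print(f"ignoredMatches dropped: {len(report.get('ignoredMatches', []))}")
    for name, count in top_packages(slim["matches"]):
        print(f"{count:>6} {name}")
    if len(argv) > 2:
        with open(argv[2], "w") as out:
            json.dump(slim, out)


if __name__ == "__main__":
    main(sys.argv)
```

Deduplicating on the CVE id alone is what makes the report small for the kernel-package case in the comment, but it also hides which of the linux-image / linux-modules / headers packages carried the finding; keep `dedupe_cves=False` when the per-package view matters for remediation and rely on the severity filter and the dropped `ignoredMatches` for the size win.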