First thing: I like the idea of excluding suppressed things by default, and only including them with --show-suppressed
, and my vote would be to make this consistent across all outputs – table and JSON, so a user does not get a large set of ignored matches by default.
As we talked about, this has overlap with a desire to consolidate parameters (such as --only-fixed
and kin) and avoid making a large number of flags. See Grype issue 197 for the similar discussion/suggestion.
As such, I think most users understand the ignore
feature, and I would think adding an ignore flag might be a relatively simple path forward. Here’s what it looks like today in the config file:
ignore:
# This is the full set of supported rule fields:
- vulnerability: CVE-2008-4318
fix-state: unknown
# VEX fields apply when Grype reads vex data:
vex-status: not_affected
vex-justification: vulnerable_code_not_present
severity: medium # this doesn't exist today
package:
name: libcurl
version: 1.5.1
type: npm
location: "/usr/local/lib/node_modules/**"
Let’s say the user just wants to ignore a vulnerability ID, this could potentially be mapped to a CLI flag like:
grype --ignore vulnerability:CVE-2008-4318
The CLI could be a bit smarter about it and allow for some specific known single values to omit the qualifier and/or specify multiple values with a list separated by something, e.g.:
grype --ignore CVE-2008-4318 --ignore not-fixed --ignore package-name:libcurl,package-version:1.5.1,package-type:npm
… as for the severity ignore, I can’t really think of a reason a user would want to ignore a specific severity but include “lower” severities, so I’d vote to make something like: --ignore medium
identify that medium is a known severity keyword (or --ignore severity:medium
with the qualifier), and ignore all matches with medium and below.
Perhaps there could be an flag to do opposite things, so --only fixed
or --only severity:medium
could behave as you might expect.