Thanks @maskitron!
It sounds like the goal with this change is to make the output JSON smaller. I wanted to confirm this, because a lot of our discussions were about ideas that would make the standard table output smaller, but would not actually make the JSON smaller (because matches would be moved from the `matches` key in the JSON to the `ignoredMatches` key).
I’m going to propose a few changes to Grype. We’ll try discussing these at the next community meeting.
- Add a `min-severity` flag that takes any severity level (negligible, low, medium, high, or critical) and ignores every severity below that level. So `grype --min-severity low my-image` would scan the image and ignore negligible severities, `grype --min-severity medium` would ignore low and negligible, etc.
- Change the `show-suppressed` config value to affect JSON output. This value will default to “false” for the table format and “true” for other formats, but will be respected by the presenter of any format.
- Change the config file to enable adding an entry like `- severity: negligible` to the `ignore` node in Grype’s config file. (You can see a sample of the current file by running `grype config`.)
At the next community meeting (tomorrow) we’ll try to discuss the pros and cons of making this particular change to Grype.
@maskitron for your use case, you would do something like `GRYPE_SHOW_SUPPRESS=false GRYPE_MIN_SEVERITY=low grype ...` and it would make JSON that includes none of the ignored vulnerabilities. Would that meet your use case?
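As an added example (not Grype's own code and not part of the comment above), the script below post-processes a Grype JSON report to get the effect the proposed `min-severity` flag and `show-suppressed` value would have: matches below a threshold are dropped from `matches`, and either discarded or moved to `ignoredMatches`. It assumes the report has top-level `matches` and `ignoredMatches` arrays and that each match carries its severity at `match["vulnerability"]["severity"]`; the report embedded in the script is constructed for illustration. It also goes slightly beyond the comment by deciding explicitly what to do with matches whose severity is unknown, since silently dropping unrated findings is the failure mode a threshold filter is most likely to introduce.

```python
"""Filter a Grype JSON report by minimum severity.

Added example, not Grype's own code. Assumptions: the report has
top-level "matches" and "ignoredMatches" arrays and each match has its
severity label at match["vulnerability"]["severity"]. SAMPLE_REPORT is
constructed data, not real scan output.
"""
import json
import sys

# Grype's severity levels, lowest first (from the proposal in the thread).
SEVERITY_ORDER = ["negligible", "low", "medium", "high", "critical"]
UNKNOWN_RANK = -1  # a label outside SEVERITY_ORDER ("Unknown", "", missing)


def rank(severity):
    """Map a severity label to its index in SEVERITY_ORDER, case-insensitively."""
    label = (severity or "").strip().lower()
    return SEVERITY_ORDER.index(label) if label in SEVERITY_ORDER else UNKNOWN_RANK


def filter_report(report, min_severity, show_suppressed=False, keep_unknown=True):
    """Return a copy of `report` with matches below `min_severity` suppressed.

    show_suppressed=True appends the suppressed matches to "ignoredMatches"
    (what the proposed show-suppressed=true would do for JSON); otherwise
    "ignoredMatches" is omitted so the JSON really does get smaller.
    keep_unknown=True keeps matches with an unrecognised severity in
    "matches" rather than dropping them along with the low ones.
    """
    threshold = rank(min_severity)
    if threshold == UNKNOWN_RANK:
        raise ValueError(f"unknown severity {min_severity!r}; expected one of {SEVERITY_ORDER}")

    kept, suppressed = [], []
    for match in report.get("matches", []):
        r = rank(match.get("vulnerability", {}).get("severity"))
        if r == UNKNOWN_RANK:
            (kept if keep_unknown else suppressed).append(match)
        elif r >= threshold:
            kept.append(match)
        else:
            suppressed.append(match)

    out = dict(report)
    out["matches"] = kept
    if show_suppressed:
        out["ignoredMatches"] = list(report.get("ignoredMatches", [])) + suppressed
    else:
        out.pop("ignoredMatches", None)
    return out


def match_ids(matches):
    """Vulnerability IDs of a list of matches, in order (used for checks)."""
    return [m["vulnerability"]["id"] for m in matches]


# Constructed sample report; IDs are placeholders, not real CVEs.
SAMPLE_REPORT = {
    "matches": [
        {"vulnerability": {"id": "CVE-EXAMPLE-1", "severity": "Negligible"}, "artifact": {"name": "liba"}},
        {"vulnerability": {"id": "CVE-EXAMPLE-2", "severity": "Low"}, "artifact": {"name": "libb"}},
        {"vulnerability": {"id": "CVE-EXAMPLE-3", "severity": "High"}, "artifact": {"name": "libc"}},
        {"vulnerability": {"id": "CVE-EXAMPLE-4", "severity": "Unknown"}, "artifact": {"name": "libd"}},
    ],
    "ignoredMatches": [],
}


if __name__ == "__main__":
    # Usage: grype -o json my-image | python filter_report.py low [--show-suppressed]
    min_sev = sys.argv[1] if len(sys.argv) > 1 else "low"
    show = "--show-suppressed" in sys.argv[2:]
    source = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_REPORT
    json.dump(filter_report(source, min_sev, show_suppressed=show), sys.stdout, indent=2)
    print()
```

Run without stdin it filters the embedded sample; piped after `grype -o json` it filters a real report. Keeping unknown-severity matches by default mirrors the safer reading of "ignore every severity below that level": a finding with no rating is not known to be below the threshold.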