Kernel headers ignore

TimBrown1611 · November 26, 2024, 3:48pm

hello!
i’m trying to understand better the kernel-header ignore in grype.
i have this example of image:
I want to understand how can i see if a CVE was ignored, i see the ignore configuration at the end of the schema, but not sure if it is in use or not, or what should i expect if a CVE was ignored.

FROM amazonlinux:2023.5.20240624.0@sha256:5bf791027b4659e73c33a88a3fa2b314b8e2c0ee60cb1088a097171ee7f180db

# Update repositories and install necessary packages
RUN yum update -y && \
    yum install -y tar gzip && \
    yum search kernel | grep 'kernel-' && \
    yum install -y kernel

# Optionally, you can list installed packages to confirm
RUN rpm -qa | grep kernel

example of the schema:

      "ignore": [
        {
          "vulnerability": "",
          "reason": "",
          "namespace": "",
          "fix-state": "",
          "package": {
            "name": "kernel-headers",
            "version": "",
            "language": "",
            "type": "rpm",
            "location": "",
            "upstream-name": "kernel"
          },
          "vex-status": "",
          "vex-justification": "",
          "match-type": "exact-indirect-match"
        },
        {
          "vulnerability": "",
          "reason": "",
          "namespace": "",
          "fix-state": "",
          "package": {
            "name": "linux-headers-.*",
            "version": "",
            "language": "",
            "type": "deb",
            "location": "",
            "upstream-name": "linux"
          },
          "vex-status": "",
          "vex-justification": "",
          "match-type": "exact-indirect-match"
        },
        {
          "vulnerability": "",
          "reason": "",
          "namespace": "",
          "fix-state": "",
          "package": {
            "name": "linux-libc-dev",
            "version": "",
            "language": "",
            "type": "deb",
            "location": "",
            "upstream-name": "linux"
          },
          "vex-status": "",
          "vex-justification": "",
          "match-type": "exact-indirect-match"
        }
      ],

willmurphy · November 26, 2024, 9:36pm

Hi @TimBrown1611! Thanks for the question.

If you pass -o json to Grype, any CVEs that were ignored will be reported under the ignoredMatches in the JSON. So if you want to know whether any CVEs were ignored, just look at the JSON output and see if there’s anything under ignoredMatches.

The JSON you pasted is the end of a Grype JSON output, where we are showing the config with which Grype was invoked. Specifically, we are showing the ignore rules.

Grype has a config option called match-upstream-kernel-headers that defaults to false. When this value is false, Grype adds 3 ignore rules to the config:

github.com

anchore/grype/blob/main/cmd/grype/cli/commands/root.go#L106-L110


      
          	{Package: match.IgnoreRulePackage{Name: "kernel-headers", UpstreamName: "kernel", Type: string(syftPkg.RpmPkg)}, MatchType: match.ExactIndirectMatch},
          	{Package: match.IgnoreRulePackage{Name: "linux-.*-headers-.*", UpstreamName: "linux", Type: string(syftPkg.DebPkg)}, MatchType: match.ExactIndirectMatch},
          	{Package: match.IgnoreRulePackage{Name: "linux-libc-dev", UpstreamName: "linux", Type: string(syftPkg.DebPkg)}, MatchType: match.ExactIndirectMatch},
          }

These 3 rules cause Grype to ignore CVEs that meet the following criteria:

The package name is kernel-headers, linxus-headers-.* (regex match), or linux-libc-dev
The match type is Indirect
The upstream package is called kernel or linux

What this means in simple terms is: When scanning an image, if you find an RPM (or dpkg or apk or whatever) who’s name is kernel-headers and whose upstream is kernel, ignore indirect vulnerabilities. That is, don’t assume that just because an RPM that includes header files related to the kernel is in a container, that a vulnerability in the kernel itself is present in the container.

When scanning images, this makes sense, because there is no kernel in the image, so a kernel vulnerability would be a property of the host running the kernel anyway. Basically, Grype by default won’t report vulnerabilities in the Linux kernel itself against your image just because it has some RPMs with kernel header files in them installed.

Does that make sense? Have I answered your question?

TimBrown1611 · November 26, 2024, 9:49pm

hi! yes, the answer was comprehensive.
can I add rules of myself?
recently i am trying to reduce “noise” and duplicate vulnerabilities in VMs scan, most of them from rpm

willmurphy · November 26, 2024, 9:59pm

Yes, you can add ignore rules yourself, see GitHub - anchore/grype: A vulnerability scanner for container images and filesystems

TimBrown1611 · November 27, 2024, 5:43am

is it possible to add more complex rules?
the rules today apply to a single match, however in my case i want an ignore will be at a context of other matches.
for example:
if a match applies to a package from a direct match, don’t include other indirect matches for the same package.

willmurphy · November 27, 2024, 5:12pm

Today you would have to do that by post processing Grype’s output; there’s no config for that.

The main use case for ignore rules is basically to say, “we have researched this CVE, and the way we are using this package means that we are not vulnerable, so suppress this CVE for this package,” or similar rules.

TimBrown1611 · November 27, 2024, 5:16pm

thanks!
do you think it makes any sense to look into CVEs from indierct \ cpe match, in case other CVEs were provided from direct match?

Topic		Replies	Views
Why rpmSource \ source is needed? Grype	9	58	November 26, 2024
How can we make Grype's output more focused? Grype	12	759	January 30, 2025
Missing vulnerabilites in container image scans? Grype	2	59	August 14, 2024
Matching vulnerabilities using upstream without versions Grype	1	57	December 3, 2024
Grype is showing all critical vulnerabilities even in latest gitlab-ce 17.5.0 docker image are not fixed :( Grype discuss	6	227	October 24, 2024

Kernel headers ignore

Related topics