hello!
I'm trying to understand better the kernel-header ignore in grype.
I have this example of an image:

```dockerfile
FROM amazonlinux:2023.5.20240624.0@sha256:5bf791027b4659e73c33a88a3fa2b314b8e2c0ee60cb1088a097171ee7f180db

# Update repositories and install necessary packages
RUN yum update -y && \
    yum install -y tar gzip && \
    yum search kernel | grep 'kernel-' && \
    yum install -y kernel

# Optionally, you can list installed packages to confirm
RUN rpm -qa | grep kernel
```

I want to understand how I can see if a CVE was ignored. I see the ignore configuration at the end of the schema, but I'm not sure if it is in use or not, or what I should expect if a CVE was ignored.

Example of the schema:
```json
"ignore": [
  {
    "vulnerability": "",
    "reason": "",
    "namespace": "",
    "fix-state": "",
    "package": {
      "name": "kernel-headers",
      "version": "",
      "language": "",
      "type": "rpm",
      "location": "",
      "upstream-name": "kernel"
    },
    "vex-status": "",
    "vex-justification": "",
    "match-type": "exact-indirect-match"
  },
  {
    "vulnerability": "",
    "reason": "",
    "namespace": "",
    "fix-state": "",
    "package": {
      "name": "linux-headers-.*",
      "version": "",
      "language": "",
      "type": "deb",
      "location": "",
      "upstream-name": "linux"
    },
    "vex-status": "",
    "vex-justification": "",
    "match-type": "exact-indirect-match"
  },
  {
    "vulnerability": "",
    "reason": "",
    "namespace": "",
    "fix-state": "",
    "package": {
      "name": "linux-libc-dev",
      "version": "",
      "language": "",
      "type": "deb",
      "location": "",
      "upstream-name": "linux"
    },
    "vex-status": "",
    "vex-justification": "",
    "match-type": "exact-indirect-match"
  }
],
```
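The practical way to answer the question above is to look at grype's JSON report rather than the table: matches that an ignore rule suppressed are moved out of `matches` into a separate `ignoredMatches` list, and each entry there carries the rule(s) that suppressed it under `appliedIgnoreRules` (for the table format, `--show-suppressed` prints them instead of hiding them). The script below is an added example, not grype's own code and not part of the original post. It assumes that JSON layout (`matches`, `ignoredMatches`, `appliedIgnoreRules`, and the `vulnerability.id` / `artifact.name` fields on each match); the report it parses is constructed by hand, with a placeholder CVE id, to mimic a scan of an image carrying both the `kernel` and `kernel-headers` RPMs, where the `kernel-headers` hit is suppressed by the default `exact-indirect-match` rule shown in the schema.

```python
"""Report which CVEs a grype JSON scan ignored, and which ignore rule did it.

Added example, not grype's code. Assumes grype's JSON document layout:
top-level "matches" and "ignoredMatches", with each ignored match carrying
"appliedIgnoreRules". Real usage: `grype <image> -o json > report.json`
and pass the file contents to summarize() / was_ignored().
"""
import json

# Constructed sample (NOT real grype output, placeholder CVE id). The direct
# match on the "kernel" RPM stays reported; the same CVE matched indirectly
# through "kernel-headers" (upstream "kernel") is suppressed by the default
# rule for RPM kernel headers with match-type exact-indirect-match.
SAMPLE_REPORT = json.dumps({
    "matches": [
        {
            "vulnerability": {"id": "CVE-0000-0001", "severity": "High"},
            "matchDetails": [{"type": "exact-direct-match"}],
            "artifact": {"name": "kernel", "version": "6.1.0", "type": "rpm"},
        }
    ],
    "ignoredMatches": [
        {
            "vulnerability": {"id": "CVE-0000-0001", "severity": "High"},
            "matchDetails": [{"type": "exact-indirect-match"}],
            "artifact": {"name": "kernel-headers", "version": "6.1.0",
                         "type": "rpm"},
            "appliedIgnoreRules": [
                {
                    "package": {"name": "kernel-headers", "type": "rpm",
                                "upstream-name": "kernel"},
                    "match-type": "exact-indirect-match",
                }
            ],
        }
    ],
})


def describe_rule(rule: dict) -> str:
    """Render one applied ignore rule as a short, readable label."""
    pkg = rule.get("package", {})
    parts = []
    if rule.get("vulnerability"):
        parts.append(f"vulnerability={rule['vulnerability']}")
    if pkg:
        parts.append(f"package={pkg.get('type', '*')}:{pkg.get('name', '*')}")
        if pkg.get("upstream-name"):
            parts.append(f"upstream={pkg['upstream-name']}")
    if rule.get("match-type"):
        parts.append(f"match-type={rule['match-type']}")
    return " ".join(parts) or "<unconditional rule>"


def summarize(report_json: str) -> dict:
    """Map (cve_id, package_name) -> 'reported' or 'ignored by <rule ...>'."""
    doc = json.loads(report_json)
    status = {}
    for m in doc.get("matches", []):
        status[(m["vulnerability"]["id"], m["artifact"]["name"])] = "reported"
    for m in doc.get("ignoredMatches", []):
        key = (m["vulnerability"]["id"], m["artifact"]["name"])
        rules = [describe_rule(r) for r in m.get("appliedIgnoreRules", [])]
        status[key] = "ignored by " + "; ".join(rules) if rules else "ignored"
    return status


def was_ignored(report_json: str, cve_id: str, package: str) -> bool:
    """True if this CVE/package pair landed in ignoredMatches, not matches."""
    return summarize(report_json).get((cve_id, package), "").startswith("ignored")


if __name__ == "__main__":
    # With a real report: summarize(open("report.json").read())
    for (cve, pkg), state in sorted(summarize(SAMPLE_REPORT).items()):
        print(f"{cve:16} {pkg:16} {state}")
```

If a CVE you expect to be suppressed still shows up under `matches` for the `kernel-headers` package, the rule did not apply; the usual reason is that the match was a direct one against `kernel-headers` itself rather than an indirect match via the `kernel` upstream, since the rule is restricted to `match-type: exact-indirect-match`.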