grype
ignoredMatches dropped from results when using both by-cve and only-fixed config or CLI args
What happened:
The `ignoredMatches[]` array that should be created when using `--only-fixed` or providing any custom ignore rules is dropped when also using `--by-cve`.
What you expected to happen:
The `ignoredMatches[]` array should be present in any result outputs when any ignore rules or config items that dynamically add ignore rules (like `--only-fixed`) are provided either via the config yaml or CLI args.
How to reproduce it (as minimally and precisely as possible):
Baseline showing JSON results with the expected `ignoredMatches[]` array, with 98 not-fixed/wont-fix items:
% grype --only-fixed -o json nginx:latest | jq '.ignoredMatches | length'
✔ Vulnerability DB [no update available]
✔ Loaded image nginx:latest
✔ Parsed image sha256:2a4fbb36e96607b16e5af2e24dc6a1025a4795520c98c6b9ead9c4113617cb73
✔ Cataloged packages [152 packages]
✔ Scanned for vulnerabilities [124 vulnerability matches]
├── by severity: 0 critical, 8 high, 30 medium, 4 low, 71 negligible (11 unknown)
└── by status: 26 fixed, 98 not-fixed, 0 ignored
98
Providing `--by-cve` and `--only-fixed` via CLI args, the `ignoredMatches[]` array is missing and has zero length:
% grype --by-cve --only-fixed -o json nginx:latest | jq '.ignoredMatches | length'
✔ Vulnerability DB [no update available]
✔ Loaded image nginx:latest
✔ Parsed image sha256:2a4fbb36e96607b16e5af2e24dc6a1025a4795520c98c6b9ead9c4113617cb73
✔ Cataloged packages [152 packages]
✔ Scanned for vulnerabilities [124 vulnerability matches]
├── by severity: 0 critical, 8 high, 30 medium, 4 low, 71 negligible (11 unknown)
└── by status: 26 fixed, 98 not-fixed, 0 ignored
0
Providing `--by-cve` and `--only-fixed` via config yaml, the `ignoredMatches[]` array is missing and has zero length:
% cat only-fixed-by-cve.yaml
only-fixed: true
by-cve: true
% grype --config ./only-fixed-by-cve.yaml -o json nginx:latest | jq '.ignoredMatches | length'
✔ Vulnerability DB [no update available]
✔ Loaded image nginx:latest
✔ Parsed image sha256:2a4fbb36e96607b16e5af2e24dc6a1025a4795520c98c6b9ead9c4113617cb73
✔ Cataloged packages [152 packages]
✔ Scanned for vulnerabilities [124 vulnerability matches]
├── by severity: 0 critical, 8 high, 30 medium, 4 low, 71 negligible (11 unknown)
└── by status: 26 fixed, 98 not-fixed, 0 ignored
0
Anything else we need to know?:
When running in debug mode and not using the `--by-cve` arg, we see the following output when the `ignoredMatches[]` are correctly output:
[0001] INFO ignoring 98 matches due to user-provided ignore rules
[0001] INFO found 124 vulnerability matches across 150 packages
[0001] DEBUG ├── fixed: 26
[0001] DEBUG ├── ignored: 0 (due to user-provided rule)
[0001] DEBUG ├── dropped: 0 (due to hard-coded correction)
[0001] DEBUG └── matched: 124
[0001] DEBUG ├── unknown severity: 11
[0001] DEBUG ├── negligible: 71
[0001] DEBUG ├── low: 4
[0001] DEBUG ├── medium: 30
[0001] DEBUG ├── high: 8
[0001] DEBUG └── critical: 0
[0001] INFO ignored 98 vulnerability matches
<snipped list of 98 ignored matches>
When running in debug with both args provided, we just see the matches and not the ignored matches:
[0002] INFO ignoring 98 matches due to user-provided ignore rules
[0002] INFO found 124 vulnerability matches across 150 packages
[0002] DEBUG ├── fixed: 26
[0002] DEBUG ├── ignored: 0 (due to user-provided rule)
[0002] DEBUG ├── dropped: 0 (due to hard-coded correction)
[0002] DEBUG └── matched: 124
[0002] DEBUG ├── unknown severity: 11
[0002] DEBUG ├── negligible: 71
[0002] DEBUG ├── low: 4
[0002] DEBUG ├── medium: 30
[0002] DEBUG ├── high: 8
[0002] DEBUG └── critical: 0
{
"matches": [
Environment:
- Output of `grype version`:
% grype version
Application: grype
Version: 0.69.1
BuildDate: 2023-09-27T16:51:03Z
GitCommit: dec563669d683ab4d11e95a28635099673363d80
GitDescription: v0.69.1
Platform: linux/amd64
GoVersion: go1.21.1
Compiler: gc
Syft Version: v0.92.0
Supported DB Schema: 5
- OS (e.g. `cat /etc/os-release` or similar):
NAME="Red Hat Enterprise Linux Server"
VERSION="7.9 (Maipo)"
ID="rhel"
ID_LIKE="fedora"
VARIANT="Server"
VARIANT_ID="server"
VERSION_ID="7.9"
PRETTY_NAME="Red Hat Enterprise Linux Server 7.9 (Maipo)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:7.9:GA:server"
HOME_URL="https://www.redhat.com/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 7"
REDHAT_BUGZILLA_PRODUCT_VERSION=7.9
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="7.9"
Possibly related: #1454
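A consumer-side check for the failure mode described in this issue, added here as an example and not part of grype or of the original report: it takes a grype JSON report produced with `--only-fixed` and flags the cases where the `ignoredMatches` array is missing, a non-fixed finding survived the filter, or `matches` plus `ignoredMatches` no longer add up to the baseline match count from an unfiltered run of the same image. The report shape (top-level `matches` and `ignoredMatches` arrays, `vulnerability.fix.state`, `ignoredMatches[].match`) follows grype's JSON output; the sample reports are constructed placeholders, and the contents of `appliedIgnoreRules` are assumed.

```python
import json
from typing import List, Optional

# Constructed sample reports in the shape of grype's JSON output (the
# "matches" and "ignoredMatches" arrays). The vulnerability ids, package
# names and rule contents are placeholders, not real scan results.
REPORT_WITH_IGNORED = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-0000-0001", "fix": {"state": "fixed", "versions": ["1.2.3"]}},
         "artifact": {"name": "libfoo", "version": "1.2.2"}},
    ],
    "ignoredMatches": [
        {"match": {"vulnerability": {"id": "CVE-0000-0002", "fix": {"state": "not-fixed", "versions": []}},
                   "artifact": {"name": "libbar", "version": "0.9"}},
         "appliedIgnoreRules": [{"fix-state": "not-fixed"}]},  # rule contents assumed
        {"match": {"vulnerability": {"id": "CVE-0000-0003", "fix": {"state": "wont-fix", "versions": []}},
                   "artifact": {"name": "libbaz", "version": "2.0"}},
         "appliedIgnoreRules": [{"fix-state": "wont-fix"}]},
    ],
})

# Same scan, but with the ignoredMatches array dropped entirely, which is the
# symptom described in the issue when --by-cve and --only-fixed are combined.
REPORT_IGNORED_DROPPED = json.dumps({"matches": json.loads(REPORT_WITH_IGNORED)["matches"]})


def audit_only_fixed_report(raw: str, baseline_total: Optional[int] = None) -> List[str]:
    """Check a grype JSON report produced with --only-fixed for audit gaps.

    baseline_total is the match count from an unfiltered run of the same
    image (the "Scanned for vulnerabilities [N vulnerability matches]"
    figure); when given, matches + ignoredMatches must add up to it.
    Returns a list of human-readable problems; an empty list means the
    report accounts for every match.
    """
    report = json.loads(raw)
    problems: List[str] = []

    if "ignoredMatches" not in report:
        problems.append("ignoredMatches array missing: ignored findings cannot be audited")

    matches = report.get("matches", [])
    ignored = report.get("ignoredMatches", [])

    # Under --only-fixed, anything left in matches must actually have a fix.
    for m in matches:
        vuln = m["vulnerability"]
        if vuln["fix"]["state"] != "fixed":
            problems.append(f"{vuln['id']} has fix state {vuln['fix']['state']!r} but was not ignored")

    # Conversely, nothing with a fix should have been suppressed by the rule.
    for entry in ignored:
        vuln = entry["match"]["vulnerability"]
        if vuln["fix"]["state"] == "fixed":
            problems.append(f"{vuln['id']} is fixed but appears in ignoredMatches")

    # The two arrays together must account for every match the scanner found.
    if baseline_total is not None and len(matches) + len(ignored) != baseline_total:
        problems.append(
            f"matches ({len(matches)}) + ignoredMatches ({len(ignored)}) != "
            f"baseline {baseline_total}: ignored matches were dropped from the output"
        )
    return problems


if __name__ == "__main__":
    for name, raw in (("with ignored", REPORT_WITH_IGNORED), ("ignored dropped", REPORT_IGNORED_DROPPED)):
        print(name, audit_only_fixed_report(raw, baseline_total=3) or "ok")
```

In a pipeline the baseline figure comes from a run without `--only-fixed` (the reporter's 124 above), so a report that silently loses its `ignoredMatches` array fails the count check even if the key happens to be present but empty.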
This still happens today (adding a sha to the image to make repro steps more deterministic):
$ grype -q --by-cve --only-fixed -o json nginx@sha256:10d1f5b58f74683ad34eb29287e07dab1e90f10af243f151bb50aa5dbb4d62ee | jq '.ignoredMatches | length'
0
$ grype -q --only-fixed -o json nginx@sha256:10d1f5b58f74683ad34eb29287e07dab1e90f10af243f151bb50aa5dbb4d62ee | jq '.ignoredMatches | length'
109
Thanks for the report @mathrock! I'm moving this to the backlog.