Grype filtering through CVSS vector
What would you like to be added:
Grype currently outputs a CVSS vector. Grype also has the ability to set a config file describing the kind of components that should be filtered from the output. It would be great if we can filter grype outputs based on certain parts of the CVSS vector (e.g. network exploitable vuln.)
Why is this needed:
Allows users to create filters for CVEs that actually affect their runtime env.
Additional context:
https://www.first.org/cvss/calculator/3.0
TODO: How to express the filter string/configuration.
This is such a great idea. 🎉
Also leaving a couple of thoughts...
- Not all of Grype's matches have CVSS data, since it depends on if the matched upstream source had CVSS data. Just something to think about as we design the filtering semantics... (e.g. if I want only "network" vector vulnerabilities, do I show the non-CVSS matches? If I want to filter out the "network" vector vulnerabilities, do I show the non-CVSS matches?)
- For implementation: Does this tie into the existing IgnoreRules system, or is this something new?
An idea on how to filter on CVSS fields - treat each field with a subset of glob matching rules - by default all fields that are not specified are assumed to be wildcards or will match any values that are present.
e.g.
CVSS:3.1/AV:[NAL]
will match all CVSS vectors with AV set to N, A or L.
Alternatively we can also specify
CVSS:3.1/AV:!P
to match all attack vectors not equal to physical.
Alternatively we can also use regex, in which case it will look like -
CVSS:3.1/AV:[NAL]
or
CVSS:3.1/AV:[^P]
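As an added illustration of the glob rules proposed above (example code written for this thread, not grype's own implementation), the functions below parse a CVSS v3.x vector into metrics and apply a filter written in the same syntax: unspecified metrics are wildcards, `[NAL]` matches any listed value and `!P` matches anything but P. The function names, the `keepUnscored` flag (one answer to the earlier question about matches with no CVSS data) and the sample vectors are assumptions; the version prefix is compared like any other metric, and a rule naming a metric the vector lacks never matches.

```go
package main

import (
	"fmt"
	"strings"
)

// parseVector maps "CVSS:3.1/AV:N/AC:L/..." to metric -> value ("CVSS" -> "3.1" included).
func parseVector(v string) (map[string]string, error) {
	m := map[string]string{}
	for _, p := range strings.Split(v, "/") {
		kv := strings.SplitN(p, ":", 2)
		if len(kv) != 2 || kv[0] == "" || kv[1] == "" {
			return nil, fmt.Errorf("malformed metric %q in %q", p, v)
		}
		m[kv[0]] = kv[1]
	}
	return m, nil
}

// matchValue applies one per-field rule: "N" exact, "[NAL]" any listed value, "!P" anything but P.
func matchValue(rule, value string) bool {
	switch {
	case strings.HasPrefix(rule, "!"):
		return value != rule[1:]
	case strings.HasPrefix(rule, "[") && strings.HasSuffix(rule, "]"):
		return strings.Contains(rule[1:len(rule)-1], value)
	}
	return rule == value
}

// MatchFilter: metrics absent from filter are wildcards; a match with no usable
// CVSS data (empty or malformed vector) is kept or dropped per keepUnscored.
func MatchFilter(filter, vector string, keepUnscored bool) (bool, error) {
	want, err := parseVector(filter)
	if err != nil {
		return false, err
	}
	have, err := parseVector(vector) // "" (no CVSS data) also ends up here
	if err != nil {
		return keepUnscored, nil
	}
	for metric, rule := range want {
		if v, ok := have[metric]; !ok || !matchValue(rule, v) {
			return false, nil // rule on a metric the vector lacks never matches
		}
	}
	return true, nil
}
```

A malformed filter is reported as an error rather than silently matching everything, which matters when the filter is used to drop findings from a report.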
@samj1912 if you are interested we'd be happy to accept a PR that filters based on the glob matching rules you supplied above.
cc @wagoodman if he has any concerns about using those rules or if there is an edge case we might be missing on the above.