ignore CVEs by pattern-matching in Summary field

Open hdhoang opened this issue 3 years ago • 6 comments

Hi! In our environment, we can blacklist whole Linux modules (e.g. NFC, Bluetooth, InfiniBand networking). We would like a feature to ignore CVEs by a keyword list, preferably also applied to API server submissions.

What do you think? Thanks

hdhoang, Jul 07 '21 05:07

Did you try ignorePkgsRegexps option? https://vuls.io/docs/en/usage-report.html#example-ignorepkgsregexp

shigechika, Jul 07 '21 05:07

ignorePkgsRegexp has different granularity. All of the modules and their CVEs are covered under one package regex ^linux-image-.* (in our Debian env). This would suppress other relevant CVEs.

Thanks!

(aside: this option and related ignoreCves are not working for us via API server, cf. #1267)

hdhoang, Jul 07 '21 06:07

Hi @hdhoang, I just submitted a PR for #1267, which is #1270. Hopefully it gets merged soon <3 Also, could you give us more examples of what you want and what your keyword list would look like?

Thanks.

qwexvf, Jul 08 '21 07:07

Isn't what you're expecting that you want to ignore CVEs that are pattern-matched in the summary field in cveContents (ex. cveContents[nvd][summary], cveContents[ubuntu][summary]), and you want to be able to accept keywords that match that pattern?

MaineK00n, Jul 08 '21 09:07

I imagine the setting entry (for default list, and servers, containers tables) looks like:

ignoreSummaryPatterns = [
  "* DISPUTED *",
  "f2fs filesystem",
  "drivers/net/wireless",
]

and the CVE is skipped if any of the datasource Summary fields contains such a substring. Cascading/shadowing behaviour should be consistent with other ignore* settings.

ex. cveContents[nvd][summary], cveContents[ubuntu][summary]

Ah, that's deeper structure than I imagined, thanks for clarifying.

hdhoang, Jul 09 '21 04:07
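
The substring filter proposed in the comment above, as an added example that is not part of the thread and is not vuls code: the `Finding` type and the function names are hypothetical, the sample findings are constructed with placeholder IDs, and the patterns are the ones from the proposed `ignoreSummaryPatterns` list. It goes slightly beyond the proposal by skipping blank patterns and recording which pattern suppressed each CVE.

```go
package main

import (
	"fmt"
	"strings"
)

// Finding is a hypothetical stand-in for one reported CVE: ID plus per-source Summary text.
type Finding struct {
	ID        string
	Summaries map[string]string // data source ("nvd", "ubuntu", ...) -> summary
}

// matchPattern returns the first pattern that is a substring of any source's summary.
// Blank patterns never match: strings.Contains(s, "") is true for every s.
func matchPattern(f Finding, patterns []string) (string, bool) {
	for _, p := range patterns {
		for _, summary := range f.Summaries {
			if strings.TrimSpace(p) != "" && strings.Contains(summary, p) {
				return p, true
			}
		}
	}
	return "", false
}

// FilterBySummary returns the findings to keep and, per ignored CVE ID, the pattern that hit.
func FilterBySummary(fs []Finding, patterns []string) (kept []Finding, ignored map[string]string) {
	ignored = map[string]string{}
	for _, f := range fs {
		if p, ok := matchPattern(f, patterns); ok {
			ignored[f.ID] = p
			continue
		}
		kept = append(kept, f)
	}
	return kept, ignored
}

func main() {
	// Constructed findings; the IDs are placeholders, not real CVEs.
	fs := []Finding{
		{ID: "CVE-0000-0001", Summaries: map[string]string{"nvd": "** DISPUTED ** Issue in an example driver."}},
		{ID: "CVE-0000-0002", Summaries: map[string]string{"nvd": "Use after free.", "ubuntu": "Flaw in the f2fs filesystem."}},
		{ID: "CVE-0000-0003", Summaries: map[string]string{"nvd": "Privilege escalation in the scheduler."}},
	}
	kept, ignored := FilterBySummary(fs, []string{"* DISPUTED *", "f2fs filesystem", "drivers/net/wireless", ""})
	fmt.Println(len(kept), ignored)
}
```

Returning the matched pattern alongside each ignored ID keeps a record of why a CVE dropped out of the report, which helps when reviewing whether a broad keyword is hiding findings that still matter.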

Ah, feel free to reopen if people want this feature. Thanks for the effort.

hdhoang, Feb 24 '23 02:02