Add vex-add setting

This commit adds a new setting to the appconfig struct: vex-add This setting is a list of strings that can take `affected` and `under_investigation` as values. When these are set, grype will add new vex ignore rules that cause ignored results to be moved back to the active matches set when VEX statements with these statuses are matched. This setting does not have a CLI flag. It can only be set by defining the `GRYPE_VEX_ADD` environment variable or directly in the configuration file. Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
anchore · Aug 23, 2023 · 3651b1f · 3651b1f
1 parent 6253bca
commit 3651b1f
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 0 deletions.
diff --git a/cmd/grype/cli/legacy/root.go b/cmd/grype/cli/legacy/root.go
@@ -373,6 +373,24 @@ func startWorker(userInput string, failOnSeverity *vulnerability.Severity) <-cha
 			appConfig.Ignore = append(appConfig.Ignore, ignoreVEXFixedNotAffected...)
 		}
 
+		if len(appConfig.VexAdd) > 0 {
+			for _, vexStatus := range appConfig.VexAdd {
+				switch vexStatus {
+				case string(vex.StatusAffected):
+					appConfig.Ignore = append(
+						appConfig.Ignore, match.IgnoreRule{VexStatus: string(vex.StatusAffected)},
+					)
+				case string(vex.StatusUnderInvestigation):
+					appConfig.Ignore = append(
+						appConfig.Ignore, match.IgnoreRule{VexStatus: string(vex.StatusUnderInvestigation)},
+					)
+				default:
+					errs <- fmt.Errorf("invalid VEX status in vex-add setting: %s", vexStatus)
+					return
+				}
+			}
+		}
+
 		applyDistroHint(packages, &pkgContext, appConfig)
 
 		vulnMatcher := grype.VulnerabilityMatcher{

diff --git a/internal/config/application.go b/internal/config/application.go
@@ -58,6 +58,7 @@ type Application struct {
 	Name                   string                  `yaml:"name" json:"name" mapstructure:"name"`
 	DefaultImagePullSource string                  `yaml:"default-image-pull-source" json:"default-image-pull-source" mapstructure:"default-image-pull-source"`
 	VexDocuments           []string                `yaml:"vex-documents" json:"vex-documents" mapstructure:"vex-documents"`
+	VexAdd                 []string                `yaml:"vex-add" json:"vex-add" mapstructure:"vex-add"` // GRYPE_VEX_ADD
 }
 
 func newApplicationConfig(v *viper.Viper, cliOpts CliOnlyOptions) *Application {
@@ -94,6 +95,7 @@ func (cfg Application) loadDefaultValues(v *viper.Viper) {
 	// set the default values for primitive fields in this struct
 	v.SetDefault("check-for-app-update", true)
 	v.SetDefault("default-image-pull-source", "")
+	v.SetDefault("vex-add", []string{})
 
 	// for each field in the configuration struct, see if the field implements the defaultValueLoader interface and invoke it if it does
 	value := reflect.ValueOf(cfg)