From 3651b1f94c806f456d7f68c6603877f853f35508 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adolfo=20Garc=C3=ADa=20Veytia=20=28Puerco=29?=
Date: Tue, 22 Aug 2023 21:22:24 -0600
Subject: [PATCH] Add vex-add setting
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This commit adds a new setting to the appconfig struct: vex-add This setting is a list of strings that can take `affected` and `under_investigation` as values. When these are set, grype will add new vex ignore rules that cause ignored results to be moved back to the active matches set when VEX statements with these statuses are matched. This setting does not have a CLI flag. It can only be set by defining the `GRYPE_VEX_ADD` environment variable or directly in the configuration file.

Signed-off-by: Adolfo GarcĂ­a Veytia (Puerco)
---
 cmd/grype/cli/legacy/root.go | 18 ++++++++++++++++++
 internal/config/application.go | 2 ++
 2 files changed, 20 insertions(+)

diff --git a/cmd/grype/cli/legacy/root.go b/cmd/grype/cli/legacy/root.go
index 78735b5eca9a..f8bee6752bab 100644
--- a/cmd/grype/cli/legacy/root.go
+++ b/cmd/grype/cli/legacy/root.go
@@ -373,6 +373,24 @@ func startWorker(userInput string, failOnSeverity *vulnerability.Severity) <-cha
 appConfig.Ignore = append(appConfig.Ignore, ignoreVEXFixedNotAffected...)
 }
 
+ if len(appConfig.VexAdd) > 0 {
+ for _, vexStatus := range appConfig.VexAdd {
+ switch vexStatus {
+ case string(vex.StatusAffected):
+ appConfig.Ignore = append(
+ appConfig.Ignore, match.IgnoreRule{VexStatus: string(vex.StatusAffected)},
+ )
+ case string(vex.StatusUnderInvestigation):
+ appConfig.Ignore = append(
+ appConfig.Ignore, match.IgnoreRule{VexStatus: string(vex.StatusUnderInvestigation)},
+ )
+ default:
+ errs <- fmt.Errorf("invalid VEX status in vex-add setting: %s", vexStatus)
+ return
+ }
+ }
+ }
+
 applyDistroHint(packages, &pkgContext, appConfig)
 
 vulnMatcher := grype.VulnerabilityMatcher{
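Review bot: The `default:` branch reports a rejected vex-add value with `%s` and without naming the accepted statuses, so an empty or whitespace-padded entry — easy to produce when `GRYPE_VEX_ADD` is set from a shell — renders as a blank in the message and the user has to read this switch to learn what is legal; `errs <- fmt.Errorf("invalid VEX status in vex-add setting: %q (expected %s or %s)", vexStatus, vex.StatusAffected, vex.StatusUnderInvestigation)` addresses both. The two `case` arms do the same thing with a constant that already equals `vexStatus`, so they collapse to `case string(vex.StatusAffected), string(vex.StatusUnderInvestigation):` followed by `appConfig.Ignore = append(appConfig.Ignore, match.IgnoreRule{VexStatus: vexStatus})`, and the surrounding `if len(appConfig.VexAdd) > 0` guard is redundant because ranging over an empty slice is already a no-op. These rules are appended to `appConfig.Ignore`, but per the commit message they re-activate matches rather than suppress them, so a one-line comment above the loop stating that would spare the next reader a trip into the match package. startWorker begins and ends outside this hunk.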
diff --git a/internal/config/application.go b/internal/config/application.go
index 82d40aa4521b..7a4b01ca31b5 100644
--- a/internal/config/application.go
+++ b/internal/config/application.go
@@ -58,6 +58,7 @@ type Application struct {
 Name string `yaml:"name" json:"name" mapstructure:"name"`
 DefaultImagePullSource string `yaml:"default-image-pull-source" json:"default-image-pull-source" mapstructure:"default-image-pull-source"`
 VexDocuments []string `yaml:"vex-documents" json:"vex-documents" mapstructure:"vex-documents"`
+ VexAdd []string `yaml:"vex-add" json:"vex-add" mapstructure:"vex-add"` // GRYPE_VEX_ADD
 }
 
 func newApplicationConfig(v *viper.Viper, cliOpts CliOnlyOptions) *Application {
@@ -94,6 +95,7 @@ func (cfg Application) loadDefaultValues(v *viper.Viper) {
 // set the default values for primitive fields in this struct
 v.SetDefault("check-for-app-update", true)
 v.SetDefault("default-image-pull-source", "")
+ v.SetDefault("vex-add", []string{})
 
 // for each field in the configuration struct, see if the field implements the defaultValueLoader interface and invoke it if it does
 value := reflect.ValueOf(cfg)
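Review bot: The new `VexAdd` field carries only the `// GRYPE_VEX_ADD` trailer, yet because this setting has no CLI flag (per the commit message) this struct and the config file are the only places its contract is visible, and nothing here names the two accepted values. A doc comment such as `// VexAdd lists VEX statuses ("affected", "under_investigation") whose matching statements move otherwise ignored results back into the active match set; settable via GRYPE_VEX_ADD or the config file, there is no CLI flag.` would make the field self-describing. The `Application` struct definition begins before this hunk.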
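Review bot: `v.SetDefault("vex-add", []string{})` sits under a comment that says this section sets defaults for primitive fields, and no default for the sibling `vex-documents` slice appears in the visible lines, so a reader will wonder why this slice needs one when its nil zero value already ranges as empty in root.go. If the call is there to register the key so that viper's env binding picks up `GRYPE_VEX_ADD` — plausible, since the commit message says the env var and the config file are the only ways to set it — say so on the line: `v.SetDefault("vex-add", []string{}) // registers the key so GRYPE_VEX_ADD is bound; the empty value itself carries no meaning`. If that is not the reason, the line can be dropped. loadDefaultValues continues past the end of this hunk.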