feat: add ignore support

Signed-off-by: Christian Kotzbauer <[email protected]>

README.md

@@ -51,6 +51,7 @@ All parameters are cli-flags.
 | `cron` | `false` | `@hourly` | Backround-Service interval (CRON). All options from [github.com/robfig/cron](https://github.com/robfig/cron) are allowed |
 | `sources` | `false` | `git` | Comma-delimited list of sources to gather SBOMs from. Possible source currently only `git` |
 | `targets` | `false` | `json` | Comma-delimited list of targets to sent vulnerability-data to. Possible targets `json`, `metrics` |
+| `grype-config-file` | `false` | `""` | Path to grype-config-file to specify ignore-rules. |
 | `only-fixed` | `false` | `false` | Only report CVEs where a fix is available. |
 | `min-severity` | `false` | `medium` | Only report CVEs with a severity greater or equal (negligible, low, medium, high, critical). |
 | `git-workingtree` | `false` | `/work` | Directory to place the git-repo. |

go.mod

@@ -151,5 +151,5 @@ require (
 	golang.org/x/sys v0.0.0-20220209214540-3681064d5158 // indirect
 	golang.org/x/text v0.3.7 // indirect
 	gopkg.in/ini.v1 v1.66.4 // indirect
-	gopkg.in/yaml.v2 v2.4.0 // indirect
+	gopkg.in/yaml.v2 v2.4.0
 )

internal/vuln/config.go

@@ -1,16 +1,17 @@
 package vuln
 
 var (
-	ConfigKeyVerbosity      = "verbosity"
-	ConfigKeyCron           = "cron"
-	ConfigKeySources        = "sources"
-	ConfigKeyTargets        = "targets"
-	ConfigKeyOnlyFixed      = "only-fixed"
-	ConfigKeyMinSeverity    = "min-severity"
-	ConfigKeyGitWorkingTree = "git-workingtree"
-	ConfigKeyGitRepository  = "git-repository"
-	ConfigKeyGitBranch      = "git-branch"
-	ConfigKeyGitPath        = "git-path"
-	ConfigKeyGitAccessToken = "git-access-token"
-	ConfigKeyReportsDir     = "reports-dir"
+	ConfigKeyVerbosity       = "verbosity"
+	ConfigKeyCron            = "cron"
+	ConfigKeySources         = "sources"
+	ConfigKeyTargets         = "targets"
+	ConfigKeyGrypeConfigFile = "grype-config-file"
+	ConfigKeyOnlyFixed       = "only-fixed"
+	ConfigKeyMinSeverity     = "min-severity"
+	ConfigKeyGitWorkingTree  = "git-workingtree"
+	ConfigKeyGitRepository   = "git-repository"
+	ConfigKeyGitBranch       = "git-branch"
+	ConfigKeyGitPath         = "git-path"
+	ConfigKeyGitAccessToken  = "git-access-token"
+	ConfigKeyReportsDir      = "reports-dir"
 )

internal/vuln/daemon/daemon.go

@@ -68,7 +68,13 @@ func (c *CronService) runBackgroundService() {
 		t.Initialize()
 	}
 
-	gr := grype.New()
+	gr, err := grype.New()
+
+	if err != nil {
+		c.printNextExecution()
+		running = false
+		return
+	}
 
 	for _, sbom := range sboms {
 		vulns, err := gr.ScanSbom(sbom)

internal/vuln/grype/grype.go

@@ -16,15 +16,46 @@ import (
 	"github.com/ckotzbauer/vulnerability-operator/internal/vuln/source"
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/viper"
+	"gopkg.in/yaml.v2"
 )
 
 type Grype struct {
 	provider         vulnerability.Provider
 	metadataProvider vulnerability.MetadataProvider
 	kubeClient       *kubernetes.KubeClient
+	config           grypeConfig
 }
 
-func New() Grype {
+type grypeConfig struct {
+	Ignore []match.IgnoreRule `yaml:"ignore"`
+}
+
+func New() (Grype, error) {
+	grypeConfigFile := viper.GetString(vuln.ConfigKeyGrypeConfigFile)
+	grypeCfg := grypeConfig{}
+
+	if grypeConfigFile != "" {
+		_, err := os.Stat(grypeConfigFile)
+		if err == nil {
+			data, err := os.ReadFile(grypeConfigFile)
+			if err != nil {
+				logrus.WithError(err).Errorf("Count not load grype-config-file at %s", grypeConfigFile)
+				return Grype{}, err
+			}
+
+			err = yaml.Unmarshal(data, &grypeCfg)
+			if err != nil {
+				logrus.WithError(err).Error("Failed to unmarshal the grype-config")
+				return Grype{}, err
+			}
+		}
+
+		if err != nil {
+			logrus.Error(err)
+			return Grype{}, err
+		}
+	}
+
 	config := db.Config{
 		ListingURL: "https://toolbox-data.anchore.io/grype/databases/listing.json",
 		DBRootDir:  "/tmp/grype/db",
@@ -34,12 +65,12 @@ func New() Grype {
 	provider, metadataProvider, dbStatus, err := grype.LoadVulnerabilityDB(config, true)
 	if err = validateDBLoad(err, dbStatus); err != nil {
 		logrus.Error(err)
-		return Grype{}
+		return Grype{}, err
 	}
 
 	client := kubernetes.NewClient()
 
-	return Grype{provider: provider, metadataProvider: metadataProvider, kubeClient: client}
+	return Grype{provider: provider, metadataProvider: metadataProvider, kubeClient: client, config: grypeCfg}, nil
 }
 
 func (s *Grype) ScanSbom(sbom source.Sbom) ([]Vulnerability, error) {
@@ -63,7 +94,8 @@ func (s *Grype) ScanSbom(sbom source.Sbom) ([]Vulnerability, error) {
 	}
 
 	allMatches := grype.FindVulnerabilitiesForPackage(s.provider, context.Distro, packages...)
-	vulns := s.buildVulnerabilities(allMatches, sbom.ImageID)
+	remainingMatches, _ := match.ApplyIgnoreRules(allMatches, s.config.Ignore)
+	vulns := s.buildVulnerabilities(remainingMatches, sbom.ImageID)
 	return filterVulnerabilities(vulns), nil
 }
 

main.go

@@ -53,6 +53,7 @@ func init() {
 	rootCmd.PersistentFlags().StringVarP(&daemonCron, vuln.ConfigKeyCron, "c", "@hourly", "Backround-Service interval (CRON)")
 	rootCmd.PersistentFlags().StringSlice(vuln.ConfigKeySources, []string{"git"}, "Comma-delimited list of sources to gather SBOMs from (git).")
 	rootCmd.PersistentFlags().StringSlice(vuln.ConfigKeyTargets, []string{"json"}, "Comma-delimited list of targets to sent vulnerability-data to (json, metrics).")
+	rootCmd.PersistentFlags().String(vuln.ConfigKeyGrypeConfigFile, "", "Path to grype-config-file to specify ignore-rules.")
 	rootCmd.PersistentFlags().Bool(vuln.ConfigKeyOnlyFixed, false, "Only report CVEs where a fix is available.")
 	rootCmd.PersistentFlags().String(vuln.ConfigKeyMinSeverity, "medium", "Only report CVEs with a severity greater or equal (negligible, low, medium, high, critical).")
 	rootCmd.PersistentFlags().String(vuln.ConfigKeyGitWorkingTree, "/work", "Directory to place the git-repo.")