Identify temporary vulnerability exclusions in sections in .grype.yaml#955
Open
elelaysh wants to merge 1 commit into
77d1900 to d64f889
We intend to allow some vulnerabilities temporarily, while keeping a close eye on them.
By allowing a vulnerability as soon as it has been analyzed, the CI status can get back to green and we will be sure to notice new vulnerabilities thereafter.
If we don't allow vulnerabilities temporarily, the check will be "red" more often due to them and we might fail to notice new vulnerabilities.
We shall put those vulnerability ignore lists in `VULNERABILITIES WE ARE STILL MONITORING` and temporary path exclusions in `TEMPORARY EXCLUSIONS`.

We also intend to run scheduled jobs that will run grype without those temporary allow lists, to keep an eye on them and remove them from the list when not needed.
I've not created the scheduled run yet, but made a simple program to remove temporary exclusions from the file.
We would use it like:

```sh
./dev/remove-tmp-grype-exclusions.py .grype.yaml > .grype.clean.yaml && grype -c .grype.clean.yaml ...
```
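As an added example (this is not the PR's `dev/remove-tmp-grype-exclusions.py`, nor part of the original post), here is one way such a filter can work without pulling in a YAML library. It assumes the `ignore:` list is split into sections by upper-case comment lines of at least two words at the list-item indentation (`# VULNERABILITIES WE ARE STILL MONITORING`, `# TEMPORARY EXCLUSIONS`, plus whatever other section names the file uses), and that a section ends at the next such comment at the same indentation or when the indentation drops back below the list. Those conventions, the `SAMPLE_CONFIG` and its `CVE-0000-…` ids are constructed placeholders for the example, not the project's real file or real findings.

```python
#!/usr/bin/env python3
"""Drop the temporary sections of a grype ignore list (added example).

Assumed layout (not stated by the PR): ``ignore:`` is divided into sections
by upper-case comment lines at the list-item indentation, and a section runs
until the next such comment at that indentation or until the indentation
falls back below the list. Everything outside the temporary sections is
copied through byte-for-byte, so the output is still a valid grype config.
"""
import re
import sys
from typing import List, Tuple

TEMPORARY_SECTIONS = {
    "VULNERABILITIES WE ARE STILL MONITORING",
    "TEMPORARY EXCLUSIONS",
}

# A section header: a comment whose text is two or more upper-case words.
# Requiring two words keeps stray comments such as "# TODO" from ending a section.
SECTION_RE = re.compile(r"^(?P<indent>[ ]*)#\s*(?P<name>[A-Z]+(?: [A-Z]+)+)\s*$")


def indent_of(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def strip_temporary_sections(text: str) -> Tuple[str, int]:
    """Return (cleaned_text, number_of_lines_dropped)."""
    out: List[str] = []
    dropped = 0
    in_temp = False
    section_indent = 0
    for line in text.splitlines(keepends=True):
        m = SECTION_RE.match(line)
        if m and not (in_temp and len(m.group("indent")) > section_indent):
            # A header at the section indentation starts a new section;
            # a deeper upper-case comment inside a temporary section is content.
            in_temp = m.group("name") in TEMPORARY_SECTIONS
            section_indent = len(m.group("indent"))
        elif in_temp and line.strip() and indent_of(line) < section_indent:
            # Indentation fell back below the list: the ignore block ended.
            in_temp = False
        if in_temp:
            dropped += 1
        else:
            out.append(line)
    return "".join(_fix_emptied_ignore(out)), dropped


def _fix_emptied_ignore(lines: List[str]) -> List[str]:
    """If every rule under ``ignore:`` was dropped, emit ``ignore: []``.

    A bare ``ignore:`` with nothing under it parses as null, not as an empty
    list, so the empty list is made explicit.
    """
    fixed = []
    for i, line in enumerate(lines):
        if line.strip() == "ignore:":
            rest = [l for l in lines[i + 1:] if l.strip()]
            if not rest or indent_of(rest[0]) <= indent_of(line):
                line = line.replace("ignore:", "ignore: []", 1)
        fixed.append(line)
    return fixed


# Constructed sample modelled on grype's ``ignore:`` list; the CVE ids are
# placeholders, not real findings.
SAMPLE_CONFIG = """\
fail-on-severity: high

ignore:
  # PERMANENT EXCLUSIONS
  - vulnerability: CVE-0000-00001   # placeholder: confirmed false positive
  # VULNERABILITIES WE ARE STILL MONITORING
  - vulnerability: CVE-0000-00002   # placeholder: upstream fix pending
    fix-state: not-fixed
  # TEMPORARY EXCLUSIONS
  - package:
      location: "/usr/share/doc/**"

output: table
"""


def clean_sample() -> Tuple[str, int]:
    return strip_temporary_sections(SAMPLE_CONFIG)


def main(argv: List[str]) -> int:
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            src = fh.read()
    else:
        src = sys.stdin.read()
    cleaned, dropped = strip_temporary_sections(src)
    sys.stdout.write(cleaned)
    print(f"dropped {dropped} temporary line(s)", file=sys.stderr)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as `./strip_tmp.py .grype.yaml > .grype.clean.yaml` it mirrors the usage in the PR; the count on stderr is a cheap sanity check in the scheduled job (zero dropped lines means the sections were not found, and the "clean" scan was really the normal one). Note the trade-off of a line-based filter: it needs the comment headers to sit at exactly the list-item indentation, but in exchange it never reorders keys or rewrites quoting the way a YAML round-trip would, so a diff of the clean file against the original shows only the removed entries.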