Description
What happened:
Using the --fail-on flag doesn't appear to take into account the contents of a VEX document that has been provided using the --vex flag - even if several CVEs have been marked as not_affected in the VEX document, the command still fails when the --fail-on flag is set.
This is inconsistent with the behaviour shown when a .grype.yaml file is used with an ignore block defined, despite VEX documents and the ignore block having similar purposes.
What you expected to happen:
If Grype is invoked with both --vex and --fail-on set, and all CVEs in the scanned image are defined as not_affected in the VEX document, I would expect the command to pass successfully, as it does when all such CVEs are defined in a .grype.yaml ignore block.
How to reproduce it (as minimally and precisely as possible):
Create the following VEX doc and save it as test-vex.json:
```json
{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://openvex.dev/docs/public/vex-cb58dca06abcf3da095d3f5e6126128aeb39b145e57d4eac468483eb75b5c014",
  "author": "Unknown Author",
  "timestamp": "2023-12-18T12:00:54.292255Z",
  "last_updated": "2023-12-18T12:01:58.35081Z",
  "version": 4,
  "statements": [
    {
      "vulnerability": {
        "name": "CVE-2023-42366"
      },
      "timestamp": "2023-12-18T12:00:54.292256Z",
      "products": [
        {
          "@id": "pkg:oci/busybox"
        }
      ],
      "status": "not_affected",
      "justification": "vulnerable_code_not_in_execute_path"
    },
    {
      "vulnerability": {
        "name": "CVE-2023-42365"
      },
      "timestamp": "2023-12-18T12:01:17.799359Z",
      "products": [
        {
          "@id": "pkg:oci/busybox"
        }
      ],
      "status": "not_affected",
      "justification": "vulnerable_code_not_in_execute_path"
    },
    {
      "vulnerability": {
        "name": "CVE-2023-42364"
      },
      "timestamp": "2023-12-18T12:01:41.069995Z",
      "products": [
        {
          "@id": "pkg:oci/busybox"
        }
      ],
      "status": "not_affected",
      "justification": "vulnerable_code_not_in_execute_path"
    },
    {
      "vulnerability": {
        "name": "CVE-2023-42363"
      },
      "timestamp": "2023-12-18T12:01:58.35081Z",
      "products": [
        {
          "@id": "pkg:oci/busybox"
        }
      ],
      "status": "not_affected",
      "justification": "vulnerable_code_not_in_execute_path"
    }
  ]
}
```
Using the --vex flag with the JSON file above to filter out the CVEs works as expected:
```
➜ ~ grype busybox:1.36.1@sha256:b920f79ed6b477f64b7cbce0c4458ba09ffdbf8c8dbd025bc8bf5baa999255e3 --vex test-vex.json
 ✔ Vulnerability DB                [no update available]
 ✔ Loaded image                    busybox:1.36.1@sha256:b920f79ed6b477f64b7cbce0c4458ba09ffdbf8c8dbd025bc8bf5baa999255e3
 ✔ Parsed image                    sha256:a6969cfac53d7d994eabab99ef8080b8495ae7ddd34731128718316797c2244b
 ✔ Cataloged packages              [1 packages]
 ✔ Scanned for vulnerabilities     [0 vulnerability matches]
   ├── by severity: 0 critical, 0 high, 4 medium, 0 low, 0 negligible
   └── by status:   0 fixed, 4 not-fixed, 4 ignored
No vulnerabilities found
```
However, if you set the --fail-on flag, the --vex flag is ignored and the vulnerabilities reappear.
```
➜ ~ grype busybox:1.36.1@sha256:b920f79ed6b477f64b7cbce0c4458ba09ffdbf8c8dbd025bc8bf5baa999255e3 --vex test-vex.json --fail-on medium
 ✔ Vulnerability DB                [no update available]
 ✔ Loaded image                    busybox:1.36.1@sha256:b920f79ed6b477f64b7cbce0c4458ba09ffdbf8c8dbd025bc8bf5baa999255e3
 ✔ Parsed image                    sha256:a6969cfac53d7d994eabab99ef8080b8495ae7ddd34731128718316797c2244b
 ✔ Cataloged packages              [1 packages]
 ✘ Scan for vulnerabilities        [4 vulnerability matches]
   ├── by severity: 0 critical, 0 high, 4 medium, 0 low, 0 negligible
   └── by status:   0 fixed, 4 not-fixed, 0 ignored
NAME     INSTALLED  FIXED-IN  TYPE    VULNERABILITY   SEVERITY
busybox  1.36.1               binary  CVE-2023-42366  Medium
busybox  1.36.1               binary  CVE-2023-42365  Medium
busybox  1.36.1               binary  CVE-2023-42364  Medium
busybox  1.36.1               binary  CVE-2023-42363  Medium
1 error occurred:
	* discovered vulnerabilities at or above the severity threshold
```
However, if a .grype.yaml is created with the same CVEs listed in an ignore block, those CVEs are ignored. Create a .grype.yaml with the following:
```yaml
ignore:
  - vulnerability: CVE-2023-42366
  - vulnerability: CVE-2023-42365
  - vulnerability: CVE-2023-42364
  - vulnerability: CVE-2023-42363
```
And then invoke Grype with --fail-on set:
```
➜ ~ grype busybox:1.36.1@sha256:b920f79ed6b477f64b7cbce0c4458ba09ffdbf8c8dbd025bc8bf5baa999255e3 --fail-on medium
 ✔ Vulnerability DB                [no update available]
 ✔ Loaded image                    busybox:1.36.1@sha256:b920f79ed6b477f64b7cbce0c4458ba09ffdbf8c8dbd025bc8bf5baa999255e3
 ✔ Parsed image                    sha256:a6969cfac53d7d994eabab99ef8080b8495ae7ddd34731128718316797c2244b
 ✔ Cataloged packages              [1 packages]
 ✔ Scanned for vulnerabilities     [0 vulnerability matches]
   ├── by severity: 0 critical, 0 high, 4 medium, 0 low, 0 negligible
   └── by status:   0 fixed, 4 not-fixed, 0 ignored
No vulnerabilities found
```
cc @puerco
Environment:
- Output of `grype version`:

```
➜ ~ grype version
Application:          grype
Version:              0.73.4
BuildDate:            2023-11-30T14:32:13Z
GitCommit:            a4bced160291e81dbdeaa415d20e64b8741ee00d
GitDescription:       v0.73.4
Platform:             darwin/arm64
GoVersion:            go1.21.4
Compiler:             gc
Syft Version:         v0.98.0
Supported DB Schema:  5
```

- OS (e.g: `cat /etc/os-release` or similar): MacOS Ventura 13.6.3
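The ordering the report expects, as a small added Go model that is not Grype's own code: VEX `not_affected` statements are subtracted from the match set first, and only what remains is compared against the `--fail-on` threshold. The VEX document and match list are constructed samples built from the four busybox CVEs above; `severityRank` and the field names are this example's own assumptions, not Grype's internal types.

```go
package main

import (
	"encoding/json"
	"strings"
)

// vexStatement holds the only OpenVEX statement fields this check reads.
type vexStatement struct {
	Vulnerability struct{ Name string `json:"name"` } `json:"vulnerability"`
	Status        string                             `json:"status"`
}
// match is one scanner finding, as grype's results table lists it.
type match struct{ ID, Severity string }
// Assumed ordering of grype's severity labels, lowest to highest.
var severityRank = map[string]int{"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

// Constructed samples: the report's four busybox CVEs as not_affected VEX statements, and as the four Medium matches grype printed.
const sampleVEX = `{"@context":"https://openvex.dev/ns/v0.2.0","statements":[
 {"vulnerability":{"name":"CVE-2023-42366"},"status":"not_affected"},
 {"vulnerability":{"name":"CVE-2023-42365"},"status":"not_affected"},
 {"vulnerability":{"name":"CVE-2023-42364"},"status":"not_affected"},
 {"vulnerability":{"name":"CVE-2023-42363"},"status":"not_affected"}]}`
var sampleMatches = []match{{"CVE-2023-42366", "Medium"}, {"CVE-2023-42365", "Medium"}, {"CVE-2023-42364", "Medium"}, {"CVE-2023-42363", "Medium"}}

// notAffected returns the vulnerability IDs a VEX document marks not_affected.
func notAffected(vexJSON []byte) (map[string]bool, error) {
	var doc struct{ Statements []vexStatement `json:"statements"` }
	if err := json.Unmarshal(vexJSON, &doc); err != nil {
		return nil, err
	}
	ignored := map[string]bool{}
	for _, s := range doc.Statements {
		if s.Status == "not_affected" {
			ignored[s.Vulnerability.Name] = true
		}
	}
	return ignored, nil
}

// shouldFail drops VEX-ignored matches first, then counts those still at or above --fail-on.
// Passing nil for ignored reproduces the reported behaviour: the gate runs on the unfiltered set.
func shouldFail(matches []match, ignored map[string]bool, failOn string) (bool, int) {
	threshold, above := severityRank[strings.ToLower(failOn)], 0
	for _, m := range matches {
		if !ignored[m.ID] && severityRank[strings.ToLower(m.Severity)] >= threshold {
			above++
		}
	}
	return above > 0, above
}
```

With the VEX set applied, `shouldFail(sampleMatches, ignored, "medium")` returns `false, 0`; with `nil` in its place it returns `true, 4`, which is the exit the report shows.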