Closed wurstbrot closed 6 years ago
@wurstbrot Could you elaborate a bit? What is the use case?
This would be interesting, e.g. I just checked an image we build FROM golang:1.8 and it has 56 high risk vulns, many of which do not affect us. For example, this particular image will never be running a Mercurial server:
CVE-2017-9462: [High]
Found in: mercurial
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and consequently execute arbitrary code, by using --debugger as a repository name.
https://security-tracker.debian.org/tracker/CVE-2017-9462
Here's an example from clair-scanner: https://github.com/arminc/clair-scanner#example-whitelist-yaml-file
IMO it would be very helpful if we could fail the build only on fixable/patch released packages.
quay.io shows that information and I was wondering if clair also provides this info; if yes, I think it should be exposed to a client:
+1 to having a way, perhaps via a whitelist YAML file or something, to allow a build to pass if a certain CVE is detected where the risk is accepted for now.
+1 for a whitelist feature. We have CLAIR_THRESHOLD and CLAIR_OUTPUT but these do not provide the granularity that a whitelist would. See the clair-scanner project for an example implementation.
Whitelisting has been implemented in https://github.com/optiopay/klar/pull/98, please try the latest release
As a vulnerability manager I would like to filter out risks from the output which I accepted. Is there a way in klar now, or planned in the near future? As I am not good at golang, I will create a simple bash script to filter out CVEs in case there is no way.