optiopay / klar

Integration of Clair and Docker Registry
MIT License
507 stars, 140 forks

Filter out accepted findings #49

Closed wurstbrot closed 6 years ago

wurstbrot commented 7 years ago

As a vulnerability manager I would like to filter out risks from the output which I have accepted. Is there a way in klar now, or planned in the near future? As I am not good at golang, I will create a simple bash script to filter out CVEs in case there is no way.

hashmap commented 7 years ago

@wurstbrot Could you elaborate a bit? What is the use case?

elblivion commented 6 years ago

This would be interesting, e.g. I just checked an image we build FROM golang:1.8 and it has 56 high-risk vulns, many of which do not affect us. For example, this particular image will never be running a Mercurial server:

CVE-2017-9462: [High]
Found in: mercurial
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and consequently execute arbitrary code, by using --debugger as a repository name.
https://security-tracker.debian.org/tracker/CVE-2017-9462

Here's an example from clair-scanner: https://github.com/arminc/clair-scanner#example-whitelist-yaml-file

pawelprazak commented 6 years ago

IMO it would be very helpful if we could fail the build only on fixable packages (i.e. packages with a patch released).

quay.io shows that information and I was wondering if clair also provides this info; if yes, I think it should be exposed to a client.

jasonumiker commented 6 years ago

+1 to having a way, perhaps via a whitelist YAML file or something, to allow a build to pass if a certain CVE is detected where the risk is accepted for now.

owms commented 6 years ago

+1 for a whitelist feature. We have CLAIR_THRESHOLD and CLAIR_OUTPUT but these do not provide the granularity that a whitelist would. See the clair-scanner project for an example implementation.
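The following is an added example, written for this page; it is not klar's code (the whitelist klar eventually shipped lives in the project, not here) and not any commenter's script. It shows the two mechanisms the thread asks for side by side: a severity threshold like CLAIR_THRESHOLD, and a whitelist of accepted CVEs, split into a general list and a per-image list in the spirit of the clair-scanner file linked above (that split, the Go types, and the function names are this example's own assumptions). It parses klar's plain-text report in the layout shown in the mercurial finding above, drops accepted CVEs, and exits non-zero only for unaccepted findings at or above the threshold. The report embedded in the code is constructed: only CVE-2017-9462 is real (quoted from the thread); the CVE-0000-* entries are placeholders, not vulnerabilities.

```go
package main

import (
	"fmt"
	"os"
	"regexp"
	"strings"
)

// Vulnerability is one finding parsed from klar's plain-text report.
type Vulnerability struct {
	ID, Severity, Package string
}

// Whitelist maps accepted CVE ids to a written justification, globally and per image.
// The general/per-image split mirrors the clair-scanner file linked in the thread; it is
// an assumption of this example, not klar's own whitelist format.
type Whitelist struct {
	General map[string]string
	Images  map[string]map[string]string
}

// Clair severity ladder, lowest to highest. An unlisted label ranks 0, so an
// unknown threshold string fails on everything rather than silently passing.
var severityRank = map[string]int{
	"Unknown": 1, "Negligible": 2, "Low": 3, "Medium": 4, "High": 5, "Critical": 6, "Defcon1": 7,
}

var headerRe = regexp.MustCompile(`^(CVE-\d{4}-\d+): \[(\w+)\]$`)

// ParseReport splits klar-style text output into findings: a block starts with a
// "CVE-...: [Severity]" line and ends at a blank line. Summary lines outside a block
// (e.g. "Found 3 vulnerabilities") and the description/link lines are skipped, since
// the id, severity and package are all the filter needs.
func ParseReport(report string) []Vulnerability {
	var vulns []Vulnerability
	cur := -1 // index of the block being filled, -1 between blocks
	for _, line := range strings.Split(report, "\n") {
		line = strings.TrimSpace(line)
		if m := headerRe.FindStringSubmatch(line); m != nil {
			vulns = append(vulns, Vulnerability{ID: m[1], Severity: m[2]})
			cur = len(vulns) - 1
			continue
		}
		if cur < 0 {
			continue
		}
		if line == "" {
			cur = -1
		} else if strings.HasPrefix(line, "Found in: ") {
			vulns[cur].Package = strings.TrimPrefix(line, "Found in: ")
		}
	}
	return vulns
}

// Accepted reports whether cve is whitelisted for image, and the recorded reason.
func (w Whitelist) Accepted(image, cve string) (string, bool) {
	if why, ok := w.General[cve]; ok {
		return why, true
	}
	why, ok := w.Images[image][cve] // reading a nil map is safe in Go
	return why, ok
}

// Filter returns the findings that should fail the build (not accepted and at or above
// threshold) and, separately, the ones the whitelist suppressed, so acceptances stay auditable.
func Filter(vulns []Vulnerability, w Whitelist, image, threshold string) (failing, accepted []Vulnerability) {
	for _, v := range vulns {
		if _, ok := w.Accepted(image, v.ID); ok {
			accepted = append(accepted, v)
		} else if severityRank[v.Severity] >= severityRank[threshold] {
			failing = append(failing, v)
		}
	}
	return failing, accepted
}

// sampleReport is constructed in klar's output layout. CVE-2017-9462 is the real advisory
// quoted in the thread; the CVE-0000-* entries are placeholders, not real vulnerabilities.
const sampleReport = `Found 3 vulnerabilities

CVE-2017-9462: [High]
Found in: mercurial
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and consequently execute arbitrary code, by using --debugger as a repository name.
https://security-tracker.debian.org/tracker/CVE-2017-9462

CVE-0000-0001: [Medium]
Found in: placeholder-lib
Placeholder finding used only to exercise the severity threshold.

CVE-0000-0002: [High]
Found in: placeholder-tool
Placeholder finding that is not whitelisted and must still fail the build.
`

func main() {
	wl := Whitelist{General: map[string]string{"CVE-2017-9462": "this image never runs hg serve"}}
	failing, accepted := Filter(ParseReport(sampleReport), wl, "golang:1.8", "High")
	for _, v := range accepted {
		why, _ := wl.Accepted("golang:1.8", v.ID)
		fmt.Printf("accepted %s in %s: %s\n", v.ID, v.Package, why)
	}
	for _, v := range failing {
		fmt.Printf("FAIL %s [%s] in %s\n", v.ID, v.Severity, v.Package)
	}
	if len(failing) > 0 {
		os.Exit(1) // the non-zero exit is what breaks the CI step
	}
}
```

Run as written, it prints the accepted mercurial finding with its justification, reports CVE-0000-0002 as failing, and exits 1; the Medium placeholder is below the High threshold and is neither listed nor fatal. Keeping the justification next to each accepted id, and printing it on every run, is what makes a whitelist defensible later: an entry with no reason is a suppression, not an acceptance.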

hashmap commented 6 years ago

Whitelisting has been implemented in https://github.com/optiopay/klar/pull/98; please try the latest release.