feat(vuln): ignore vulnerabilities by PURL (aquasecurity#6178)

Signed-off-by: knqyf263 <knqyf263@gmail.com>

docs/docs/configuration/filtering.md

@@ -335,12 +335,13 @@ For the `.trivyignore.yaml` file, you can set ignored IDs separately for `vulner
 
 Available fields:
 
-| Field      | Required | Type                | Description                                                                                                |
-|------------|:--------:|---------------------|------------------------------------------------------------------------------------------------------------|
-| id         |    ✓     | string              | The identifier of the vulnerability, misconfiguration, secret, or license[^1].                             |
-| paths[^2]  |          | string array        | The list of file paths to be ignored. If `paths` is not set, the ignore finding is applied to all files.   |
-| expired_at |          | date (`yyyy-mm-dd`) | The expiration date of the ignore finding. If `expired_at` is not set, the ignore finding is always valid. |
-| statement  |          | string              | The reason for ignoring the finding. (This field is not used for filtering.)                               |
+| Field      | Required | Type                | Description                                                                                                                                                             |
+|------------|:--------:|---------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| id         |    ✓     | string              | The identifier of the vulnerability, misconfiguration, secret, or license[^1].                                                                                          |
+| paths[^2]  |          | string array        | The list of file paths to ignore. If `paths` is not set, the ignore finding is applied to all files.                                                                    |
+| purls      |          | string array        | The list of PURLs to ignore packages. If `purls` is not set, the ignore finding is applied to all packages. This field is currently available only for vulnerabilities. |
+| expired_at |          | date (`yyyy-mm-dd`) | The expiration date of the ignore finding. If `expired_at` is not set, the ignore finding is always valid.                                                              |
+| statement  |          | string              | The reason for ignoring the finding. (This field is not used for filtering.)                                                                                            |
 
 ```bash
 $ cat .trivyignore.yaml
@@ -352,6 +353,8 @@ vulnerabilities:
   - id: CVE-2023-2650
   - id: CVE-2023-3446
   - id: CVE-2023-3817
+    purls:
+      - "pkg:deb/debian/libssl1.1"
   - id: CVE-2023-29491
     expired_at: 2023-09-01
 

pkg/result/filter.go

@@ -113,7 +113,7 @@ func filterVulnerabilities(result *types.Result, severities []string, ignoreStat
 		}
 
 		// Filter by ignore file
-		if f := ignoreConfig.MatchVulnerability(vuln.VulnerabilityID, result.Target, vuln.PkgPath); f != nil {
+		if f := ignoreConfig.MatchVulnerability(vuln.VulnerabilityID, result.Target, vuln.PkgPath, vuln.PkgIdentifier.PURL); f != nil {
 			result.ModifiedFindings = append(result.ModifiedFindings,
 				types.NewModifiedFinding(vuln, types.FindingStatusIgnored, f.Statement, ignoreConfig.FilePath))
 			continue
@@ -188,9 +188,9 @@ func filterSecrets(result *types.Result, severities []string, ignoreConfig Ignor
 
 func filterLicenses(result *types.Result, severities, ignoreLicenseNames []string, ignoreConfig IgnoreConfig) {
 	// Merge ignore license names into ignored findings
-	var ignoreLicenses IgnoreFindings
+	var ignoreLicenses IgnoreConfig
 	for _, licenseName := range ignoreLicenseNames {
-		ignoreLicenses = append(ignoreLicenses, IgnoreFinding{
+		ignoreLicenses.Licenses = append(ignoreLicenses.Licenses, IgnoreFinding{
 			ID: licenseName,
 		})
 	}
@@ -203,7 +203,7 @@ func filterLicenses(result *types.Result, severities, ignoreLicenseNames []strin
 		}
 
 		// Filter by `--ignored-licenses`
-		if f := ignoreLicenses.Match(l.Name, l.FilePath); f != nil {
+		if f := ignoreLicenses.MatchLicense(l.Name, l.FilePath); f != nil {
 			result.ModifiedFindings = append(result.ModifiedFindings,
 				types.NewModifiedFinding(l, types.FindingStatusIgnored, "", "--ignored-licenses"))
 			continue

pkg/result/filter_test.go

@@ -84,6 +84,31 @@ func TestFilter(t *testing.T) {
 			PkgName:          "foo",
 			InstalledVersion: "1.2.3",
 			FixedVersion:     "1.2.4",
+			PkgIdentifier: ftypes.PkgIdentifier{
+				PURL: &packageurl.PackageURL{
+					Type:      packageurl.TypeGolang,
+					Namespace: "github.com/aquasecurity",
+					Name:      "foo",
+					Version:   "1.2.3",
+				},
+			},
+			Vulnerability: dbTypes.Vulnerability{
+				Severity: dbTypes.SeverityLow.String(),
+			},
+		}
+		vuln7 = types.DetectedVulnerability{
+			VulnerabilityID:  "CVE-2019-0007",
+			PkgName:          "bar",
+			InstalledVersion: "2.3.4",
+			FixedVersion:     "2.3.5",
+			PkgIdentifier: ftypes.PkgIdentifier{
+				PURL: &packageurl.PackageURL{
+					Type:      packageurl.TypeGolang,
+					Namespace: "github.com/aquasecurity",
+					Name:      "bar",
+					Version:   "2.3.4",
+				},
+			},
 			Vulnerability: dbTypes.Vulnerability{
 				Severity: dbTypes.SeverityLow.String(),
 			},
@@ -117,7 +142,7 @@ func TestFilter(t *testing.T) {
 		}
 		secret1 = types.DetectedSecret{
 			RuleID:    "generic-wanted-rule",
-			Severity:  dbTypes.SeverityLow.String(),
+			Severity:  dbTypes.SeverityHigh.String(),
 			Title:     "Secret that should pass filter on rule id",
 			StartLine: 1,
 			EndLine:   2,
@@ -174,30 +199,16 @@ func TestFilter(t *testing.T) {
 					Results: []types.Result{
 						{
 							Vulnerabilities: []types.DetectedVulnerability{
-								vuln1,
+								vuln1, // filtered
 								vuln2,
 							},
 							Misconfigurations: []types.DetectedMisconfiguration{
 								misconf1,
-								misconf2,
+								misconf2, // filtered
 							},
 							Secrets: []types.DetectedSecret{
-								{
-									RuleID:    "generic-critical-rule",
-									Severity:  dbTypes.SeverityCritical.String(),
-									Title:     "Critical Secret should pass filter",
-									StartLine: 1,
-									EndLine:   2,
-									Match:     "*****",
-								},
-								{
-									RuleID:    "generic-low-rule",
-									Severity:  dbTypes.SeverityLow.String(),
-									Title:     "Low Secret should be ignored",
-									StartLine: 3,
-									EndLine:   4,
-									Match:     "*****",
-								},
+								secret1,
+								secret2, // filtered
 							},
 						},
 					},
@@ -222,14 +233,7 @@ func TestFilter(t *testing.T) {
 							misconf1,
 						},
 						Secrets: []types.DetectedSecret{
-							{
-								RuleID:    "generic-critical-rule",
-								Severity:  dbTypes.SeverityCritical.String(),
-								Title:     "Critical Secret should pass filter",
-								StartLine: 1,
-								EndLine:   2,
-								Match:     "*****",
-							},
+							secret1,
 						},
 					},
 				},
@@ -325,7 +329,7 @@ func TestFilter(t *testing.T) {
 							Target: "deployment.yaml",
 							Class:  types.ClassConfig,
 							Misconfigurations: []types.DetectedMisconfiguration{
-								misconf1, // filtered by severity
+								misconf1,
 								misconf2,
 								misconf3,
 							},
@@ -339,7 +343,10 @@ func TestFilter(t *testing.T) {
 						},
 					},
 				},
-				severities: []dbTypes.Severity{dbTypes.SeverityLow},
+				severities: []dbTypes.Severity{
+					dbTypes.SeverityLow,
+					dbTypes.SeverityHigh,
+				},
 				ignoreFile: "testdata/.trivyignore",
 			},
 			want: types.Report{
@@ -377,9 +384,12 @@ func TestFilter(t *testing.T) {
 						Class:  types.ClassConfig,
 						MisconfSummary: &types.MisconfSummary{
 							Successes:  1,
-							Failures:   0,
+							Failures:   1,
 							Exceptions: 1,
 						},
+						Misconfigurations: []types.DetectedMisconfiguration{
+							misconf1,
+						},
 						ModifiedFindings: []types.ModifiedFinding{
 							{
 								Type:    types.FindingTypeMisconfiguration,
@@ -420,12 +430,13 @@ func TestFilter(t *testing.T) {
 								vuln4,
 								vuln5, // ignored
 								vuln6,
+								vuln7, // filtered by PURL
 							},
 						},
 						{
 							Target: "app/Dockerfile",
 							Misconfigurations: []types.DetectedMisconfiguration{
-								misconf1, // filtered by severity
+								misconf1, // ignored
 								misconf2, // ignored
 								misconf3,
 							},
@@ -448,7 +459,10 @@ func TestFilter(t *testing.T) {
 					},
 				},
 				ignoreFile: "testdata/.trivyignore.yaml",
-				severities: []dbTypes.Severity{dbTypes.SeverityLow},
+				severities: []dbTypes.Severity{
+					dbTypes.SeverityLow,
+					dbTypes.SeverityHigh,
+				},
 			},
 			want: types.Report{
 				Results: types.Results{
@@ -477,19 +491,31 @@ func TestFilter(t *testing.T) {
 								Source:  "testdata/.trivyignore.yaml",
 								Finding: vuln5,
 							},
+							{
+								Type:    types.FindingTypeVulnerability,
+								Status:  types.FindingStatusIgnored,
+								Source:  "testdata/.trivyignore.yaml",
+								Finding: vuln7,
+							},
 						},
 					},
 					{
 						Target: "app/Dockerfile",
 						MisconfSummary: &types.MisconfSummary{
 							Successes:  0,
 							Failures:   1,
-							Exceptions: 1,
+							Exceptions: 2,
 						},
 						Misconfigurations: []types.DetectedMisconfiguration{
 							misconf3,
 						},
 						ModifiedFindings: []types.ModifiedFinding{
+							{
+								Type:    types.FindingTypeMisconfiguration,
+								Status:  types.FindingStatusIgnored,
+								Source:  "testdata/.trivyignore.yaml",
+								Finding: misconf1,
+							},
 							{
 								Type:    types.FindingTypeMisconfiguration,
 								Status:  types.FindingStatusIgnored,