grype is showing (suppressed) issues even though they aren't requested. #1053

Closed
josesa-xx opened this issue Jan 6, 2023 · 7 comments · Fixed by #1322
Assignees
Labels
bug Something isn't working

Comments

@josesa-xx

What happened:

When I run grype with only the option "--only-fixed", the output generated includes "(suppressed)" issues even though I'm not using the option "--show-suppressed".

What you expected to happen:
Results with "(suppressed)" should only be shown if explicitly using the option "--show-suppressed"

How to reproduce it (as minimally and precisely as possible):

run grype --only-fixed httpd:2.4.54-alpine

Output I get

 ✔ Vulnerability DB        [no update available]
 ✔ Loaded image
 ✔ Parsed image
 ✔ Cataloged packages      [36 packages]
 ✔ Scanned image           [5 vulnerabilities]
NAME        INSTALLED  FIXED-IN   TYPE  VULNERABILITY   SEVERITY
libcrypto3  3.0.7-r0   3.0.7-r2   apk   CVE-2022-3996   High
libcurl     7.86.0-r1  7.87.0-r0  apk   CVE-2022-43551  Unknown
libcurl     7.86.0-r1  7.87.0-r0  apk   CVE-2022-43552  Unknown
libldap     2.6.3-r6              apk   CVE-2015-3276   Medium (suppressed)   <<< Problem
libssl3     3.0.7-r0   3.0.7-r2   apk   CVE-2022-3996   High

Anything else we need to know?:

Environment:

$ grype version
Application:          grype
Version:              0.55.0
Syft Version:         v0.65.0
BuildDate:            2023-01-04T21:53:44Z
GitCommit:            c559833c7e02aed827773adb4f9677cb398577be
GitDescription:       v0.55.0
Platform:             linux/amd64
GoVersion:            go1.18.9
Compiler:             gc
Supported DB Schema:  5
@josesa-xx josesa-xx added the bug Something isn't working label Jan 6, 2023
@wagoodman
Contributor

Thanks for reporting! We've confirmed the behavior and will get a fix in soon for this.

@miquella

I was looking through the v0.54.0..v0.55.0 diff and noticed this change: https://github.com/anchore/grype/compare/v0.54.0..v0.55.0#diff-e12805a26e8031bd6f10e235003454ad4ebd52a6af6c78c740df26193e41d28dL29-L33

The original code was:

	case tableFormat:
		if presenterConfig.showSuppressed {
			return table.NewPresenter(matches, packages, metadataProvider, ignoredMatches)
		}
		return table.NewPresenter(matches, packages, metadataProvider, nil)

While the updated code looks obviously wrong (since the condition branch is exactly the same):

	case tableFormat:
		if c.showSuppressed {
			return table.NewPresenter(pb)
		}
		return table.NewPresenter(pb)

Naively, it looks like a pb.IgnoredMatches = nil is missing in the non-suppressed branch.
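To make the missing step concrete, here is an added example (not grype's own code) using simplified stand-in types; the names Match, PresenterBundle, buggyBundle, fixedBundle and renderRows are hypothetical, and the sample rows are constructed from the output in the report. It shows the v0.55.0 shape beside the corrected branch that clears the ignored matches when --show-suppressed is not set.

```go
package main

import "fmt"

// Match is a simplified stand-in for a grype vulnerability match (hypothetical, not grype's type).
type Match struct{ Package, Vulnerability, Severity string }

// PresenterBundle plays the role of the "pb" value from the thread: active plus ignored matches.
type PresenterBundle struct{ Matches, IgnoredMatches []Match }

// buggyBundle mirrors the v0.55.0 branch: both paths hand the same bundle to the presenter.
func buggyBundle(pb PresenterBundle, showSuppressed bool) PresenterBundle {
	if showSuppressed {
		return pb
	}
	return pb // nothing cleared: suppressed rows leak into the output
}

// fixedBundle applies the proposed correction: clear IgnoredMatches unless --show-suppressed was given.
func fixedBundle(pb PresenterBundle, showSuppressed bool) PresenterBundle {
	if !showSuppressed {
		pb.IgnoredMatches = nil
	}
	return pb
}

// renderRows formats a bundle the way the table presenter tags rows, marking ignored ones "(suppressed)".
func renderRows(pb PresenterBundle) []string {
	var rows []string
	for _, m := range pb.Matches {
		rows = append(rows, fmt.Sprintf("%s %s %s", m.Package, m.Vulnerability, m.Severity))
	}
	for _, m := range pb.IgnoredMatches {
		rows = append(rows, fmt.Sprintf("%s %s %s (suppressed)", m.Package, m.Vulnerability, m.Severity))
	}
	return rows
}

// sample is constructed from the report's output: a fixable libcurl finding and the ignored libldap row.
var sample = PresenterBundle{
	Matches:        []Match{{"libcurl", "CVE-2022-43551", "Unknown"}},
	IgnoredMatches: []Match{{"libldap", "CVE-2015-3276", "Medium"}},
}

func main() {
	for _, r := range renderRows(fixedBundle(sample, false)) {
		fmt.Println(r) // only the libcurl row; the suppressed libldap row is gone
	}
}
```

Running the same sample through buggyBundle with showSuppressed=false still yields the "(suppressed)" row, which is exactly what the report above shows.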

@spiffcs spiffcs self-assigned this Jan 24, 2023
@spiffcs
Contributor

spiffcs commented Jan 24, 2023

@miquella let me see if I can add that check and get caught up on this issue -

@GaryAllan

Hello,
--only-fixed has been broken since v0.55. The documentation says that the suppressed lines should only be shown with --show-suppressed.

$ docker run --rm anchore/grype:v0.54.0 phpipam/phpipam-www:latest --only-fixed  -q
No vulnerabilities found

$ docker run --rm anchore/grype:v0.55.0 phpipam/phpipam-www:latest --only-fixed  -q
NAME            INSTALLED   FIXED-IN  TYPE  VULNERABILITY   SEVERITY            
libldap         2.6.2-r0              apk   CVE-2015-3276   Medium (suppressed)  
mariadb-client  10.6.12-r0            apk   CVE-2022-47015  Medium (suppressed)  

@jamestran201
Contributor

jamestran201 commented May 28, 2023

👋 @tgerla @spiffcs I would like to take on this issue if it's still up for grabs. Just to clarify, is the default behaviour not to show suppressed vulnerabilities, and adding --show-suppressed will display those vulns tagged with (suppressed)?

@tgerla
Contributor

tgerla commented May 29, 2023

Hi @jamestran201, please do! It's all yours. I believe you are correct, the desired behavior is to not show suppressed vulnerabilities unless the flag is passed, but at the moment the behavior is not correct. Please feel free to stop by our Slack (https://get.anchore.com/join-anchore-community/) and we can help out. Thanks!

@jamestran201
Contributor

@tgerla Thanks! I've opened a PR for this.
