Return results based on severity

[cdhaydensmith]

What would you like to be added:
When conducting vulnerability scan with grype, I would like to filter on severity so grype only returns results that meet a certain criticality threshold. e.g. give me all of my high vulns
Why is this needed:
--severity flag in grype that returns cve's based on severity
Additional context:

[joshbressers]

I'm not sure we want to add this functionality as there are many ways to filter output. It's probably better suited to the templating feature. Would you consider using a template an acceptable way to accomplish this?

For example if I create this template

"NAME","VERSION","ID","SEVERITY"
{{- range .Matches}}
{{- if eq .Vulnerability.Severity "High"}}
"{{.Artifact.Name}}","{{.Artifact.Version}}","{{.Vulnerability.ID}}","{{.Vulnerability.Severity}}"
{{- end }}
{{- end}}

It will only print High findings in CSV format

bress@anchore ➜  grype grype debian:latest -o template -t high.tmpl
 ✔ Vulnerability DB        [no update available]
New version of grype is available: 0.48.0 (currently running: 0.46.0)
 ✔ Parsed image
 ✔ Cataloged packages      [96 packages]
 ✔ Scanned image           [80 vulnerabilities]

"NAME","VERSION","ID","SEVERITY"
"perl-base","5.32.1-4+deb11u2","CVE-2020-16156","High"
"libgcrypt20","1.8.7-6","CVE-2021-33560","High"
"e2fsprogs","1.46.2-2","CVE-2022-1304","High"
"libcom-err2","1.46.2-2","CVE-2022-1304","High"
"libext2fs2","1.46.2-2","CVE-2022-1304","High"
"libss2","1.46.2-2","CVE-2022-1304","High"
"logsave","1.46.2-2","CVE-2022-1304","High"
"libssl1.1","1.1.1n-0+deb11u3","CVE-2022-2097","High"
"libtinfo6","6.2+20201114-2","CVE-2022-29458","High"
"ncurses-base","6.2+20201114-2","CVE-2022-29458","High"
"ncurses-bin","6.2+20201114-2","CVE-2022-29458","High"

[freedom-isnotanarchy]

(1) Thank you.
(2) I really wish there was a better/moreDeveloped example(s) of Templating, in the file Read.md
(3) I'm not sure how to:
{{- if eq .Vulnerability.Severity "Critical" || if eq .Vulnerability.Severity "High" }}

[joshbressers]

This is what you're looking for

"NAME","VERSION","ID","SEVERITY"
{{- range .Matches}}
{{- if or (eq .Vulnerability.Severity "High") (eq .Vulnerability.Severity "Critical")}}
"{{.Artifact.Name}}","{{.Artifact.Version}}","{{.Vulnerability.ID}}","{{.Vulnerability.Severity}}"
{{- end }}
{{- end}}

I'm going to consider this an issue to document this in the README now. It could also be valuable to create a directory of example templates for the various possible outputs.

[georg-ikegps]

It would be great if there could be an example of how to format the filtered output like the original.

Like that little table it currently prints.

[chenbh]

Would it be possible to add this as a severity field to the ignore rules? I also would like to keep the output format in the current table form, but dynamically padding spaces in go templates is a huge pain.

[wagoodman]

We could add a --severity flag, or we could do something more generic and extensible such as:

grype --filter <criteria>
grype --filter 'severity=high'
grype --filter 'severity>=high'

This would allow for more flexibility for the severity options, but also for future filter conditions as well.

grype --filter 'severity>=high' --filter ...

[spiffcs]

Were talking about this in discourse!

Come add your thoughts here:
https://anchorecommunity.discourse.group/t/how-can-we-make-grypes-output-more-focused/57