
Show all vulnerabilities, even suppressed #887

Closed
tafli opened this issue Aug 23, 2022 · 13 comments · Fixed by #966
Labels
enhancement New feature or request good-first-issue Good for newcomers

Comments

@tafli

tafli commented Aug 23, 2022

What would you like to be added:
We're using Grype together with Syft in our CI pipeline to scan built images. We are also using a suppression file to mitigate problems.

However, I haven't found a way to show all unfiltered vulnerabilities of a scan. So I would like to see even the suppressed vulnerabilities in the output list. Maybe a "(suppressed)" should be added after the name.

Why is this needed:
When using Grype in our CI pipeline with suppression, we don't see what is suppressed without looking at the suppression file.

@tafli tafli added the enhancement New feature or request label Aug 23, 2022
@freedom-isnotanarchy

freedom-isnotanarchy commented Aug 25, 2022

(1) Good enhancement. Our company could use this too.
(2) I wonder if this (below) would be preferable?
The "FIXED-IN" field value has "-(suppressed)" appended:

NAME                            INSTALLED            FIXED-IN   TYPE          VULNERABILITY   SEVERITY
geronimo-activation_1.1_spec    1.1-(suppressed)     -          java-archive  CVE-2011-5034   High
geronimo-activation_1.1_spec    1.1-(suppressed)     2.0        java-archive  CVE-2008-0732   Low
geronimo-javamail_1.4_mail      1.8.4-(suppressed)   _          java-archive  CVE-2011-5034   High
geronimo-javamail_1.4_mail      1.8.4-(suppressed)   _          java-archive  CVE-2008-0732   Low

@kzantow
Contributor

kzantow commented Sep 29, 2022

This sounds like a great addition! We would like the default behavior to remain the same but we absolutely accept PRs for things like this!

@spiffcs spiffcs added the good-first-issue Good for newcomers label Oct 6, 2022
@vimalpatel19
Contributor

Hi grype maintainers! I would like to contribute and assist with this.

@kzantow
Contributor

kzantow commented Oct 21, 2022

@vimalpatel19 that would be great! I'd suggest maybe we think about adding (suppressed) to the SEVERITY column as opposed to installed or fixed-in.

@vimalpatel19
Contributor

@kzantow Got it! Before I begin working on this, I just wanted to confirm the context for this:

Instead of not adding the filtered out vulnerabilities to the output list, we will instead include them and append -(suppressed) to the value in the SEVERITY column for those filtered out vulnerabilities when the user passes in a new command line flag such as -a or --all, or something along those lines. Does that sound right?

@kzantow
Contributor

kzantow commented Oct 21, 2022

@vimalpatel19 yeah, something like that... maybe the flag could be --show-suppressed or --include-suppressed?

@freedom-isnotanarchy

freedom-isnotanarchy commented Oct 21, 2022

Regarding "--include-suppressed": I see a certain symmetry below with what Grype has today.
However, you two would know better.
Can you imagine any future "--show-SOMETHING" enhancement possibilities?
@vimalpatel19, @kzantow

--include-suppressed    "Instead of not adding the filtered out vulnerabilities to the output list, we will instead include them "
--exclude               stringArray     exclude paths from being scanned using a glob expression
--only-fixed            ignore matches for vulnerabilities that are not fixed
--only-notfixed         ignore matches for vulnerabilities that are fixed

@vimalpatel19
Contributor

@freedom-isnotanarchy makes sense. I was leaning towards --include-suppressed already before reading your comment!

@vimalpatel19
Contributor

@kzantow do you think we need to implement this flag for just the table output format? Or should it also be implemented for the other output formats that don't already print the suppressed items?

@vimalpatel19
Contributor

@kzantow I have opened up the following pull request above with initial changes. Can you please review when you get a chance?

@kzantow
Contributor

kzantow commented Oct 25, 2022

Just to make sure this issue is updated with the same info as the PR: #966 (comment)

I think we should just update the table to include this 👍

@vimalpatel19
Contributor

Sounds good, I will proceed with just the table output format then!
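As an added illustration of the behaviour settled on above (example code written for this page, not grype's own implementation from #966): ignored matches are dropped from the table by default, and with an include-suppressed option they are kept, with " (suppressed)" appended to the SEVERITY column so a CI log shows what the suppression file hides. The Match and IgnoreRule types and the "empty field matches anything" rule are simplified assumptions, not grype's real types.

```go
package main

import "fmt"

// Match is a simplified stand-in for one grype vulnerability match (hypothetical type).
type Match struct{ Name, Installed, FixedIn, Type, Vulnerability, Severity string }

// IgnoreRule models one suppression-file entry; an empty field matches anything (assumption).
type IgnoreRule struct{ Vulnerability, Package string }

// Suppressed reports whether any ignore rule applies to the match.
func Suppressed(m Match, rules []IgnoreRule) bool {
	for _, r := range rules {
		if (r.Vulnerability == "" || r.Vulnerability == m.Vulnerability) &&
			(r.Package == "" || r.Package == m.Name) {
			return true
		}
	}
	return false
}

// Rows builds table rows. With includeSuppressed false, ignored matches are dropped (today's default);
// with it true they stay and SEVERITY gains a " (suppressed)" marker, so the log shows what was hidden.
func Rows(matches []Match, rules []IgnoreRule, includeSuppressed bool) [][]string {
	var rows [][]string
	for _, m := range matches {
		sev := m.Severity
		if Suppressed(m, rules) {
			if !includeSuppressed {
				continue
			}
			sev += " (suppressed)"
		}
		rows = append(rows, []string{m.Name, m.Installed, m.FixedIn, m.Type, m.Vulnerability, sev})
	}
	return rows
}

func main() {
	// Constructed sample input, echoing the rows quoted earlier in the thread.
	matches := []Match{
		{"geronimo-activation_1.1_spec", "1.1", "-", "java-archive", "CVE-2011-5034", "High"},
		{"geronimo-activation_1.1_spec", "1.1", "2.0", "java-archive", "CVE-2008-0732", "Low"},
	}
	rules := []IgnoreRule{{Vulnerability: "CVE-2008-0732"}}
	for _, r := range Rows(matches, rules, true) {
		fmt.Println(r)
	}
}
```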

@josesa-xx

Seems like this is "always" the default but it shouldn't.
Issue #1053 opened


6 participants