We should figure out a way to disambiguate "exclude" as a coined term within Syft and Grype. We're also using "exclude" to refer to a slightly different functionality from Grype's ignore rules, referring instead to omitting certain file paths from Syft/Grype's scan in the first place. See #221
What would you like to be added:
Ability to exclude items from the reports -- quite possibly ported and/or moved from the Grype excludes.
Why is this needed:
Some projects include only a small portion of a library that may be reported as vulnerable. It is not accurate to report these as "included".
Additional context:
Talking with the containerd folks, there are some packages which could result in false positive vulnerability scans, or even be somewhat falsely reported as included because they are only using one package out of many. It would be very useful to prescriptively exclude certain results: https://cloud-native.slack.com/archives/CGEQHPYF4/p1634051863179900?thread_ts=1633986885.169500&cid=CGEQHPYF4