CrosleyZack
Contributor

@CrosleyZack CrosleyZack commented Aug 21, 2025

Removes vulnerabilities from output based on entries in the unaffected tables for the specific package-version. This allows for vulnerabilities identified in a scan target to be removed if remedied by some mechanism, such as a vendor specific package.

In the example below, you can see this operation on a Chainguard version of aiohttp, which has vulnerability GHSA-5h86-8mv2-jq9f in version 3.9.1 but is fixed in the Chainguard-built 3.9.1+cgr.1.

Example:

➜ GRYPE_DB_AUTO_UPDATE="false" go run cmd/grype/main.go ../aiohttp
 ✔ Indexed file system                                                                                                                                       ../aiohttp
 ✔ Cataloged contents                                                                                  596d41bfa3b99862cbd633642d86a058940190a7f9d4733b759e8702a03f815d
   ├── ✔ Packages                        [10 packages]
   ├── ✔ Executables                     [8 executables]
   ├── ✔ File metadata                   [26 locations]
   └── ✔ File digests                    [26 files]
 ✔ Scanned for vulnerabilities     [6 vulnerability matches]
   ├── by severity: 0 critical, 2 high, 3 medium, 1 low, 0 negligible
   └── by status:   6 fixed, 0 not-fixed, 0 ignored
[0000]  WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (whi
NAME     INSTALLED  FIXED IN  TYPE    VULNERABILITY        SEVERITY  EPSS  RISK
aiohttp  3.9.1      3.9.2     python  GHSA-5h86-8mv2-jq9f  High      N/A   N/A
aiohttp  3.9.1      3.9.4     python  GHSA-5m98-qgg9-wh84  High      N/A   N/A
aiohttp  3.9.1      3.9.4     python  GHSA-7gpw-8wmc-pm8g  Medium    N/A   N/A
aiohttp  3.9.1      3.10.11   python  GHSA-8495-4g3g-x7pr  Medium    N/A   N/A
aiohttp  3.9.1      3.9.2     python  GHSA-8qpw-xqxj-h4r2  Medium    N/A   N/A
aiohttp  3.9.1      3.12.14   python  GHSA-9548-qrrj-x5pj  Low       N/A   N/A

➜ GRYPE_DB_AUTO_UPDATE="false" go run cmd/grype/main.go ../aiohttp+cgr1
 ✔ Indexed file system                                                                                                                                  ../aiohttp+cgr1
 ✔ Cataloged contents                                                                                  c0671a3ff6ef54e92fe828891e0b10e2082fe31447d8fba15f0ed9bf2638f220
   ├── ✔ Packages                        [9 packages]
   ├── ✔ Executables                     [8 executables]
   ├── ✔ File metadata                   [25 locations]
   └── ✔ File digests                    [25 files]
 ✔ Scanned for vulnerabilities     [5 vulnerability matches]
   ├── by severity: 0 critical, 1 high, 3 medium, 1 low, 0 negligible
   └── by status:   5 fixed, 0 not-fixed, 0 ignored
[0000]  WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (whi
NAME     INSTALLED    FIXED IN  TYPE    VULNERABILITY        SEVERITY  EPSS  RISK
aiohttp  3.9.1+cgr.1  3.9.4     python  GHSA-5m98-qgg9-wh84  High      N/A   N/A
aiohttp  3.9.1+cgr.1  3.9.4     python  GHSA-7gpw-8wmc-pm8g  Medium    N/A   N/A
aiohttp  3.9.1+cgr.1  3.10.11   python  GHSA-8495-4g3g-x7pr  Medium    N/A   N/A
aiohttp  3.9.1+cgr.1  3.9.2     python  GHSA-8qpw-xqxj-h4r2  Medium    N/A   N/A
aiohttp  3.9.1+cgr.1  3.12.14   python  GHSA-9548-qrrj-x5pj  Low       N/A   N/A
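
The filtering step the PR describes, as an added example that is not grype's own code and not the author's implementation: a small unaffected-match table keyed on package, vulnerability and the exact installed version string, and a filter that drops a finding only when the table has an entry for that exact version. The `Match`, `UnaffectedEntry` and `UnaffectedTable` types, the `SampleMatches` helper (built from the six aiohttp rows in the scan output above) and the single `SampleUnaffected` entry for `3.9.1+cgr.1` are all assumptions constructed for this example. The point it demonstrates beyond the text is why the local label must stay part of the key: PEP 440 treats `3.9.1+cgr.1` and `3.9.1` as the same public version, so a lookup that normalised the label away would also suppress GHSA-5h86-8mv2-jq9f for the unfixed upstream 3.9.1 tree.

```go
package main

import (
	"fmt"
	"strings"
)

// Match is one vulnerability finding as a scanner reports it. These types are
// constructed for this example and are not grype's own.
type Match struct {
	Package       string
	Version       string
	Vulnerability string
}

// UnaffectedEntry records that one exact package version is not affected by
// one vulnerability, for instance because a downstream build carries a
// backported fix that the upstream version string does not reveal.
type UnaffectedEntry struct {
	Package       string
	Version       string // full version string, local label (e.g. "+cgr.1") included
	Vulnerability string
}

// UnaffectedTable indexes entries by (package, vulnerability, exact version).
type UnaffectedTable map[string]struct{}

func entryKey(pkg, vuln, version string) string {
	// Package names and advisory IDs are case-insensitive; the version string is
	// compared verbatim.
	return strings.ToLower(pkg) + "\x00" + strings.ToUpper(vuln) + "\x00" + version
}

// NewUnaffectedTable builds the lookup index from a list of entries.
func NewUnaffectedTable(entries []UnaffectedEntry) UnaffectedTable {
	t := UnaffectedTable{}
	for _, e := range entries {
		t[entryKey(e.Package, e.Vulnerability, e.Version)] = struct{}{}
	}
	return t
}

// IsUnaffected is true only on an exact hit. The local label is deliberately
// part of the key: PEP 440 treats 3.9.1+cgr.1 and 3.9.1 as the same public
// version, but only the +cgr.1 build carries the fix, so matching on the
// public version alone would also suppress the finding for upstream 3.9.1.
func (t UnaffectedTable) IsUnaffected(m Match) bool {
	_, ok := t[entryKey(m.Package, m.Vulnerability, m.Version)]
	return ok
}

// FilterUnaffected splits matches into those to report and those removed by
// the table, so the removals can still be surfaced rather than vanish silently.
func FilterUnaffected(matches []Match, t UnaffectedTable) (kept, removed []Match) {
	for _, m := range matches {
		if t.IsUnaffected(m) {
			removed = append(removed, m)
			continue
		}
		kept = append(kept, m)
	}
	return kept, removed
}

// SampleMatches reproduces the six aiohttp findings from the scan output above
// for the given installed version (constructed from the page's table).
func SampleMatches(version string) []Match {
	ids := []string{
		"GHSA-5h86-8mv2-jq9f", "GHSA-5m98-qgg9-wh84", "GHSA-7gpw-8wmc-pm8g",
		"GHSA-8495-4g3g-x7pr", "GHSA-8qpw-xqxj-h4r2", "GHSA-9548-qrrj-x5pj",
	}
	ms := make([]Match, 0, len(ids))
	for _, id := range ids {
		ms = append(ms, Match{Package: "aiohttp", Version: version, Vulnerability: id})
	}
	return ms
}

// SampleUnaffected is a hypothetical table entry: the Chainguard build
// 3.9.1+cgr.1 carries the fix for GHSA-5h86-8mv2-jq9f that upstream shipped in 3.9.2.
func SampleUnaffected() []UnaffectedEntry {
	return []UnaffectedEntry{
		{Package: "aiohttp", Version: "3.9.1+cgr.1", Vulnerability: "GHSA-5h86-8mv2-jq9f"},
	}
}

func main() {
	table := NewUnaffectedTable(SampleUnaffected())
	for _, v := range []string{"3.9.1", "3.9.1+cgr.1"} {
		kept, removed := FilterUnaffected(SampleMatches(v), table)
		fmt.Printf("aiohttp %-12s reported=%d removed=%d\n", v, len(kept), len(removed))
		for _, m := range removed {
			fmt.Printf("  removed %s (unaffected per table)\n", m.Vulnerability)
		}
	}
}
```

Run with `go run .`: the 3.9.1 tree keeps all six findings, the 3.9.1+cgr.1 tree keeps five and lists GHSA-5h86-8mv2-jq9f as removed, matching the two scans above. Returning the removed set separately is a deliberate choice so that a consumer can count suppressed findings (the "ignored" column in the status line) instead of losing them.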


@CrosleyZack CrosleyZack force-pushed the crosley/add-ignores-from-vex branch 2 times, most recently from 6f5f5d6 to 7ec88fd Compare August 21, 2025 20:27
@CrosleyZack CrosleyZack force-pushed the crosley/add-ignores-from-vex branch from 7ec88fd to 9cd7837 Compare August 21, 2025 20:46
@CrosleyZack CrosleyZack force-pushed the crosley/add-ignores-from-vex branch from 9cd7837 to b972e30 Compare August 21, 2025 20:51
@CrosleyZack CrosleyZack force-pushed the crosley/add-ignores-from-vex branch 4 times, most recently from 4828b09 to f96ef97 Compare August 22, 2025 16:25
@CrosleyZack CrosleyZack force-pushed the crosley/add-ignores-from-vex branch 10 times, most recently from 97a97eb to d5b88c4 Compare August 29, 2025 18:45
@CrosleyZack CrosleyZack changed the title [WIP] feat(grype/matcher): use fix info to add ignore rules feat(grype/matcher): use fix info to add ignore rules Aug 29, 2025
@CrosleyZack CrosleyZack force-pushed the crosley/add-ignores-from-vex branch 2 times, most recently from 69e3538 to 988133d Compare August 29, 2025 19:29
@wagoodman wagoodman force-pushed the crosley/add-ignores-from-vex branch from 9a9534a to c7d924a Compare September 8, 2025 16:44
@CrosleyZack CrosleyZack changed the title feat(grype/matcher): use fix info to add ignore rules feat(grype/matcher): use unaffected match table to remove appropriate vulns Sep 8, 2025
@wagoodman wagoodman merged commit 8a04a09 into anchore:main Sep 8, 2025
12 checks passed

2 participants