fix: preserve VEX justification in applied ignore rules#3479
Open
toller892 wants to merge 1 commit into
When a VEX not_affected or fixed statement matches a status-only ignore rule (no vex-justification specified), the matched rule now inherits the justification from the VEX statement. Previously, the justification was dropped, causing the vex-justification field to be missing from the appliedIgnoreRules in JSON output. Both OpenVEX and CSAF matchingRule functions now enrich returned rules with the statement's justification when the rule's VexJustification is empty. The CSAF justification filter (previously unreachable after an early return) is now checked before enrichment. Fixes anchore#2828
Fixes #2828

Problem

When a VEX `not_affected` or `fixed` statement matches a status-only ignore rule (e.g. `- vex-status: not_affected` without specifying `vex-justification`), the `vex-justification` field is missing from `appliedIgnoreRules` in the JSON output.

The root cause is in both `openvex/implementation.go` and `csaf/implementation.go` `matchingRule` functions: when a user-provided rule matches, it's returned as-is without enriching the `VexJustification` field from the VEX statement.

Additionally, in the CSAF implementation, the justification filter check (lines 209-214) was unreachable because the earlier return at line 206 exits before it.

Fix

Both OpenVEX and CSAF `matchingRule` functions now:

- `VexJustification` is empty

This ensures status-only ignore rules correctly populate `vex-justification` from the matched VEX statement.

Testing

`go test ./grype/vex/... ./grype/presenter/models/ -count=1` — all pass
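A simplified illustration of the corrected matching logic described in this PR, added here as an example and not grype's own code: the `Statement` and `IgnoreRule` types and the `matchingRule` function are hypothetical stand-ins that show the justification filter evaluated before any return and a status-only rule enriched with the statement's justification.

```go
package main

import "fmt"

// Statement is a simplified VEX statement (hypothetical type, not grype's).
type Statement struct {
	Status        string // "not_affected", "fixed", "affected", ...
	Justification string // e.g. "vulnerable_code_not_present"; may be empty
}

// IgnoreRule is a simplified user ignore rule (hypothetical type, not grype's).
type IgnoreRule struct {
	VexStatus        string
	VexJustification string // empty means a status-only rule
}

// matchingRule returns a copy of the first rule that applies to s, with the
// statement's justification filled in when the rule left it empty, or nil.
func matchingRule(rules []IgnoreRule, s Statement) *IgnoreRule {
	if s.Status != "not_affected" && s.Status != "fixed" {
		return nil // only these statuses can suppress a finding
	}
	for _, r := range rules {
		if r.VexStatus != s.Status {
			continue
		}
		// Justification filter runs before any return, so it is reachable.
		if r.VexJustification != "" && r.VexJustification != s.Justification {
			continue
		}
		matched := r // copy: the user's configured rule is not mutated
		if matched.VexJustification == "" {
			matched.VexJustification = s.Justification // enrich status-only rule
		}
		return &matched
	}
	return nil
}

func main() {
	// Constructed sample: a status-only rule and a not_affected statement.
	rules := []IgnoreRule{{VexStatus: "not_affected"}}
	s := Statement{Status: "not_affected", Justification: "vulnerable_code_not_present"}
	if r := matchingRule(rules, s); r != nil {
		fmt.Printf("applied rule: vex-status=%s vex-justification=%s\n", r.VexStatus, r.VexJustification)
	}
}
```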