fix: preserve VEX justification in applied ignore rules

grype/vex/csaf/implementation.go

@@ -203,20 +203,20 @@ func matchingRule(ignoreRules []match.IgnoreRule, m match.Match, advMatch *advis
 		// any status with any vulnerability. Alternatively, if the vulnerability
 		// is set, the rule applies if it is the same in the advisory match and the rule.
 		if rule.Vulnerability == "" || advMatch.cve() == rule.Vulnerability {
-			return &rule
-		}
-
-		// If the rule applies to a VEX justification it needs to match the
-		// advisory match statement, note that justifications only apply to not_affected:
-		if matchesVexStatus(advMatch.Status, vexStatus.NotAffected) && rule.VexJustification != "" &&
-			rule.VexJustification != advMatch.statement() {
-			continue
-		}
-
-		if advMatch.cve() == rule.Vulnerability {
+			// If the rule applies to a VEX justification it needs to match the
+			// advisory match statement, note that justifications only apply to not_affected:
+			if matchesVexStatus(advMatch.Status, vexStatus.NotAffected) && rule.VexJustification != "" &&
+				rule.VexJustification != advMatch.statement() {
+				continue
+			}
+			// Preserve the VEX justification from the advisory when the
+			// rule did not specify one (e.g. status-only ignore rules).
+			if rule.VexJustification == "" {
+				rule.VexJustification = advMatch.statement()
+			}
 			return &rule
 		}
 	}
 
 	return nil
-}
+}

grype/vex/openvex/implementation.go

@@ -300,12 +300,20 @@ func matchingRule(ignoreRules []match.IgnoreRule, m match.Match, statement *open
 		// If the vulnerability is blank in the rule it means we will honor
 		// any status with any vulnerability.
 		if rule.Vulnerability == "" {
+			// Preserve the VEX justification from the statement when the
+			// rule did not specify one (e.g. status-only ignore rules).
+			if rule.VexJustification == "" {
+				rule.VexJustification = string(statement.Justification)
+			}
 			return &rule
 		}
 
 		// If the vulnerability is set, the rule applies if it is the same
 		// in the statement and the rule.
 		if statement.Vulnerability.Matches(rule.Vulnerability) {
+			if rule.VexJustification == "" {
+				rule.VexJustification = string(statement.Justification)
+			}
 			return &rule
 		}
 	}
@@ -364,4 +372,4 @@ func (ovm *Processor) AugmentMatches(
 	}
 
 	return remainingMatches, additionalIgnoredMatches, nil
-}
+}

grype/vex/processor_test.go

@@ -134,8 +134,9 @@ func TestProcessor_ApplyVEX(t *testing.T) {
 			wantIgnoredMatches: []match.IgnoredMatch{{
 				Match: libCryptoCVE_2023_1255,
 				AppliedIgnoreRules: []match.IgnoreRule{{
-					Namespace: "vex",
-					VexStatus: string(status.Fixed),
+					Namespace:        "vex",
+					VexJustification: "Class with vulnerable code was removed before shipping.",
+					VexStatus:        string(status.Fixed),
 				}},
 			}},
 		},
@@ -158,9 +159,10 @@ func TestProcessor_ApplyVEX(t *testing.T) {
 			wantIgnoredMatches: []match.IgnoredMatch{{
 				Match: libCryptoCVE_2023_1255,
 				AppliedIgnoreRules: []match.IgnoreRule{{
-					Namespace:     "vex",
-					Vulnerability: "CVE-2023-1255",
-					VexStatus:     string(status.Fixed),
+					Namespace:        "vex",
+					Vulnerability:    "CVE-2023-1255",
+					VexJustification: "Class with vulnerable code was removed before shipping.",
+					VexStatus:        string(status.Fixed),
 				}},
 			}},
 		},
@@ -358,4 +360,4 @@ func TestProcessor_ApplyVEX(t *testing.T) {
 
 		})
 	}
-}
+}