Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merge config files hierarchically and add support for config profiles #2009

Closed
henrysachs opened this issue Jul 25, 2024 · 7 comments · Fixed by #2194
Closed

Merge config files hierarchically and add support for config profiles #2009

henrysachs opened this issue Jul 25, 2024 · 7 comments · Fixed by #2194
Labels
enhancement New feature or request

Comments

@henrysachs
Copy link

What would you like to be added:

When a Grype config is found in the repository and in the home directory I would like them to be merged

Why is this needed:

I would like to exclude findings on a "global" basis via the file in my home directory and the local ones via the file in the repository

Additional context:

I created a .grype.yaml and one in the .grype/config.yaml location and only the excludes of the first one were respected.

@henrysachs henrysachs added the enhancement New feature or request label Jul 25, 2024
@willmurphyscode
Copy link
Contributor

Hi @henrysachs it sounds like you'd only want to merge ignored vulnerabilities, is that correct? Or are there other parts of the config you'd expect to merge?

@henrysachs
Copy link
Author

@willmurphyscode for my Part merging ignores would be sufficient

@popey
Copy link
Contributor

popey commented Aug 1, 2024

Hey @henrysachs - we discussed this during the latest live stream (at the start).

A few options were discussed. One suggestion raised was VEX support in Grype - which already exists.

Have you considered using this existing functionality to ignore vulnerabilities you're not interested in getting notified about?

You can pass multiple VEX documents to Grype, so you can point to a number of separate documents which may exist in different folders in your hierarchy.

@henrysachs
Copy link
Author

henrysachs commented Aug 1, 2024

Hey @popey,

I can't watch the livestream currently (but nice one exists!). I know about vex and really like it, but unfortunately in my current context I don't know about the exact location of the vex documents because there is no standard about the path to a vex document. But as there is one for Grype I want my users to be able to set a grype config but have a global one too. That's why I would love a "real" merge and not just one for vulnerabilities. It would be even cooler if there was some kind of precedence like the config in the home directory is "winning" over the one in the repository. Hope I could explain myself a bit further and If pointed correctly I would be happy to help out.

PS: I would love to have the same for syft!

@popey
Copy link
Contributor

popey commented Aug 8, 2024

👋 We will discuss this topic at our next Open Source Gardening Live Stream later today. Anyone interested in the topic is welcome to join. All the details are in this thread 🎉

@kzantow
Copy link
Contributor

kzantow commented Aug 14, 2024

We discussed this (a couple times now) and there are still some outstanding questions about exactly what the behavior should be, but to tie some of the discussion together, I've implemented a PR here with one approach that would accomplish, I think, what @henrysachs is asking for (we discussed this on the live stream, and it sounded as though this approach would work): anchore/fangs#51

@kzantow
Copy link
Contributor

kzantow commented Oct 15, 2024

Hey @henrysachs -- if you happen to be itching to try this out, I would love to know that it works for you! #2194

@kzantow kzantow moved this to In Review in OSS Oct 17, 2024
@github-project-automation github-project-automation bot moved this from In Review to Done in OSS Oct 23, 2024
@willmurphyscode willmurphyscode changed the title Merge Configuration Files Merge config files hierarchically and add support for config profiles Oct 28, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
Archived in project
Development

Successfully merging a pull request may close this issue.

5 participants