Merge Configuration Files #2009

Open
henrysachs opened this issue Jul 25, 2024 · 6 comments
Labels
enhancement New feature or request needs-discussion

Comments

@henrysachs (Author) commented Jul 25, 2024

What would you like to be added:

When a Grype config is found in the repository and in the home directory I would like them to be merged

Why is this needed:

I would like to exclude findings on a "global" basis via the file in my home directory and the local ones via the file in the repository

Additional context:

I created a .grype.yaml and one in the .grype/config.yaml location and only the excludes of the first one were respected.

henrysachs added the enhancement (New feature or request) label Jul 25, 2024

@willmurphyscode (Contributor)

Hi @henrysachs it sounds like you'd only want to merge ignored vulnerabilities, is that correct? Or are there other parts of the config you'd expect to merge?

@henrysachs (Author)

@willmurphyscode for my part, merging ignores would be sufficient.

@popey (Contributor) commented Aug 1, 2024

Hey @henrysachs - we discussed this during the latest live stream (at the start).

A few options were discussed. One suggestion raised was VEX support in Grype - which already exists.

Have you considered using this existing functionality to ignore vulnerabilities you're not interested in getting notified about?

You can pass multiple VEX documents to Grype, so you can point to a number of separate documents which may exist in different folders in your hierarchy.
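
As an added example, not code from this thread or from the Grype project, the script below shows one way to do what popey describes: walk from the repository directory up to a boundary such as $HOME, collect every OpenVEX document found along the way, and hand each one to Grype with its own `--vex` flag. Two things are assumptions of this example rather than facts from the page: the file name `vex.openvex.json` is a convention chosen here (the thread itself notes there is no standard path for VEX documents), and `--vex` is taken to be repeatable once per document, which is how the comment above describes passing several documents. The two VEX documents the script writes are constructed sample data with placeholder vulnerability names and a placeholder product; Grype itself is not invoked by the demonstration at the bottom, only by `run_grype_with_vex` when a reader calls it.

```shell
#!/bin/sh
# Added example, not Grype project code. Collect OpenVEX documents from a
# directory hierarchy and hand each one to Grype with its own --vex flag.
#
# Assumptions (not stated in the thread):
#   * each VEX document is named vex.openvex.json (a local convention);
#   * Grype's --vex flag may be repeated once per document.
set -eu

# collect_vex_args START STOP
# Walk from START up to and including STOP, printing "--vex" and the path of
# each vex.openvex.json found, one item per line, nearest directory first.
# STOP bounds the search so unrelated parents of the repository are skipped.
collect_vex_args() {
  dir=$1
  stop=$2
  while :; do
    if [ -f "$dir/vex.openvex.json" ]; then
      printf '%s\n%s\n' --vex "$dir/vex.openvex.json"
    fi
    [ "$dir" = "$stop" ] && break
    [ "$dir" = / ] && break
    dir=$(dirname "$dir")
  done
}

# write_openvex PATH ID VULN PRODUCT
# Write a minimal constructed OpenVEX document with one not_affected statement.
# VULN and PRODUCT are placeholders supplied by the caller, not real findings.
write_openvex() {
  cat > "$1" <<EOF
{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "$2",
  "author": "example-author",
  "timestamp": "2024-08-01T00:00:00Z",
  "version": 1,
  "statements": [
    {
      "vulnerability": { "name": "$3" },
      "products": [ { "@id": "$4" } ],
      "status": "not_affected",
      "justification": "vulnerable_code_not_present"
    }
  ]
}
EOF
}

# run_grype_with_vex TARGET [START] [STOP]
# Scan TARGET with Grype, adding every VEX document found between START
# (default: current directory) and STOP (default: $HOME).
run_grype_with_vex() {
  target=$1
  start=${2:-$PWD}
  stop=${3:-$HOME}
  set -- "$target"
  # Read one item per line and disable globbing so paths with spaces or
  # wildcard characters reach grype unchanged.
  old_ifs=$IFS
  IFS='
'
  set -f
  for item in $(collect_vex_args "$start" "$stop"); do
    set -- "$@" "$item"
  done
  set +f
  IFS=$old_ifs
  grype "$@"
}

# Demonstration on a constructed tree: a "global" document two levels above
# the repository and a repository-local one. Placeholder identifiers only.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/home/work/repo"
write_openvex "$demo_root/home/vex.openvex.json" \
  "https://example.invalid/vex/global" "CVE-0000-0001" "pkg:example/demo@1.0.0"
write_openvex "$demo_root/home/work/repo/vex.openvex.json" \
  "https://example.invalid/vex/repo" "CVE-0000-0002" "pkg:example/demo@1.0.0"
echo "Arguments that would be appended to the grype command line:"
collect_vex_args "$demo_root/home/work/repo" "$demo_root/home"
rm -rf "$demo_root"
```

Calling `run_grype_with_vex alpine:3.19 "$PWD"` from inside a repository would therefore scan the image with the repository's document and any document in the directories between it and the home directory, which gives the "global plus local" split the issue asks for without Grype having to merge configuration files. Because the walk stops at STOP, a VEX document placed above the home directory is not picked up.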

@henrysachs (Author) commented Aug 1, 2024

Hey @popey,

I can't watch the livestream currently (but nice that one exists!). I know about VEX and really like it, but unfortunately in my current context I don't know the exact location of the VEX documents, because there is no standard for the path to a VEX document. But as there is one for Grype, I want my users to be able to set a Grype config but have a global one too. That's why I would love a "real" merge and not just one for vulnerabilities. It would be even cooler if there was some kind of precedence, like the config in the home directory "winning" over the one in the repository. I hope I could explain myself a bit further, and if pointed in the right direction I would be happy to help out.

PS: I would love to have the same for syft!

@popey (Contributor) commented Aug 8, 2024

👋 We will discuss this topic at our next Open Source Gardening Live Stream later today. Anyone interested in the topic is welcome to join. All the details are in this thread 🎉

@kzantow (Contributor) commented Aug 14, 2024

We discussed this (a couple times now) and there are still some outstanding questions about exactly what the behavior should be, but to tie some of the discussion together, I've implemented a PR here with one approach that would accomplish, I think, what @henrysachs is asking for (we discussed this on the live stream, and it sounded as though this approach would work): anchore/fangs#51
