Grype returns indirect vulnerability matches on 'kernel' source rpms for the 'kernel-headers' rpm for container images that don't have the kernel about grype HOT 5 CLOSED

If possible, I'd prefer to filter to ignored matches rather than opaquely dropping, since the matches are valid based on the data. The issue is the semantics of those specific packages and their known relationships.

from grype.

I've started working on something here to add a new built-in set of ignore rules that would apply by default but able to be skipped via a config option.

from grype.

I've looked into the debian-based case and it looks like the kernel headers packages are less stably-named there so I'll focus my efforts initially on RPM/redhat-based solution and then we can discuss things like if we want to support ignore rules that do a package-name wildcard match (e.g. "linux-headers-*" since debian uses "linux-headers-amd64" and "linux-headers-arm64") so the issue manifests a little bit differently in those distros.

from grype.

Summarizing some offline conversations... a path forward here could be to:

• For RHEL environments only: drop or filter matches that are against kernel-headers and are an indirect match.
• For Debian environments only: drop or filter matches that are against linux-headers and are an indirect match.

The distinction between dropping and filtering (showing up in the ignored matches section) should be considered carefully.

from grype.

note: this still needs an update for the non-rpm cases.

from grype.