Filter out accepted findings about klar HOT 6 CLOSED

Whitelisting has been implemented in #98, please try the latest release

from klar.

@wurstbrot Could you elaborate a bit? What is the use case?

from klar.

This would be interesting, e.g. I just checked an image we build FROM golang:1.8 and it has 56 high risk vulns, many of which do not affect us. For example, this particular image will never be running a Mercurial server:

CVE-2017-9462: [High]
Found in: mercurial
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and consequently execute arbitrary code, by using --debugger as a repository name.
https://security-tracker.debian.org/tracker/CVE-2017-9462

Here's an example from clair-scanner: https://github.com/arminc/clair-scanner#example-whitelist-yaml-file

from klar.

IMO it would be very helpful if we could fail the build only on fixable/patch released packages.

quay.io shows that information and I was wondering if clair also provide this info, if yes I think it should be exposed to a client:

from klar.

+1 to having a way, perhaps via a whitelist YAML file or something, to allow a build to pass if a certain CVE is detected where the risk is accepted for now.

from klar.

+1 for a whitelist feature. We have CLAIR_THRESHOLD and CLAIR_OUTPUT but these do not provide the granularity that a whitelist would. See the clair-scanner project for an example implementation.

from klar.