Add CS_IGNORE_STATUSES setting, implement for Trivy and Grype

James Hebden requested to merge jhebden-add-ignore-wontfix into master

What does this MR do?

This MR adds a new setting / environment variable: CS_IGNORE_STATUSES.

This setting is a comma-delimited list which filters the returned findings from the scanners. Findings where the software vendor (e.g. Red Hat or Debian) has indicated a vulnerability will not be fixed will not be reported when CS_IGNORE_STATUSES is set to will_not_fix, for example.

CS_IGNORE_STATUSES will use a comma delimited list to filter out vulnerabilities matching any status supplied in the list (e.g. which have been marked as "Will not fix" by the vendor). This is desirable because fixes (especially for newer vulnerabilities) often require analysis time to determine impact & whether or not a fix will be issued, as well as things like severity adjustments. Additionally, sometimes vulnerabilities have been assessed as impactful but have simply not had a fix released yet. In these cases, it can be useful to report these findings so developers & security teams can start their own assessment and make plans to mitigate findings in their projects. But it is still desirable to filter out findings for vulnerabilities which have been assessed by the vendor, where a fix will never be released (for example), as the vulnerability is not impactful or exploitable as packaged. In this case, there is no action for developers or security teams and it is helpful to be able to filter only these findings which will not be fixed out of the generated report.

trivy and grype both support ignoring vulnerability states/statuses:

  • trivy allows filtering using the --ignore-status flag (filterable statuses: unknown, not_affected, affected, fixed, under_investigation, will_not_fix, fix_deferred, end_of_life; see docs for more info).

    Support for --ignore-status was added in v0.44.0 in this MR.

  • grype allows filtering using the --ignore-states flag (filterable states: fixed, not-fixed, wont-fix, unknown; see docs for more info).

    Support for --ignore-states was added in v0.72.0 in this MR.

This MR adds support for filtering vulnerabilities using the CS_IGNORE_STATUSES variable for both trivy and grype.

The default for this setting is "", meaning no findings will be filtered out of reports by default. This is so that this change does not impact the current behaviour of the scanners.

Update to setup.sh

grype v0.68.0 introduced a change which causes grype db check to terminate with an exit code of 100 if the db is out of date: https://github.com/anchore/grype/releases/tag/v0.68.0

Because the script executes with set -e, the change breaks the grype setup steps, requiring the use of a guard condition.

Dependencies

Branch update-trivy-to-0.44.1-2023-08-11 would need to be merged and released alongside this to update Trivy to a compatible version, so that --ignore-status would be available. Grype would also need to be updated to v0.72.0, which doesn't seem to have been picked up by automated MR creation yet.

Testing

The following testing was done to verify that the new env var is working as expected: !2918 (comment 1640123135)

What are the relevant issue numbers?

Does this MR meet the acceptance criteria?

Edited by Igor Frenkel
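The two pieces described above, the status filter and the set -e guard, as an added illustration that is not the container-scanning analyzer's own code. It translates a CS_IGNORE_STATUSES value into the per-scanner flag (--ignore-status for trivy, --ignore-states for grype), rejecting any status that is not in the vocabulary the scanner documents so a typo fails loudly instead of silently filtering nothing, and shows one way to tolerate the exit code 100 that grype db check returns for a stale database. The validation step, the function names and the CHECK_CMD hook used to exercise the guard without a grype binary are assumptions; how the analyzer actually places the flag on the command line is not shown on this page.

```shell
#!/bin/sh
# Added example, not the analyzer's own code. Builds scanner flags from
# CS_IGNORE_STATUSES and guards `grype db check` under `set -e`.
set -eu

# Status vocabularies taken from the scanner docs quoted in the MR description.
TRIVY_STATUSES="unknown not_affected affected fixed under_investigation will_not_fix fix_deferred end_of_life"
GRYPE_STATES="fixed not-fixed wont-fix unknown"

# in_list NEEDLE "a b c": succeeds when NEEDLE is one of the space-separated words.
in_list() {
  for w in $2; do
    if [ "$w" = "$1" ]; then return 0; fi
  done
  return 1
}

# build_ignore_args SCANNER STATUSES
# Prints the flag to append to the scanner invocation, or nothing when STATUSES
# is empty (the default, which leaves current behaviour untouched). Statuses the
# scanner does not know are rejected with exit code 1. Stray spaces around the
# commas are tolerated and the validated list is re-joined with plain commas.
build_ignore_args() {
  scanner=$1; statuses=$2
  if [ -z "$statuses" ]; then return 0; fi
  case $scanner in
    trivy) flag=--ignore-status; allowed=$TRIVY_STATUSES ;;
    grype) flag=--ignore-states; allowed=$GRYPE_STATES ;;
    *) echo "unknown scanner: $scanner" >&2; return 2 ;;
  esac
  out=
  for s in $(printf '%s' "$statuses" | tr ',' ' '); do
    if ! in_list "$s" "$allowed"; then
      echo "CS_IGNORE_STATUSES: '$s' is not a valid $scanner status" >&2
      return 1
    fi
    out=${out:+$out,}$s
  done
  printf '%s=%s\n' "$flag" "$out"
}

# check_grype_db [CHECK_CMD]
# Since grype v0.68.0, `grype db check` exits 100 when the db is out of date,
# which would abort a `set -e` script. Run it with the exit status captured so
# only the stale-db case is tolerated (the caller can then update the db);
# any other non-zero code is still treated as a failure and propagated.
# CHECK_CMD is a hypothetical hook so the guard can be exercised without grype.
check_grype_db() {
  check_cmd=${1:-"grype db check"}
  rc=0
  $check_cmd || rc=$?
  case $rc in
    0)   echo "grype db is up to date"; return 0 ;;
    100) echo "grype db is out of date; an update is needed"; return 0 ;;
    *)   echo "grype db check failed with exit code $rc" >&2; return "$rc" ;;
  esac
}

# Example usage, mirroring how CS_IGNORE_STATUSES would feed each scanner:
# build_ignore_args trivy "${CS_IGNORE_STATUSES:-}"
# build_ignore_args grype "${CS_IGNORE_STATUSES:-}"
```

Note that the same CS_IGNORE_STATUSES value cannot be handed to both scanners unchanged when it uses tool-specific spellings (will_not_fix for trivy versus wont-fix for grype); the validation above surfaces that mismatch at setup time rather than at report time.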