Vulnerability Whitelisting via API

[zach-griffin]

Hi! Its currently possible to exempt a CVE ID from the console, but those CVEs are still accounted for in the scoring of this script. Is it possible to modify it so we pull the CVE IDs that are exempted in the report and then add this block to get_alerts_vuln():

if cve in exemptedCVEs: critical_score = 0 high_score = 0 medium_score = 0 low_score = 0

This would let us manage whitelisted vulnerabilities or those that we accept risk for from the console while not impacting CI/CD workflows. The score for any whitelisted CVE would be set to 0 and not be a cause for deployment failure.

[ffalor]

I can see the value in this @redhatrises @isimluk if you agree I don't mind doing the work to add this ability

[isimluk]

@ffalor. I agree. This would be super valuable to add.

[snazy2000]

Just wondered if there was any eta on this being implemented?

I had a look at the report and it doesn't currently look like the exempted CVEs are being shown in the API response which is a shame as I was going to implement the code to skip them but cant do that without the response in API.

[ffalor]

@snazy2000 that seems the case. There isn't currently an API that returns the list of exclusions.

Originally, I thought this issue was referring to a local list of exclusions that can be passed in vis the CLI or some dot file.

That may be the only possible solution until an endpoint is provided that gives the list of excluded CVE's.

[YvesEarnix]

@ffalor I create a PR to allow to exclude CVE's from a local file
#109