@maitrayshah-cb maitrayshah-cb commented Dec 21, 2022

Currently Salus only allows pass/fail based on whether vulnerabilities are found or not. We want to expand this by allowing for more customization, mainly the following:

  • By ID: We want the scan to fail only for certain vulnerability IDs. For example: a scan should only fail if CVE-123 is found but will pass if CVE-XYZ is found.
  • By Severity: We want the scan to fail for a particular severity. For example: a scan should only fail if critical vulnerabilities are found but pass if low / medium vulnerabilities are found.

Scanner Config by ID

scanner_configs:
  BundleAudit:
    exceptions:
      - advisory_id: CVE-2020-26945
        changed_by: security-team
        notes: Currently no patch exists and determined that this vulnerability is not exploitable.
        expiration: "2022-12-31"
    rule:
      type: id
      matches:
        - key: CVE-123
        - key: CVE-XYZ

Scanner Config by Severity

scanner_configs:
  GoOSV:
    exceptions:
      - advisory_id: CVE-2020-26945
        changed_by: security-team
        notes: Currently no patch exists and determined that this vulnerability is not exploitable.
        expiration: "2022-12-31"
    rule:
      type: severity
      matches:
        - key: critical
        - key: high

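As an added illustration of how the proposed schema could be evaluated (example code written for this page, not Salus's own implementation), the Ruby below loads a constructed config in the shape shown above, drops expired exceptions, and decides pass/fail for a scanner's findings under either an `id` or a `severity` rule. The helper names (`active_exception?`, `evaluate_scanner`) and the finding hash layout (`'id'`, `'severity'`) are assumptions, and a scanner with no `rule` keeps today's behaviour of failing on any finding.

```ruby
require 'yaml'
require 'date'

# Constructed sample config mirroring the schema proposed in this PR (not a real Salus file).
SAMPLE_CONFIG = YAML.safe_load(<<~YAML)
  scanner_configs:
    GoOSV:
      exceptions:
        - advisory_id: CVE-2020-26945
          changed_by: security-team
          notes: Currently no patch exists and determined that this vulnerability is not exploitable.
          expiration: "2022-12-31"
      rule:
        type: severity
        matches:
          - key: critical
          - key: high
YAML

# An exception is honoured only until its expiration date (no expiration means it never expires).
def active_exception?(exc, today)
  return true if exc['expiration'].nil?
  Date.parse(exc['expiration']) >= today
end

# Decide whether a scanner's findings should fail the scan under the proposed rule.
# findings: array of { 'id' => 'CVE-...', 'severity' => 'high' } (assumed shape).
# Returns [pass?, failing_findings].
def evaluate_scanner(config, scanner, findings, today: Date.today)
  scfg = config.fetch('scanner_configs', {}).fetch(scanner, {})
  exceptions = (scfg['exceptions'] || []).select { |e| active_exception?(e, today) }
  excepted_ids = exceptions.map { |e| e['advisory_id'] }
  rule = scfg['rule']
  # Exceptions are applied first; with no rule, any remaining finding fails the scan.
  candidates = findings.reject { |f| excepted_ids.include?(f['id']) }
  failing = if rule.nil?
              candidates
            else
              keys = (rule['matches'] || []).map { |m| m['key'].to_s.downcase }
              field = rule['type'] == 'id' ? 'id' : 'severity'
              candidates.select { |f| keys.include?(f[field].to_s.downcase) }
            end
  [failing.empty?, failing]
end
```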
@maitrayshah-cb maitrayshah-cb marked this pull request as draft December 21, 2022 21:09
@maitrayshah-cb maitrayshah-cb changed the title Customize salus yaml Allow Pass/Fail Customization Dec 21, 2022