Hello!
What would you like to be added:
In the yaml config to ignore certain vulnerabilities, it would be nice if we could also add the reason why we ignore the vulnerabilities. This information would really help us create automated security reports about our images. Here is an easy example (it only shows the requested feature; the example rule itself does not make sense):
.grype.yaml:
```yaml
ignore:
  - vulnerability: CVE-2010-0733
    reason: This vulnerability is not relevant in our application, because the vulnerability is only a problem under certain circumstances, that are not present in our application.
```
Then in our output template, we would love to be able to use this reason:
myTemplate.tmpl:
```
<p>
The following vulnerabilities are considered irrelevant:
<ul>
{{- range .IgnoredMatches}}
{{- /* AppliedIgnoreRules is a list, so the reason is read from each applied rule */}}
<li>{{.Vulnerability.ID}} ({{range .AppliedIgnoreRules}}{{.Reason}}{{end}})</li>
{{- end}}
</ul>
</p>
```
The output should then look like this:
The following vulnerabilities are considered irrelevant:
- CVE-2010-0733 (This vulnerability is not relevant in our application, because the vulnerability is only a problem under certain circumstances, that are not present in our application.)
Why is this needed:
Documenting the reason for an ignore rule would help third parties understand why we decided to ignore some vulnerabilities. Therefore it would be really helpful for us to be able to use the reason field in an output template, so we can generate the reasons into our security reports.
Kind regards
Timo
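The report generation described in this request, as an added example that is not part of the issue or of grype's own code: it parses a grype-style JSON document in which each entry of `ignoredMatches[].appliedIgnoreRules[]` carries the requested `reason` key (an assumption; the struct types below are a reduced mirror of that layout, and the JSON input is constructed, not real scan output). It renders the "considered irrelevant" list with Go's `text/template`, ranging over the applied rules because that field is a list, and it separately flags ignored vulnerabilities whose rules record no reason, so a report pipeline can refuse to publish unjustified suppressions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"strings"
	"text/template"
)

// Reduced mirror of the grype JSON document (assumption: only the keys this
// report needs; key names follow grype's ignoredMatches/appliedIgnoreRules
// output, plus the requested "reason" key on each applied rule).
type IgnoreRule struct {
	Vulnerability string `json:"vulnerability"`
	Reason        string `json:"reason"`
}

type Vulnerability struct {
	ID string `json:"id"`
}

type IgnoredMatch struct {
	Vulnerability      Vulnerability `json:"vulnerability"`
	AppliedIgnoreRules []IgnoreRule  `json:"appliedIgnoreRules"`
}

type Document struct {
	IgnoredMatches []IgnoredMatch `json:"ignoredMatches"`
}

// SampleJSON is a constructed scan result, not real grype output. The second
// entry (placeholder ID) deliberately has an ignore rule without a reason.
const SampleJSON = `{
  "ignoredMatches": [
    {
      "vulnerability": {"id": "CVE-2010-0733"},
      "appliedIgnoreRules": [
        {"vulnerability": "CVE-2010-0733", "reason": "Only exploitable under conditions not present in our application."}
      ]
    },
    {
      "vulnerability": {"id": "CVE-0000-0000"},
      "appliedIgnoreRules": [
        {"vulnerability": "CVE-0000-0000", "reason": ""}
      ]
    }
  ]
}`

// ReportTemplate ranges over appliedIgnoreRules because it is a list: several
// rules can suppress the same vulnerability, so .Reason is read per rule and
// multiple reasons are joined with "; ".
const ReportTemplate = `The following vulnerabilities are considered irrelevant:
{{- range .IgnoredMatches}}
- {{.Vulnerability.ID}} ({{range $i, $r := .AppliedIgnoreRules}}{{if $i}}; {{end}}{{reasonOrDefault $r.Reason}}{{end}})
{{- end}}
`

// reasonOrDefault makes a missing justification visible in the report instead
// of rendering an empty pair of parentheses.
func reasonOrDefault(r string) string {
	if strings.TrimSpace(r) == "" {
		return "NO REASON RECORDED, review this ignore rule"
	}
	return r
}

// RenderIgnoredReport parses the JSON document and renders the report section.
func RenderIgnoredReport(doc []byte) (string, error) {
	var d Document
	if err := json.Unmarshal(doc, &d); err != nil {
		return "", fmt.Errorf("parse grype json: %w", err)
	}
	t, err := template.New("report").
		Funcs(template.FuncMap{"reasonOrDefault": reasonOrDefault}).
		Parse(ReportTemplate)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	if err := t.Execute(&sb, d); err != nil {
		return "", err
	}
	return sb.String(), nil
}

// UnjustifiedIgnores returns the IDs of ignored vulnerabilities for which no
// applied rule records a reason; a pipeline can fail on a non-empty result.
func UnjustifiedIgnores(doc []byte) ([]string, error) {
	var d Document
	if err := json.Unmarshal(doc, &d); err != nil {
		return nil, err
	}
	var ids []string
	for _, m := range d.IgnoredMatches {
		justified := false
		for _, r := range m.AppliedIgnoreRules {
			if strings.TrimSpace(r.Reason) != "" {
				justified = true
				break
			}
		}
		if !justified {
			ids = append(ids, m.Vulnerability.ID)
		}
	}
	return ids, nil
}

func main() {
	out, err := RenderIgnoredReport([]byte(SampleJSON))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Print(out)
	ids, _ := UnjustifiedIgnores([]byte(SampleJSON))
	if len(ids) > 0 {
		fmt.Fprintf(os.Stderr, "ignore rules without a reason: %s\n", strings.Join(ids, ", "))
		os.Exit(2)
	}
}
```

Run against a real scan by replacing `SampleJSON` with the contents of a grype JSON report; the non-zero exit on unjustified ignores is what turns the `reason` field from documentation into a reviewable control.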