
Update supported PURL types for Snyk and bump default API version #552

Merged: 2 commits merged into main from update-snyk-purl-types on May 15, 2023

Conversation

nscuro (Member) commented May 14, 2023

No description provided.

Signed-off-by: nscuro <nscuro@protonmail.com>
Signed-off-by: nscuro <nscuro@protonmail.com>
@nscuro nscuro added enhancement New feature or request domain/vuln-analysis labels May 14, 2023
sonarcloud bot commented May 14, 2023

Kudos, SonarCloud Quality Gate passed!

Bugs: 0 (A)
Vulnerabilities: 0 (A)
Security Hotspots: 0 (A)
Code Smells: 0 (A)
Coverage: no coverage information
Duplication: 0.0%

@sahibamittal sahibamittal merged commit 2e28fd2 into main May 15, 2023
12 checks passed
@sahibamittal sahibamittal deleted the update-snyk-purl-types branch May 15, 2023 08:19
nscuro added a commit that referenced this pull request May 22, 2023
There are discrepancies between what SBOM generators report as PURL namespace and `distro` qualifier, and what Snyk expects.

For example, trivy uses `redhat` for both, whereas Snyk expects `rhel`. The latter is also used by Syft.

Problem is that batch requests to Snyk will fail entirely when at least one PURL in the batch does not comply with Snyk's preferred identifiers. There is no indication in the response as to which PURL caused the failure, so we can't filter them out and re-try the batch.

Disabling Linux package types for now to not impact analysis of other package types.

Reverts some changes made in #552

Signed-off-by: nscuro <nscuro@protonmail.com>
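The follow-up commit above describes two problems: SBOM generators disagree on the namespace and `distro` identifiers for Linux packages (trivy emits `redhat` where Snyk and Syft use `rhel`), and the batch endpoint rejects a whole batch without saying which PURL was at fault. The following is an added example, not Dependency-Track's or Snyk's code: it rewrites those identifiers before submission, and, for the case where a non-compliant PURL still slips through, bisects a rejected batch so that only the offending PURLs are lost. The alias table contains only the `redhat -> rhel` pair stated in the commit; the `distro=<id>-<version>` shape of the qualifier, the set of affected PURL types (`rpm`, `deb`, `apk`), the sample PURLs and the all-or-nothing batch endpoint are assumptions constructed for the example.

```python
"""Added example (not Dependency-Track or Snyk code): normalise Linux-distro
PURL identifiers and isolate non-compliant PURLs from an all-or-nothing batch."""
from typing import Callable, Dict, List, Tuple

# Generator identifier -> identifier Snyk expects. Only redhat -> rhel is
# stated on the page; extend this table as further discrepancies are found.
IDENT_ALIASES = {"redhat": "rhel"}

# PURL types for Linux distribution packages (assumption: these are the only
# types whose namespace/distro identifiers need rewriting).
LINUX_TYPES = {"rpm", "deb", "apk"}


def split_purl(purl: str) -> Tuple[str, str, str, List[Tuple[str, str]], str]:
    """Split pkg:type/namespace/name@version?qualifiers#subpath into parts."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a PURL: {purl}")
    body = purl[len("pkg:"):]
    body, _, subpath = body.partition("#")
    body, _, query = body.partition("?")
    segments = body.strip("/").split("/")
    ptype, name_version = segments[0], segments[-1]
    namespace = "/".join(segments[1:-1])
    qualifiers = []
    for kv in query.split("&"):
        if kv:
            key, _, value = kv.partition("=")
            qualifiers.append((key, value))
    return ptype, namespace, name_version, qualifiers, subpath


def join_purl(ptype: str, namespace: str, name_version: str,
              qualifiers: List[Tuple[str, str]], subpath: str) -> str:
    """Inverse of split_purl; qualifier order is preserved."""
    out = f"pkg:{ptype}/"
    if namespace:
        out += f"{namespace}/"
    out += name_version
    if qualifiers:
        out += "?" + "&".join(f"{k}={v}" for k, v in qualifiers)
    if subpath:
        out += "#" + subpath
    return out


def normalize_purl(purl: str) -> str:
    """Rewrite the namespace and the prefix of the distro qualifier via
    IDENT_ALIASES. Assumes the qualifier looks like distro=<id>-<version>."""
    ptype, namespace, name_version, qualifiers, subpath = split_purl(purl)
    if ptype not in LINUX_TYPES:
        return purl  # non-Linux packages are left untouched
    namespace = IDENT_ALIASES.get(namespace, namespace)
    fixed = []
    for key, value in qualifiers:
        if key == "distro":
            distro_id, sep, rest = value.partition("-")
            value = IDENT_ALIASES.get(distro_id, distro_id) + sep + rest
        fixed.append((key, value))
    return join_purl(ptype, namespace, name_version, fixed, subpath)


class BatchRejected(Exception):
    """The whole batch was refused; the response names no offending PURL."""


def submit_batch(purls: List[str], accept: Callable[[str], bool]) -> Dict[str, list]:
    """Constructed stand-in for an all-or-nothing batch endpoint: one PURL
    failing `accept` rejects the entire batch with no per-item detail."""
    if not all(accept(p) for p in purls):
        raise BatchRejected("batch rejected")
    return {p: [] for p in purls}  # the stub reports no findings


def analyze_with_bisect(purls: List[str],
                        submit: Callable[[List[str]], Dict[str, list]]):
    """Submit a batch; on rejection halve it recursively so the PURLs the
    endpoint will not take are isolated and the rest are still analysed.
    Returns (results, rejected_purls)."""
    try:
        return submit(purls), []
    except BatchRejected:
        if len(purls) == 1:
            return {}, list(purls)
        mid = len(purls) // 2
        ok_l, bad_l = analyze_with_bisect(purls[:mid], submit)
        ok_r, bad_r = analyze_with_bisect(purls[mid:], submit)
        return {**ok_l, **ok_r}, bad_l + bad_r


# Constructed sample input: a trivy-style PURL, a Syft-style PURL, a Maven one.
SAMPLE_PURLS = [
    "pkg:rpm/redhat/openssl@1.1.1k?arch=x86_64&distro=redhat-8.4",
    "pkg:rpm/rhel/curl@7.61.1?arch=x86_64&distro=rhel-8.4",
    "pkg:maven/org.apache.commons/commons-text@1.9",
]


def snyk_accepts(purl: str) -> bool:
    """Constructed acceptance rule: refuse identifiers known to be aliases."""
    _, namespace, _, qualifiers, _ = split_purl(purl)
    distro_id = dict(qualifiers).get("distro", "").partition("-")[0]
    return namespace not in IDENT_ALIASES and distro_id not in IDENT_ALIASES


if __name__ == "__main__":
    submit = lambda batch: submit_batch(batch, snyk_accepts)
    print(analyze_with_bisect(SAMPLE_PURLS, submit))
    print(analyze_with_bisect([normalize_purl(p) for p in SAMPLE_PURLS], submit))
```

Normalising first is the cheap path; bisection costs roughly one extra request per rejected PURL per halving level, so it is a fallback for identifiers the alias table does not yet know about, not a substitute for the table.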