fix: bump grype to 0.111.1 and fix checksum verification in container scan#183
Merged
Conversation
… scan grype 0.111.0 does not exist as a GitHub release, causing a 404 in the install step. Also fix sha256sum verification: save the archive under its release filename so the checksum entry matches and sha256sum --check can verify the file. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…CVE jobs grype SARIF output for sbom: inputs omits artifactLocation, causing GitHub code scanning upload to fail with "expected artifact location". Replace the broken upload-sarif step on the Gradle job with grype table+json artifacts so findings are always accessible without downloading the SBOM. Add the same artifact upload to the npm job as a fallback alongside the existing SARIF upload (path-based scans produce valid SARIF). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
scan-action does not add grype to PATH for subsequent steps, so table reports are generated by locating the binary in the tool cache. Each job now uploads both a table report and the JSON from scan-action's output. Drops the broken SARIF upload from the Gradle job (grype SARIF for sbom: inputs omits artifactLocation, failing GitHub code scanning upload). Keeps SARIF upload on the npm job where path-based scans produce valid output. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Resolves high severity CVEs: - GHSA-v468-qcjx-r72w (httpclient5) - GHSA-4wrg-8wpc-h923, GHSA-4vrc-j85c-598c (spring-security-config) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
GRYPE_VERSIONfrom0.111.0to0.111.1—0.111.0does not exist as a GitHub release, causing a 404 in theanchore/scan-actioninstall step and the manual install in the container scan jobsha256sumverification in the container scan manual install: archive is now saved under its release filename so the checksum entry matches andsha256sum --checkcan verify it (old approach saved to/tmp/grype.tar.gz→ "no file was verified", exit 1)sbom:inputs omitsartifactLocation, causing GitHub code scanning to fail withlocationFromSarifResult: expected artifact locationgrype-npm-scan,grype-gradle-scan) so findings are immediately accessible without downloading the raw SBOM. Usesscan-action'sjsonoutput and locates the grype binary in the tool cache for the table reportTest plan
grype-npm-scanartifact contains a non-empty table report and JSON on a failing rungrype-gradle-scanartifact contains a non-empty table report and JSON, and no SARIF upload errorScan imageandInstall grypesteps both pass andgrype-container-scanartifact is populated🤖 Generated with Claude Code