Specifying "extras" in pip / requirements.txt results in false negative #1246
Thanks for the report @tlbjr, this looks like a fairly easy fix -- PRs are always welcome!
shanedell added a commit to shanedell/grype that referenced this issue on Apr 21, 2023:
- Allow pip packages to specify extras.
- Syntax: package_name[extra1, extra2]
- Using regex the extras will be removed from the package name.
Closes anchore#1246
Signed-off-by: Shane Dell <shanedell100@gmail.com>
Closed
shanedell added a commit to shanedell/syft that referenced this issue on Apr 25, 2023:
- Update pip requirements.txt parsing to remove pip extras from package name if included.
Closes anchore/grype#1246
Closes anchore/grype#1251
Signed-off-by: Shane Dell <shanedell100@gmail.com>
shanedell added a commit to shanedell/syft that referenced this issue on Apr 26, 2023:
- Update pip requirements.txt parsing to remove pip extras from package name if included.
- Add unit test to test that extras are removed from package name.
Closes anchore/grype#1246
Closes anchore/grype#1251
Signed-off-by: Shane Dell <shanedell100@gmail.com>
shanedell added a commit to shanedell/syft that referenced this issue on Apr 26, 2023:
- Create new metadata struct and type for python requirements.
- Update parsing of python requirements to use python requirements metadata.
- Remove pip extras from package name, add them to metadata instead.
- Add unit test to test that extras are removed from package name.
- Will need updated in future to support more than just == for the version constraint.
Closes anchore/grype#1246
Closes anchore/grype#1251
Signed-off-by: Shane Dell <shanedell100@gmail.com>
shanedell added a commit to shanedell/syft that referenced this issue on Apr 26, 2023:
- Create new metadata struct and type for python requirements.
- Update parsing of python requirements to use python requirements metadata.
- Remove pip extras from package name, add them to metadata instead.
- Add unit test to test that extras are removed from package name.
- Will need updated in future to support more than just == for the version constraint.
- Update JSON schema data
Closes anchore/grype#1246
Closes anchore/grype#1251
Signed-off-by: Shane Dell <shanedell100@gmail.com>
shanedell added a commit to shanedell/syft that referenced this issue on Apr 26, 2023:
- Create new metadata struct and type for python requirements.
- Update parsing of python requirements to use python requirements metadata.
- Remove extras and url from line. Add them to metadata instead.
- Add unit test to test that extras are removed from package name.
- Update test to look at requirements metadata.
- Will need updated in future to support more than just == for the version constraint.
- Update JSON schema data
Closes anchore/grype#1246
Closes anchore/grype#1251
Signed-off-by: Shane Dell <shanedell100@gmail.com>
wagoodman pushed a commit to anchore/syft that referenced this issue on Apr 27, 2023:
- Create new metadata struct and type for python requirements.
- Update parsing of python requirements to use python requirements metadata.
- Remove extras and url from line. Add them to metadata instead.
- Add unit test to test that extras are removed from package name.
- Update test to look at requirements metadata.
- Will need updated in future to support more than just == for the version constraint.
- Update JSON schema data
Closes anchore/grype#1246
Closes anchore/grype#1251
Signed-off-by: Shane Dell <shanedell100@gmail.com>
GijsCalis pushed a commit to GijsCalis/syft that referenced this issue on Feb 19, 2024:
- Create new metadata struct and type for python requirements.
- Update parsing of python requirements to use python requirements metadata.
- Remove extras and url from line. Add them to metadata instead.
- Add unit test to test that extras are removed from package name.
- Update test to look at requirements metadata.
- Will need updated in future to support more than just == for the version constraint.
- Update JSON schema data
Closes anchore/grype#1246
Closes anchore/grype#1251
Signed-off-by: Shane Dell <shanedell100@gmail.com>
What happened:
Python's (pip) celery 4.4.7 has a high vuln. This was identified with MS' Defender for Cloud, but it wasn't found with grype because we have "extras" specified as acceptable to pip / requirements.txt.
What you expected to happen:
Strip all extras and compare the base package and version to the list of known vulns.
How to reproduce it (as minimally and precisely as possible):
Anything else we need to know?:
Environment:
- `grype version`:
- `cat /etc/os-release` (or similar):
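The false negative in this report comes down to parsing: if `celery[redis]==4.4.7` is read as a package literally named `celery[redis]`, it can never equal the `celery` a vulnerability database knows about, so the match silently fails. The commits above describe the fix as stripping the extras (and any direct-reference URL) out of the name and keeping them as metadata. The Go program below is an added illustration of that approach, not syft's or grype's own parser. It goes a little beyond the commits, which mention only `==`: it accepts the other PEP 440 operators, folds names into the PEP 503 canonical form (lower-case, runs of `-`, `_`, `.` collapsed to `-`) before comparing, and drops environment markers. `NaiveName`, the `VulnRecord` type, the sample requirement lines and the single `celery 4.4.7` record are constructed for the example; the real advisory behind the report is not named on the page.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Requirement is one parsed requirements.txt line; extras and a direct-reference
// URL are kept as metadata instead of being left inside Name.
type Requirement struct {
	Name     string   // PEP 503 normalized project name
	Extras   []string // e.g. ["redis", "msgpack"] from celery[redis, msgpack]
	Operator string   // ==, >=, ~=, ... ("" for URL references or bare names)
	Version  string   // version to the right of Operator
	URL      string   // direct reference: name @ https://...
}

var (
	reqRe  = regexp.MustCompile(`^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[([^\]]*)\])?\s*(.*)$`) // name, [extras], rest
	specRe = regexp.MustCompile(`^(===|==|~=|!=|<=|>=|<|>)\s*([^\s;,#]+)`)                      // first version specifier only
	normRe = regexp.MustCompile(`[-_.]+`)                                                      // PEP 503 separator runs
)

// NormalizeName folds a project name into its PEP 503 canonical form so that
// "Celery", "celery" and "cel_ery" compare equal when matching.
func NormalizeName(name string) string {
	return strings.ToLower(normRe.ReplaceAllString(name, "-"))
}

// ParseRequirement parses one line. Pip treats a leading "#" or whitespace + "#"
// as a comment and ";" starts an environment marker; blank lines, comments and
// pip options (-r, --index-url) return ok=false.
func ParseRequirement(line string) (req Requirement, ok bool) {
	if i := strings.Index(line, " #"); i >= 0 {
		line = line[:i]
	}
	line = strings.TrimSpace(line)
	if line == "" || strings.HasPrefix(line, "#") || strings.HasPrefix(line, "-") {
		return req, false
	}
	m := reqRe.FindStringSubmatch(line)
	if m == nil {
		return req, false
	}
	req.Name = NormalizeName(m[1])
	for _, e := range strings.Split(m[2], ",") { // m[2] is "" when there is no [extras]
		if e = strings.TrimSpace(e); e != "" {
			req.Extras = append(req.Extras, strings.ToLower(e))
		}
	}
	rest := strings.TrimSpace(m[3])
	if i := strings.Index(rest, ";"); i >= 0 {
		rest = strings.TrimSpace(rest[:i])
	}
	if strings.HasPrefix(rest, "@") {
		req.URL = strings.TrimSpace(rest[1:])
	} else if s := specRe.FindStringSubmatch(rest); s != nil {
		req.Operator, req.Version = s[1], s[2]
	}
	return req, true
}

// NaiveName shows the failure mode from the report (constructed, not syft's old
// code): everything left of "==" is the name, so "celery[redis]" never equals "celery".
func NaiveName(line string) string {
	name, _, _ := strings.Cut(strings.TrimSpace(line), "==")
	return strings.TrimSpace(name)
}

// VulnRecord is a constructed stand-in for a vulnerability database entry:
// project name plus exact affected versions.
type VulnRecord struct {
	Name     string
	Affected []string
}

// IsAffected reports whether some record matches req by normalized name and version.
func IsAffected(req Requirement, db []VulnRecord) bool {
	for _, r := range db {
		if NormalizeName(r.Name) != req.Name {
			continue
		}
		for _, v := range r.Affected {
			if v == req.Version {
				return true
			}
		}
	}
	return false
}

func main() {
	db := []VulnRecord{{Name: "celery", Affected: []string{"4.4.7"}}} // constructed record
	for _, line := range []string{"celery[redis, msgpack]==4.4.7  # constructed", "Requests[security]>=2.20 ; python_version < \"3.8\"", "mypkg[extra] @ https://example.invalid/mypkg-1.0.zip", "-r base.txt"} {
		if req, ok := ParseRequirement(line); ok {
			fmt.Printf("naive=%q parsed=%q extras=%v spec=%s%s url=%q affected=%t\n",
				NaiveName(line), req.Name, req.Extras, req.Operator, req.Version, req.URL, IsAffected(req, db))
		}
	}
}
```

Running it shows the naive name `celery[redis, msgpack]` beside the parsed name `celery`, which is what lets the constructed record match. The parser keeps only the first specifier of a list such as `>=1.0,<2.0`; a scanner that feeds a matcher with range-aware comparison would record all of them, and the commits note that syft's own parser handled only `==` at the time.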