Today we look at source RPMs on RPMs to find additional matches, for example, the RPM for perl-Errno has perl listed as the source RPM... so we will additionally search for perl package vulnerabilities when we run across the perl-Errno package during matching. However, this can be a source of false positives.
That being said some advisories include each package that was potentially affected and rebuilt (this kind of information is missing from the current grype DB, but could be added). We could use this package-rebuild information from advisories to decide whether or not the indirect match should be included at all, leading to potentially fewer FPs here.
This is an incomplete idea though: what is missing is finding an example of an advisory that is missing package build information which would lead to the conclusion that the indirect package match is invalid.
For Oracle at least we are already pulling in all of the packages that were rebuilt for the advisory and that is where the exact-direct-matches are coming from, so for that case at least #1931 would already handle this. I am unsure if we currently pull in all of that information for Amazon advisories so we'll have to investigate that further.
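The gating the issue describes, as an added example (hypothetical Go types and logic, not grype's own matcher): an indirect match found through the source RPM is kept only when the advisory carries no rebuilt-package list, or when that list names the package. The SRPM filename and advisory contents below are constructed, and SRPM parsing assumes standard name-version-release naming.

```go
package main

import "strings"

// Package is an installed RPM as a scanner sees it (hypothetical type, not
// grype's). SourceRPM is the full "name-version-release.src.rpm" filename.
type Package struct {
	Name      string
	SourceRPM string
}

// Advisory is a simplified record: Affected holds the package names the advisory
// names directly; Rebuilt lists rebuilt binaries, nil when the source omits it.
type Advisory struct {
	ID       string
	Affected map[string]bool
	Rebuilt  map[string]bool
}

const (
	Direct   = "direct"
	Indirect = "indirect-via-source-rpm"
)

// SourceName strips version, release and the .src.rpm suffix:
// "perl-5.26.3-419.el8.src.rpm" -> "perl" (assumes standard NVR naming).
func SourceName(srpm string) string {
	parts := strings.Split(strings.TrimSuffix(srpm, ".src.rpm"), "-")
	if len(parts) < 3 {
		return ""
	}
	return strings.Join(parts[:len(parts)-2], "-")
}

// Match reports whether adv applies to p and how the match was made.
func Match(p Package, adv Advisory) (string, bool) {
	if adv.Affected[p.Name] {
		return Direct, true
	}
	src := SourceName(p.SourceRPM)
	if src == "" || src == p.Name || !adv.Affected[src] {
		return "", false
	}
	// Indirect match via the source RPM. When the advisory enumerates rebuilt
	// binaries, an unlisted package was not rebuilt: drop the likely false positive.
	if adv.Rebuilt != nil && !adv.Rebuilt[p.Name] {
		return "", false
	}
	return Indirect, true
}
```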