fails to discern locally-built apk packages from distro-provided ones #827
Thanks @kaniini! We'll take a look here and see if we can add a bit more nuance to the APK cataloger and matcher.
Thanks! There is also
Syft is also affected for the same reason.
I will try to summarize what I understand below; please correct anything I'm mistaken about, as I'm not an Alpine expert. The package UUIDs aren't easily available, so trying to match against those doesn't seem like an option. Packages installed from other repositories carry a repository tag. We could try to filter those to match against generic security data rather than the Alpine data. I am unsure how we should construct the PURL for packages such as these (if someone else has an answer, please speak up).
@kaniini I'm interested in picking up this work, but I'm not sure I have enough context to start implementing right away. Could you or @joshbressers help me understand: is this tag detectable in the built image? Is it specified somewhere I can go read about?
Reading through https://wiki.alpinelinux.org/wiki/Apk_spec#Installed_Database_V2, it looks like we can check for lines that start with

I read that to mean that, when a package is installed from a particular repository listed in

As far as I can tell,

I'm also pretty confused about the use of

```console
/ # cat /lib/apk/db/installed | grep '^C:' | wc -l
17
/ # cat /lib/apk/db/installed | grep '^C:' | sort | uniq | wc -l
17
```

so I don't think it will be helpful for learning package origins. But I may have misunderstood something in the original post. I'll keep investigating.
What happened:

We built a test image with a locally built nginx package: distroless.dev/nginx:latest

The locally built nginx package is matched against Alpine vulnerability data, despite not being from the Alpine ecosystem. The package is pinned to a third-party repository per /etc/apk/world:

What you expected to happen:

Locally built packages should not match against security data provided by a vendor. This should be detected by matching whether the package UUID (APKINDEX C: field) matches any UUIDs in the vendor indices. Or at the very least, check if the package is pinned.

How to reproduce it (as minimally and precisely as possible):

grype distroless.dev/nginx:latest

Anything else we need to know?:

Environment:

Output of grype version:

OS (e.g. cat /etc/os-release or similar):
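The two checks proposed in this report (comparing the C: package identifier from the installed database against the identifiers in the vendor index, and checking whether the package is pinned to a repository tag in /etc/apk/world, as the earlier comment about repository tags also suggests), as an added example in Python. This is not grype's or Syft's own code. It assumes the "name@tag" pin syntax of /etc/apk/world and the blank-line-separated, "<key>:<value>" record layout of /lib/apk/db/installed from the linked spec; every package name, version and C: value below is constructed sample data, and the vendor index is a stand-in set rather than a parsed APKINDEX.

```python
"""Decide per installed apk package whether Alpine vendor vulnerability data
applies, using two signals: a repository pin in /etc/apk/world ("name@tag") and
the C: identifier in /lib/apk/db/installed looked up in the vendor index.
All inputs here are constructed samples, not real package data."""
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Set

CONSTRAINT_OPS = "=<>~"  # version-constraint operators that may follow a name

# Constructed /etc/apk/world: one dependency per line; "@tag" pins it to the
# repository carrying that tag in /etc/apk/repositories.
SAMPLE_WORLD = """\
alpine-baselayout
busybox>=1.35
nginx@local
"""

# Constructed /lib/apk/db/installed: records separated by blank lines,
# P = name, V = version, C = package identifier, A = arch.
SAMPLE_INSTALLED = """\
C:Q1aaaa0000aaaa0000aaaa0000aaaa0000aaaa0000=
P:alpine-baselayout
V:3.2.0-r23
A:x86_64

C:Q1bbbb1111bbbb1111bbbb1111bbbb1111bbbb1111=
P:busybox
V:1.35.0-r17
A:x86_64

C:Q1cccc2222cccc2222cccc2222cccc2222cccc2222=
P:nginx
V:1.23.1-r0
A:x86_64

C:Q1dddd3333dddd3333dddd3333dddd3333dddd3333=
P:pcre2
V:10.40-r0
A:x86_64
"""

# Constructed stand-in for the C: values listed in the vendor APKINDEX files.
# nginx (built locally) is deliberately absent.
SAMPLE_VENDOR_IDS: Set[str] = {
    "Q1aaaa0000aaaa0000aaaa0000aaaa0000aaaa0000=",
    "Q1bbbb1111bbbb1111bbbb1111bbbb1111bbbb1111=",
    "Q1dddd3333dddd3333dddd3333dddd3333dddd3333=",
}


def _strip_constraint(token: str) -> str:
    """Drop a trailing version constraint such as '>=1.35' from a world token."""
    for i, ch in enumerate(token):
        if ch in CONSTRAINT_OPS:
            return token[:i]
    return token


def parse_world(text: str) -> Dict[str, Optional[str]]:
    """Map package name -> repository tag, or None when the package is not pinned."""
    pins: Dict[str, Optional[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, tag = line.partition("@")
        pins[_strip_constraint(name)] = _strip_constraint(tag) or None
    return pins


def parse_installed(text: str) -> Iterator[Dict[str, str]]:
    """Yield one {key: value} dict per record of the installed database."""
    record: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():          # blank line terminates a record
            if record:
                yield record
                record = {}
            continue
        key, sep, value = line.partition(":")
        if sep and len(key) == 1:     # keys are single letters per the spec
            record[key] = value
    if record:
        yield record


@dataclass
class Verdict:
    name: str
    version: str
    identifier: str
    repo_tag: Optional[str]
    in_vendor_index: bool

    @property
    def use_distro_data(self) -> bool:
        """Alpine data applies only if unpinned AND the vendor index lists the identifier."""
        return self.repo_tag is None and self.in_vendor_index


def classify(world_text: str, installed_text: str, vendor_ids: Set[str]) -> List[Verdict]:
    """Combine both signals for every installed package."""
    pins = parse_world(world_text)
    out: List[Verdict] = []
    for rec in parse_installed(installed_text):
        name, ident = rec.get("P", ""), rec.get("C", "")
        out.append(Verdict(name, rec.get("V", ""), ident, pins.get(name), ident in vendor_ids))
    return out


if __name__ == "__main__":
    for v in classify(SAMPLE_WORLD, SAMPLE_INSTALLED, SAMPLE_VENDOR_IDS):
        print(f"{v.name:18} {v.version:12} pin={v.repo_tag!s:6} "
              f"in_index={v.in_vendor_index!s:5} use_distro_data={v.use_distro_data}")
```

The two signals complement each other: /etc/apk/world only lists packages that were explicitly requested, so a dependency pulled in from a pinned repository (or a locally built one installed without a pin) carries no tag there, and the identifier comparison against the vendor index is what catches it; conversely the pin check needs no APKINDEX download at all, so it is the cheap first filter.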