Fix false positive for purl provider #1237

Merged (1 commit), Apr 21, 2023

Conversation

shanedell

Fix false positive for purl provider

  • To fix this, updated the purl_provider to have an epoch variable:
    • defaults to 0
    • if epoch= is set in the purl file, it grabs that value
    • if the epoch is not in front of the version, it is added: version=epoch:version

Closes #1031

Testing:

purl file dbus.purl:

pkg:rpm/dbus@1.12.8-18.el8?arch=x86_64&epoch=1

command used:

go run main.go purl:dbus.purl --distro rhel:8.6

output without fix:

 ✔ Vulnerability DB        [no update available]
 ✔ Scanning image...       [6 vulnerabilities]
   ├── 0 critical, 2 high, 3 medium, 1 low, 0 negligible
   └── 5 fixed
NAME  INSTALLED      FIXED-IN             TYPE  VULNERABILITY   SEVERITY 
dbus  1.12.8-18.el8  (won't fix)          rpm   CVE-2020-35512  Low       
dbus  1.12.8-18.el8  1:1.12.8-10.el8_2    rpm   CVE-2020-12049  High      
dbus  1.12.8-18.el8  1:1.12.8-23.el8_7.1  rpm   CVE-2022-42010  Medium    
dbus  1.12.8-18.el8  1:1.12.8-23.el8_7.1  rpm   CVE-2022-42011  Medium    
dbus  1.12.8-18.el8  1:1.12.8-23.el8_7.1  rpm   CVE-2022-42012  Medium    
dbus  1.12.8-18.el8  1:1.12.8-9.el8       rpm   CVE-2019-12749  High 

output with fix:

 ✔ Vulnerability DB        [no update available]
 ✔ Scanning image...       [4 vulnerabilities]
   ├── 0 critical, 0 high, 3 medium, 1 low, 0 negligible
   └── 3 fixed
NAME  INSTALLED        FIXED-IN             TYPE  VULNERABILITY   SEVERITY 
dbus  1:1.12.8-18.el8  (won't fix)          rpm   CVE-2020-35512  Low       
dbus  1:1.12.8-18.el8  1:1.12.8-23.el8_7.1  rpm   CVE-2022-42010  Medium    
dbus  1:1.12.8-18.el8  1:1.12.8-23.el8_7.1  rpm   CVE-2022-42011  Medium    
dbus  1:1.12.8-18.el8  1:1.12.8-23.el8_7.1  rpm   CVE-2022-42012  Medium 
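The epoch handling described in the PR (default 0, take the epoch= qualifier when present, prepend it unless the version already carries one), as an added example that is not grype's own code: a minimal pkg:rpm PURL parser (hypothetical names parseRPMPurl, normalizedVersion, purlRPM; no namespace or subpath support) applied to the dbus.purl value above.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// epochPrefix matches a leading RPM epoch such as "1:" in "1:1.12.8-18.el8".
var epochPrefix = regexp.MustCompile(`^\d+:`)

// purlRPM holds the parts of a pkg:rpm PURL this example needs (hypothetical type).
type purlRPM struct {
	Name, Version, Epoch string
}

// parseRPMPurl parses "pkg:rpm/<name>@<version>?<qualifiers>" (simplified: no
// namespace, no subpath). Epoch defaults to "0"; an epoch= qualifier overrides it.
func parseRPMPurl(purl string) (purlRPM, error) {
	const prefix = "pkg:rpm/"
	if !strings.HasPrefix(purl, prefix) {
		return purlRPM{}, fmt.Errorf("not a pkg:rpm PURL: %q", purl)
	}
	rest := strings.TrimPrefix(purl, prefix)
	var qualifiers url.Values // nil when the PURL has no "?" part; Get on nil is safe
	if i := strings.Index(rest, "?"); i >= 0 {
		q, err := url.ParseQuery(rest[i+1:])
		if err != nil {
			return purlRPM{}, err
		}
		qualifiers, rest = q, rest[:i]
	}
	name, version, ok := strings.Cut(rest, "@")
	if !ok || name == "" || version == "" {
		return purlRPM{}, fmt.Errorf("missing name or version in %q", purl)
	}
	p := purlRPM{Name: name, Version: version, Epoch: "0"}
	if e := qualifiers.Get("epoch"); e != "" {
		p.Epoch = e
	}
	return p, nil
}

// normalizedVersion prepends the epoch unless the version already starts with one,
// so "1.12.8-18.el8" with epoch=1 becomes "1:1.12.8-18.el8", which is what the
// fixed-in versions in the vulnerability data carry.
func normalizedVersion(p purlRPM) string {
	if epochPrefix.MatchString(p.Version) {
		return p.Version
	}
	return p.Epoch + ":" + p.Version
}
```

Without the prepended epoch, an epoch-aware RPM comparison treats the installed version as epoch 0 and ranks it below every 1:-prefixed fixed-in version, which is the false positive the PR removes.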

@shanedell shanedell force-pushed the purl-provider-fix-fp branch 2 times, most recently from c3f6d7e to 9f77635, April 21, 2023 16:57
@shanedell shanedell requested a review from kzantow April 21, 2023 16:58
- To fix this, updated the purl_provider to have an epoch variable:
  - defaults to 0
  - if epoch= is set in the purl file, it grabs that value
  - if the epoch is not in front of the version, it is added: version=epoch:version

Closes anchore#1031

Signed-off-by: Shane Dell <shanedell100@gmail.com>
@kzantow kzantow left a comment

LGTM 👍

Successfully merging this pull request may close these issues.

False positive with pkg:rpm PURLs