
feat: match against debian unstable #1593

Merged (1 commit), Nov 8, 2023

Conversation

willmurphyscode (Contributor) commented Nov 8, 2023

Fixes #1446

Works by special-casing debian:unstable to skip semver creation / parsing in a couple of places.

Manual testing done

(go run cmd/grype/main.go is this change, grype is v0.73.0 from homebrew)

from the original issue

❯ go run cmd/grype/main.go r-base:latest
 ✔ Vulnerability DB                [no update available]
 ✔ Loaded image                    r-base:latest
 ✔ Parsed image                    sha256:b49a24a003b91ee33a171c5491fb3add7152c7bb5e928d9d69f0e7fde7bff638
 ✔ Cataloged packages              [301 packages]
 ✔ Scanned for vulnerabilities     [284 vulnerability matches]
   ├── by severity: 3 critical, 23 high, 22 medium, 5 low, 224 negligible (7 unknown)
   └── by status:   30 fixed, 254 not-fixed, 0 ignored
NAME                        INSTALLED          FIXED-IN      TYPE  VULNERABILITY     SEVERITY
apt                         2.7.6                            deb   CVE-2011-3374     Negligible
binutils                    2.41-5                           deb   CVE-2021-32256    Negligible
binutils                    2.41-5                           deb   CVE-2018-9996     Negligible
binutils                    2.41-5                           deb   CVE-2018-20712    Negligible
... snip

❯ go run cmd/grype/main.go r-base:latest | wc -l
... snip
     285

testing against debian:testing directly

❯ go run cmd/grype/main.go -q -o json debian:testing | jq '.matches[0].vulnerability.namespace'
"debian:distro:debian:unstable"
❯ go run cmd/grype/main.go debian:testing
 ✔ Vulnerability DB                [no update available]
 ✔ Loaded image                    debian:testing
 ✔ Parsed image                    sha256:0450fd13eb205233d4ad56781f0018843029ac48b8f40172a7378edd88562857
 ✔ Cataloged packages              [87 packages]
 ✔ Scanned for vulnerabilities     [46 vulnerability matches]
   ├── by severity: 1 critical, 1 high, 0 medium, 1 low, 43 negligible
   └── by status:   0 fixed, 46 not-fixed, 0 ignored
NAME           INSTALLED        FIXED-IN  TYPE  VULNERABILITY     SEVERITY
apt            2.7.6                      deb   CVE-2011-3374     Negligible
bsdutils       1:2.39.2-4                 deb   CVE-2022-0563     Negligible
coreutils      9.1-1                      deb   CVE-2016-2781     Low
... snip

As opposed to:

❯ grype debian:testing
 ✔ Vulnerability DB                [no update available]
 ✔ Loaded image                    debian:testing
 ✔ Parsed image                    sha256:0450fd13eb205233d4ad56781f0018843029ac48b8f40172a7378edd88562857
 ✔ Cataloged packages              [87 packages]
 ✔ Scanned for vulnerabilities     [0 vulnerability matches]
   ├── by severity: 0 critical, 0 high, 0 medium, 0 low, 0 negligible
   └── by status:   0 fixed, 0 not-fixed, 0 ignored
No vulnerabilities found

Signed-off-by: Will Murphy <will.murphy@anchore.com>
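An added example (not code from the PR or from grype) that models the special case described above: a distro release is mapped to a vulnerability-DB namespace, first with unconditional numeric version parsing (which fails on the word "unstable" and so yields no matches) and then with debian:unstable short-circuited past that parsing. The Distro type, the helper names and the numeric namespace form "debian:distro:debian:12" are assumptions; only "debian:distro:debian:unstable" is taken from the PR output.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Distro is a constructed stand-in (not grype's type) for the OS release found in an image.
type Distro struct {
	Name    string // e.g. "debian"
	Version string // e.g. "12.2", or the word "unstable" for debian testing/sid images
}

// majorRelease extracts the numeric major release ("12.2" -> "12"). This is the step
// that fails for "unstable" and led to the zero-match result in the original issue.
func majorRelease(version string) (string, error) {
	major := strings.SplitN(version, ".", 2)[0]
	if _, err := strconv.Atoi(major); err != nil {
		return "", fmt.Errorf("release %q is not numeric: %w", version, err)
	}
	return major, nil
}

// namespaceBefore models the pre-fix behaviour: every version is parsed numerically,
// so "unstable" produces an error, no namespace, and therefore no matches.
func namespaceBefore(d Distro) (string, error) {
	major, err := majorRelease(d.Version)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%s:distro:%s:%s", d.Name, d.Name, major), nil
}

// namespaceAfter models the fix: debian "unstable" is special-cased and mapped directly
// to the "debian:distro:debian:unstable" namespace seen in the PR output, skipping parsing.
func namespaceAfter(d Distro) (string, error) {
	if strings.EqualFold(d.Name, "debian") && d.Version == "unstable" {
		return "debian:distro:debian:unstable", nil
	}
	return namespaceBefore(d)
}

func main() {
	for _, d := range []Distro{{"debian", "12.2"}, {"debian", "unstable"}} {
		b, errB := namespaceBefore(d)
		a, errA := namespaceAfter(d)
		fmt.Printf("%-9s before=%q %v | after=%q %v\n", d.Version, b, errB, a, errA)
	}
}
```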
westonsteimel (Contributor) commented:
I've also verified this gets the expected results on some test images

@willmurphyscode willmurphyscode merged commit 1afcf1f into main Nov 8, 2023
9 checks passed
@willmurphyscode willmurphyscode deleted the fix/grype-1446 branch November 8, 2023 20:17
Successfully merging this pull request may close these issues.

False negatives when scanning debian trixie/sid images from Dockerhub