
Add "Alpine Linux" to IDMapping; handle no CPEs error in findApkPackage. #2040

Merged
merged 4 commits into from
Aug 16, 2024

Conversation

@aeg (Contributor) commented Aug 7, 2024

Even if there are vulnerability scan results for search.ByPackageDistro in apk matcher, if the SBOM does not have a CPE set, the results are ignored and the vulnerability search result becomes empty.

resolves #2039

And the Amazon Inspector SBOM generator generates this component:

    {
      "bom-ref": "comp-2",
      "type": "operating-system",
      "name": "Alpine Linux",
      "version": "3.17.1"
    }

To make grype recognize this file as Alpine, you need to add the following entry to grype/distro/type.go:

    "Alpine Linux": Alpine,
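The two behaviours this PR touches, as an added self-contained Go sketch (not grype's code or API; every type, function, the `ErrEmptyCPEMatch` name, and the sample secDB/CPE data including the vulnerability IDs are constructed for illustration): a distro-name mapping with and without the "Alpine Linux" entry, and an apk lookup that first discards and then preserves secDB matches when the package carries no CPEs.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// DistroType is a normalised distro identity (hypothetical, not grype's type).
type DistroType string

const (
	UnknownDistro DistroType = ""
	Alpine        DistroType = "alpine"
)

// legacyIDMapping knows only the lower-case os-release style ID; IDMapping
// additionally maps the display name that third-party SBOM generators emit
// for the operating-system component (the PR cites Amazon Inspector).
var legacyIDMapping = map[string]DistroType{"alpine": Alpine}
var IDMapping = map[string]DistroType{"alpine": Alpine, "Alpine Linux": Alpine}

// DistroTypeFromName resolves an SBOM distro name; unmapped names become
// UnknownDistro, which silently disables secDB matching downstream.
func DistroTypeFromName(mapping map[string]DistroType, name string) DistroType {
	return mapping[name] // missing key yields the zero value, UnknownDistro
}

// Package is the minimal subset of an SBOM package entry needed here.
// CPEs may be empty when the SBOM was not produced by syft.
type Package struct {
	Name, Version string
	CPEs          []string
}

// Match records one vulnerability hit and which search path produced it.
type Match struct{ VulnID, By string }

// ErrEmptyCPEMatch models the "no CPEs" error the PR description refers to.
var ErrEmptyCPEMatch = errors.New("attempted CPE match against package with no CPEs")

// Constructed stand-ins for the Alpine secDB and CPE-keyed data; IDs are fake.
var secDB = map[DistroType]map[string][]string{
	Alpine: {"openssl": {"CVE-0000-0001"}, "zlib": {"CVE-0000-0002"}},
}
var cpeDB = map[string][]string{
	"cpe:2.3:a:openssl:openssl:3.0.7:*:*:*:*:*:*:*": {"CVE-0000-0001", "CVE-0000-0003"},
}

func searchByPackageDistro(d DistroType, p Package) []Match {
	var out []Match
	for _, id := range secDB[d][p.Name] { // nil inner map is safe to index
		out = append(out, Match{VulnID: id, By: "distro"})
	}
	return out
}

func searchByPackageCPE(p Package) ([]Match, error) {
	if len(p.CPEs) == 0 {
		return nil, ErrEmptyCPEMatch
	}
	var out []Match
	for _, c := range p.CPEs {
		for _, id := range cpeDB[c] {
			out = append(out, Match{VulnID: id, By: "cpe"})
		}
	}
	return out, nil
}

// merge keeps one Match per ID, preferring the distro result, sorted by ID.
func merge(distro, cpe []Match) []Match {
	seen := map[string]bool{}
	var out []Match
	for _, m := range append(append([]Match{}, distro...), cpe...) {
		if !seen[m.VulnID] {
			seen[m.VulnID] = true
			out = append(out, m)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].VulnID < out[j].VulnID })
	return out
}

// findApkPackageBefore: any CPE-search error, including the benign "no CPEs"
// case, aborts the lookup and the secDB matches are thrown away.
func findApkPackageBefore(d DistroType, p Package) ([]Match, error) {
	distroMatches := searchByPackageDistro(d, p)
	cpeMatches, err := searchByPackageCPE(p)
	if err != nil {
		return nil, err
	}
	return merge(distroMatches, cpeMatches), nil
}

// findApkPackageAfter: a package without CPEs simply contributes nothing from
// the CPE path, so secDB matches survive.
func findApkPackageAfter(d DistroType, p Package) ([]Match, error) {
	distroMatches := searchByPackageDistro(d, p)
	cpeMatches, err := searchByPackageCPE(p)
	if err != nil && !errors.Is(err, ErrEmptyCPEMatch) {
		return nil, err
	}
	return merge(distroMatches, cpeMatches), nil
}

func main() {
	// Constructed input modelled on the Inspector-style SBOM above.
	pkg := Package{Name: "openssl", Version: "3.0.7"}
	fmt.Println("legacy mapping:", DistroTypeFromName(legacyIDMapping, "Alpine Linux") == UnknownDistro)
	d := DistroTypeFromName(IDMapping, "Alpine Linux")
	before, err := findApkPackageBefore(d, pkg)
	fmt.Printf("before: %v err=%v\n", before, err)
	after, err := findApkPackageAfter(d, pkg)
	fmt.Printf("after:  %v err=%v\n", after, err)
}
```

Running it shows the empty report with the old control flow and the single secDB hit with the new one; when the same package does carry a CPE, both paths agree, and with an unmapped distro name only the CPE path can ever produce results.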

@spiffcs (Contributor) commented Aug 13, 2024

Hi @aeg!

Would you be able to sign the DCO for this PR?

Here are the instructions on how to do this:
https://github.com/anchore/grype/pull/2040/checks?check_run_id=28493855535

@spiffcs spiffcs self-requested a review August 13, 2024 16:23
Eiji Ito added 2 commits August 15, 2024 22:52
…unction.

Signed-off-by: Eiji Ito <aeffy7@gmail.com>
@spiffcs (Contributor) commented Aug 16, 2024

Thanks @aeg - I'm just getting a test written here that covers any regressions in this area - really appreciate the patch 👍

Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
@spiffcs (Contributor) commented Aug 16, 2024

@anchore/tools just to reiterate from the issue, this increases grype's vulnerability report for Alpine pretty significantly.

See the output in the below issue:
#2039

I agree with the fix here since we do NOT want to throw away secDB matches based on a package in an SBOM being scanned (not generated by syft) causing this error if there are no CPEs on the package.

@spiffcs spiffcs enabled auto-merge (squash) August 16, 2024 19:00
@spiffcs spiffcs merged commit 7dfa436 into anchore:main Aug 16, 2024
10 checks passed
Successfully merging this pull request may close these issues:

Ignoring search results when CPE is not set in the SBOM