Allow CPE parsing failures #425
Conversation
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
Just one suggestion about logging verbosity, otherwise LGTM
value, err := pkg.NewCPE(c) | ||
if err != nil { | ||
return nil, err | ||
log.Warnf("unable to hydrate CPE for string %q, omitting from result CPE slice: %v", c, err) |
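Review bot: with `return nil, err` replaced by `log.Warnf(...)`, the loop body as shown no longer leaves the iteration on failure, so the zero `value` returned by `pkg.NewCPE` would be appended unless a `continue` (or a guard around the append) follows the warning; the hunk shows only the log line and no skip. Carrying the owning package's name in the message would also let operators see which package lost CPE-based match coverage, since a dropped CPE silently narrows what can be matched.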
maybe "hydrate" -> "parse" ? or less verbose: "Excluding invalid CPE %q: %v"?
@kzantow I like that! I'll create a PR for this
* main:
  - Support gomod configuration in goreleaser (#391)
  - Update description for Slack link (#439)
  - Updates approach for epoch handling in rpm comparisons (#438)
  - Feature: Specifying ignore rules for vulnerability matches (#430)
  - Update Syft to v0.24.1 (#433)
  - pull in grype-db default language namespace namer + fix imbalanced version v prefixes (#434)
  - add stock matcher (language + cpe matching) (#432)
  - Add SBOM to releases (#429)
  - Add announcement for KubeCon meetup (#428)
  - Improve log message for CPE parsing error (#426)
  - Bugfixes + Integration test for sbom input vs grype library comparison (#424)
  - Allow CPE parsing failures (#425)
Partially addresses #417.
When Grype reads in a user-supplied SBOM from Syft, it needs to convert CPE strings into CPE objects. When malformed CPE strings are supplied, Grype errored out and provided no useful results.
This PR adjusts the CPE parsing logic (within Syft JSON parsing) to log a warning instead of returning an error in the scenario where a user-supplied CPE string cannot be parsed successfully, allowing the logic to continue to other CPEs and other packages that don't have any parsing issues.
Note: We should also make an adjustment in Syft to avoid the creation of malformed CPE strings.
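The fail-soft pattern the description above calls for, as an added example that is not Grype's or Syft's code: a minimal CPE 2.3 formatted-string check (13 colon-separated fields behind a `cpe:2.3` prefix, with backslash-escaped colons respected) feeding a lenient loop that warns about and skips each malformed string instead of aborting the whole SBOM. The `CPE` type, `ParseCPE`, `ParseCPEsLenient`, the `warn` callback and all sample strings are constructed for this example and assume nothing about `pkg.NewCPE`.

```go
package main

import (
	"fmt"
	"log"
	"strings"
)

// CPE is an illustrative subset of a CPE 2.3 name; it is not Syft's pkg.CPE type.
type CPE struct {
	Part, Vendor, Product, Version string
}

// splitCPE splits on ':' while keeping backslash-escaped colons inside a field,
// which a plain strings.Split would break apart.
func splitCPE(s string) []string {
	var fields []string
	var cur strings.Builder
	escaped := false
	for _, r := range s {
		switch {
		case escaped:
			cur.WriteRune(r)
			escaped = false
		case r == '\\':
			cur.WriteRune(r)
			escaped = true
		case r == ':':
			fields = append(fields, cur.String())
			cur.Reset()
		default:
			cur.WriteRune(r)
		}
	}
	return append(fields, cur.String())
}

// ParseCPE validates the field count, the cpe:2.3 prefix and the part value,
// returning an error for anything a matcher could not use.
func ParseCPE(s string) (CPE, error) {
	fields := splitCPE(s)
	if len(fields) != 13 || fields[0] != "cpe" || fields[1] != "2.3" {
		return CPE{}, fmt.Errorf("expected 13 fields with a cpe:2.3 prefix, got %d fields", len(fields))
	}
	switch part := fields[2]; part {
	case "a", "o", "h", "*", "-":
		return CPE{Part: part, Vendor: fields[3], Product: fields[4], Version: fields[5]}, nil
	default:
		return CPE{}, fmt.Errorf("invalid part %q (want a, o, h, * or -)", part)
	}
}

// ParseResult reports how many strings were dropped so lost coverage is visible,
// not just logged.
type ParseResult struct {
	CPEs    []CPE
	Skipped int
}

// ParseCPEsLenient mirrors the behaviour the PR introduces: a malformed CPE
// string is reported through warn and skipped, and parsing continues with the
// remaining strings. The package name is included so operators can tell which
// package lost CPE-based matching.
func ParseCPEsLenient(pkgName string, raw []string, warn func(string, ...interface{})) ParseResult {
	var res ParseResult
	for _, c := range raw {
		value, err := ParseCPE(c)
		if err != nil {
			warn("excluding invalid CPE %q for package %s: %v", c, pkgName, err)
			res.Skipped++
			continue // never append the zero-value CPE
		}
		res.CPEs = append(res.CPEs, value)
	}
	return res
}

func main() {
	// Constructed sample: two well-formed strings, one truncated, one with a bad part.
	raw := []string{
		"cpe:2.3:a:vendor:product:1.0:*:*:*:*:*:*:*",
		"cpe:2.3:a:vendor:product",
		`cpe:2.3:a:vendor:prod\:uct:1.0:*:*:*:*:*:*:*`,
		"cpe:2.3:x:vendor:product:1.0:*:*:*:*:*:*:*",
	}
	res := ParseCPEsLenient("demo-pkg", raw, log.Printf)
	fmt.Printf("kept %d CPE(s), skipped %d\n", len(res.CPEs), res.Skipped)
}
```

Run it with `go run .`; the two malformed strings produce warnings while the two valid ones are returned, which is the outcome the PR wants for a Syft SBOM containing a few bad CPEs.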