
Allow CPE parsing failures #425

Merged
merged 2 commits into from
Sep 22, 2021
Conversation

luhring
Contributor

@luhring luhring commented Sep 22, 2021

Partially addresses #417.

When Grype reads in a user-supplied SBOM from Syft, it needs to convert CPE strings into CPE objects. When malformed CPE strings are supplied, Grype errored out and provided no useful results.

This PR adjusts the CPE parsing logic (within Syft JSON parsing) to log a warning instead of returning an error in the scenario where a user-supplied CPE string cannot be parsed successfully, allowing the logic to continue to other CPEs and other packages that don't have any parsing issues.

Note: We should also make an adjustment in Syft to avoid the creation of malformed CPE strings.

Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
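To show the behaviour this PR describes in isolation, here is an added example that is not Grype's or Syft's code: a minimal CPE 2.3 parser standing in for pkg.NewCPE, and a collector that logs and skips a malformed string instead of returning an error for the whole SBOM. The names ParseCPE, CollectCPEs and splitCPE, the log wording and the sample strings are assumptions made for the example.

```go
package main

import (
	"fmt"
	"log"
	"strings"
)

// CPE holds the eleven attributes of a CPE 2.3 formatted string.
type CPE struct {
	Part, Vendor, Product, Version, Update, Edition string
	Language, SWEdition, TargetSW, TargetHW, Other  string
}

// splitCPE splits on ':' while keeping a backslash-escaped "\:" inside its field.
func splitCPE(s string) []string {
	const mark = "\x00"
	f := strings.Split(strings.ReplaceAll(s, `\:`, mark), ":")
	for i := range f {
		f[i] = strings.ReplaceAll(f[i], mark, `\:`)
	}
	return f
}

// ParseCPE is a minimal stand-in for syft's pkg.NewCPE (assumption, not that library's
// code): it rejects strings without 13 fields, the cpe:2.3 prefix, or a part of a, h or o.
func ParseCPE(s string) (CPE, error) {
	f := splitCPE(s)
	if len(f) != 13 || f[0] != "cpe" || f[1] != "2.3" || len(f[2]) != 1 || !strings.Contains("aho", f[2]) {
		return CPE{}, fmt.Errorf("want 13 fields, prefix cpe:2.3 and part a|h|o, got %d fields", len(f))
	}
	return CPE{f[2], f[3], f[4], f[5], f[6], f[7], f[8], f[9], f[10], f[11], f[12]}, nil
}

// CollectCPEs mirrors the post-#425 behaviour: a malformed string is logged and skipped
// rather than aborting the load; the skipped count lets a caller surface how much was ignored.
func CollectCPEs(raw []string) ([]CPE, int) {
	out, skipped := []CPE{}, 0
	for _, c := range raw {
		v, err := ParseCPE(c)
		if err != nil {
			log.Printf("Excluding invalid CPE %q: %v", c, err)
			skipped++
			continue // skip the append so no zero-value CPE enters the slice
		}
		out = append(out, v)
	}
	return out, skipped
}
```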
@luhring luhring requested a review from a team September 22, 2021 20:26
Contributor

@kzantow kzantow left a comment


Just one suggestion about logging verbosity, otherwise LGTM

value, err := pkg.NewCPE(c)
if err != nil {
return nil, err
log.Warnf("unable to hydrate CPE for string %q, omitting from result CPE slice: %v", c, err)
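Review bot: with `return nil, err` replaced by the `log.Warnf` line, the loop body needs a `continue` (or the later append guarded by an else) right after the warning, otherwise the zero-value `value` from the failed `pkg.NewCPE(c)` call still reaches the result slice even though the message promises it is omitted; the visible lines do not show which, so confirm before merge. Consider also including the owning package name in the message so a user can trace which SBOM entry carried the bad CPE.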
Contributor


maybe "hydrate" -> "parse" ? or less verbose: "Excluding invalid CPE %q: %v"?

Contributor Author


@kzantow I like that! I'll create a PR for this

@kzantow kzantow merged commit 119f4b0 into main Sep 22, 2021
@kzantow kzantow deleted the allow-cpe-parsing-failures branch September 22, 2021 22:05
@wagoodman wagoodman added the enhancement New feature or request label Sep 23, 2021
spiffcs added a commit that referenced this pull request Oct 1, 2021
* main:
  Support gomod configuration in goreleaser (#391)
  Update description for Slack link (#439)
  Updates approach for epoch handling in rpm comparisons (#438)
  Feature: Specifying ignore rules for vulnerability matches (#430)
  Update Syft to v0.24.1 (#433)
  pull in grype-db default language namespace namer + fix imbalanced version v prefixes (#434)
  add stock matcher (language + cpe matching) (#432)
  Add SBOM to releases (#429)
  Add announcement for KubeCon meetup (#428)
  Improve log message for CPE parsing error (#426)
  Bugfixes + Integration test for sbom input vs grype library comparison (#424)
  Allow CPE parsing failures (#425)