Add support for scanning RPM files #917

Merged
merged 1 commit into from
Sep 9, 2022

Conversation

@kzantow kzantow commented Sep 8, 2022

This PR is a follow-on to anchore/syft#1188, which adds support for scanning RPM files. This aligns the naming from Rpmdb to Rpm in a number of places.

Closes #570

NOTE: scanning RPM files for vulnerabilities may not work as desired, as there is no Linux distribution identified. In the case where RPMs are identified, it may be necessary to specify a distribution, which requires knowing which version to use:

% grype ~/Downloads/rpm 
 ✔ Vulnerability DB        [no update available]
 ✔ Indexed /Users/kzantow/Downloads/rpm 
 ✔ Cataloged packages      [1 packages]
 ✔ Scanned image           [0 vulnerabilities]

[0000]  WARN Unable to determine the OS distribution. This may result in missing vulnerabilities. You may specify a distro using: --distro <distro>:<version>
No vulnerabilities found

% grype ~/Downloads/rpm --distro centos:6
 ✔ Vulnerability DB        [no update available]
 ✔ Indexed /Users/kzantow/Downloads/rpm 
 ✔ Cataloged packages      [1 packages]
 ✔ Scanned image           [1 vulnerabilities]

NAME        INSTALLED  FIXED-IN     TYPE  VULNERABILITY  SEVERITY 
audit-libs  2.4.5      (won't fix)  rpm   CVE-2015-5186  Medium    

Signed-off-by: Keith Zantow <kzantow@gmail.com>
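A helper for the caveat in the description above, added here as an illustration and not code from grype or this PR: a loose RPM file carries no os-release, but its Release tag usually ends in a dist suffix (`.el6`, `.el8_6`, `.fc36`, `.amzn2`) from which a `--distro <distro>:<version>` value can be derived before invoking grype, so a directory scan does not silently run without distribution context. The suffix-to-name mapping (`.el` reported as `rhel`; the PR example uses `centos:6`, so substitute whichever name matches your base image), the `rpm -qp` call and the fallback to parsing the file name are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the grype project or this PR.
# Derive a grype --distro value from an RPM's Release tag dist suffix.
# Assumptions: the suffix-to-distro names below (rhel, fedora, amzn) and the
# use of rpm(8) to read the Release tag when it is installed.

# dist_from_release RELEASE_OR_FILENAME
#   Prints "<distro>:<version>" derived from a dist suffix such as .el6,
#   .el8_6, .fc36 or .amzn2; returns 1 when no known suffix is present.
dist_from_release() {
  rel=$1
  case "$rel" in
    *.el[0-9]*)   tag=el;   distro=rhel   ;;  # RHEL and rebuilds (CentOS, Rocky, Alma)
    *.fc[0-9]*)   tag=fc;   distro=fedora ;;
    *.amzn[0-9]*) tag=amzn; distro=amzn   ;;
    *)            return 1 ;;
  esac
  ver=${rel##*.$tag}     # text after the last ".el" / ".fc" / ".amzn"
  ver=${ver%%[!0-9]*}    # keep only the leading digits (8_6 -> 8)
  [ -n "$ver" ] || return 1
  printf '%s:%s\n' "$distro" "$ver"
}

# distro_for_rpm FILE
#   Reads the Release tag with rpm(8) when available, otherwise falls back
#   to parsing the file name (e.g. audit-libs-2.4.5-6.el6.x86_64.rpm).
distro_for_rpm() {
  f=$1
  rel=$(rpm -qp --qf '%{RELEASE}' "$f" 2>/dev/null) || rel=${f##*/}
  dist_from_release "$rel"
}

# scan_rpm FILE
#   Runs grype on a single RPM, passing --distro when it can be derived;
#   otherwise warns and runs without it (expect the "Unable to determine
#   the OS distribution" warning and possibly missed vulnerabilities).
scan_rpm() {
  f=$1
  if d=$(distro_for_rpm "$f"); then
    echo "scanning $f as $d" >&2
    grype "$f" --distro "$d"
  else
    echo "no dist suffix in $f; pass --distro <distro>:<version> yourself" >&2
    grype "$f"
  fi
}

# Usage: ./scan-rpm.sh /path/to/one.rpm /path/to/another.rpm
if [ "$#" -gt 0 ]; then
  for f in "$@"; do scan_rpm "$f"; done
fi
```

The suffix is a convention, not a guarantee: vendor-built or rebuilt packages may carry no dist tag or a custom one, and the script then falls through to an unqualified scan, which is the situation the warning in the description describes; the `--distro` value should be confirmed against the image or host the RPM is actually installed on.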
@kzantow kzantow requested a review from a team September 9, 2022 18:46
@wagoodman wagoodman left a comment


the caveat is a good call out, luckily this would only impact directory scans (not image scans) so I feel like this is an alright tradeoff.

@kzantow kzantow merged commit ba73ab3 into anchore:main Sep 9, 2022
@kzantow kzantow deleted the support-rpm-files branch September 9, 2022 18:56
adriens commented Sep 9, 2022

Excellent ❣️

westonsteimel added a commit that referenced this pull request Sep 12, 2022
This reverts commit ba73ab3.

This seems to have introduced some CGO dependencies into Grype.

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
spiffcs added a commit to willyw0nka/grype that referenced this pull request Oct 7, 2022
* main: (48 commits)
  Update grype bootstrap tools to latest versions. (anchore#947)
  chore: add more quality gate images (anchore#950)
  Add in-depth quality gate checks (anchore#949)
  Update Syft to v0.58.0 (anchore#941)
  Update grype bootstrap tools to latest versions. (anchore#945)
  Update grype bootstrap tools to latest versions. (anchore#935)
  Update Syft to v0.57.0 (anchore#930)
  Correct falsely copied app-name 'syft' in example (anchore#922)
  Bump github.com/sigstore/cosign from 1.11.1 to 1.12.0 (anchore#927)
  Update grype bootstrap tools to latest versions. (anchore#925)
  Update Syft to v0.56.0 (anchore#919)
  Add support for scanning RPM files (anchore#917)
  remove arch typo - add debug/reg s390x (anchore#915)
  grype release message update (anchore#914)
  feat: extract use cpes in matching logic to be configurable (anchore#911)
  docs: add Singularity to "features" in README (anchore#912)
  docs: improve Singularity image source docs (anchore#910)
  Add Singularity image source (anchore#908)
  Update grype bootstrap tools to latest versions. (anchore#907)
  Update Syft to v0.55.0 (anchore#906)
  ...

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Development

Successfully merging this pull request may close these issues.

Enhancement request for scanner to be able to review rpm packages