Distinguish OS package vs unofficial packages #2549
Labels
enhancement
New feature or request
planning
high level epic that should be broken into smaller tasks
Comments
|
There is a ongoing conversation about how to do this with alpine packages: anchore/grype#827 . As of this time it isn't clear what the way forward is for alpine. |
|
There is also another issue that talks about multiple ecosystems, primarily Redhat and Debian #1607 |
wagoodman
added
the
planning
|
What about an approach in grype in the meantime within SearchByDistro where it would first search in the distro namespace for any packages matching the name (or parent package name), and if it finds nothing fall back to CPE matching? Maybe make it configurable or something? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Today syft does not distinguish between RPMs from the official distro provider vs RPMs that were curled and installed from unofficial sources. This is valuable to detect, and applies to mulitple ecosystems, but the solution is not straight forward or obvious in all cases.
The ecosystems to cover should at least be all of the OS distros we support:
The text was updated successfully, but these errors were encountered: