
feat: disable cpe vendor wildcards to reduce false positives #1647

Merged
merged 2 commits into from
Mar 3, 2023

Conversation

westonsteimel (Contributor)

Currently, syft is still generating * for the vendor for Ruby and JavaScript, but this seems unnecessary and is a source of many reported false positives in Grype. I have added the URL -> vendor candidates parsing logic for both as well. Both ecosystems are already well-covered by GitHub Security Advisories anyway, so CPEs are becoming increasingly irrelevant to both. Also we've already disabled wildcard vendors for Java and that was the ecosystem where we were most likely to be catching something unknown (though still also catching enormous numbers of false positives).

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
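The mechanics behind this PR, as an added illustration that is not syft's code and not part of the PR: derive CPE vendor candidates from a package's repository URL (the owner segment of a github.com/gitlab.com path) and from an npm/gemspec-style author string, instead of emitting `*`, and show why a `*` vendor on the package side matches every advisory vendor that shares the product name. The forge allowlist, the generic-mail-domain blocklist, the CPE token normalisation and all sample inputs are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"net/mail"
	"net/url"
	"regexp"
	"strings"
)

// Assumed allowlist (not syft's): hosts where the first path segment is an
// organisation or user name that can stand in for a CPE vendor.
var forgeHosts = map[string]bool{"github.com": true, "gitlab.com": true}

// Assumed blocklist: mail providers whose domain says nothing about the vendor.
var genericMailDomains = map[string]bool{
	"gmail.com": true, "hotmail.com": true, "outlook.com": true, "yahoo.com": true,
}

var nonCPEChars = regexp.MustCompile(`[^a-z0-9._-]+`)

// toCPEToken lowercases the input and collapses runs of characters outside a
// conservative CPE-safe set into "_"; it returns "" if nothing usable remains.
func toCPEToken(s string) string {
	s = strings.ToLower(strings.TrimSpace(s))
	s = nonCPEChars.ReplaceAllString(s, "_")
	return strings.Trim(s, "_")
}

func appendUnique(list []string, s string) []string {
	for _, v := range list {
		if v == s {
			return list
		}
	}
	return append(list, s)
}

// VendorCandidatesFromURL returns the repository owner as the vendor candidate.
// Accepts https://, git+https://, ssh:// and scp-like git@host:owner/repo forms;
// returns nil (no candidate, and notably no "*") for anything it cannot attribute.
func VendorCandidatesFromURL(raw string) []string {
	raw = strings.TrimSpace(raw)
	// scp-like syntax has no scheme; rewrite it so net/url can parse the host.
	if at := strings.Index(raw, "@"); at > 0 && !strings.Contains(raw, "://") {
		if colon := strings.Index(raw[at:], ":"); colon > 0 {
			raw = "ssh://" + raw[:at+colon] + "/" + raw[at+colon+1:]
		}
	}
	u, err := url.Parse(raw)
	if err != nil || !forgeHosts[strings.ToLower(u.Hostname())] {
		return nil
	}
	parts := strings.Split(strings.Trim(u.Path, "/"), "/")
	if len(parts) < 2 { // need owner/repo; the owner is the candidate
		return nil
	}
	if owner := toCPEToken(parts[0]); owner != "" {
		return []string{owner}
	}
	return nil
}

// VendorCandidatesFromAuthor derives candidates from an author string such as
// "Jane Doe <jane@example-corp.io> (https://example-corp.io)": the person's
// name, plus the registrable label of a non-generic e-mail domain.
func VendorCandidatesFromAuthor(author string) []string {
	var out []string
	author = strings.TrimSpace(author)
	// drop a trailing "(url)", which net/mail does not understand
	if i := strings.LastIndex(author, "("); i > 0 && strings.HasSuffix(author, ")") {
		author = strings.TrimSpace(author[:i])
	}
	name, domain := author, ""
	if addr, err := mail.ParseAddress(author); err == nil {
		name = addr.Name
		if at := strings.LastIndex(addr.Address, "@"); at >= 0 {
			domain = strings.ToLower(addr.Address[at+1:])
		}
	}
	if n := toCPEToken(name); n != "" {
		out = append(out, n)
	}
	if domain != "" && !genericMailDomains[domain] {
		labels := strings.Split(domain, ".")
		if len(labels) >= 2 {
			if d := toCPEToken(labels[len(labels)-2]); d != "" {
				out = appendUnique(out, d)
			}
		}
	}
	return out
}

// VendorMatches mirrors CPE matching of a single attribute: "*" (ANY) on either
// side matches everything, so a "*" package vendor pairs the package with every
// advisory that merely shares its product name.
func VendorMatches(pkgVendor, advisoryVendor string) bool {
	if pkgVendor == "*" || advisoryVendor == "*" {
		return true
	}
	return strings.EqualFold(pkgVendor, advisoryVendor)
}

func main() {
	// constructed package metadata and a constructed, unrelated advisory vendor
	repo := "git+ssh://git@github.com/expressjs/express.git"
	advisoryVendor := "unrelated_vendor"
	fmt.Println("wildcard vendor matches advisory:", VendorMatches("*", advisoryVendor))
	for _, v := range VendorCandidatesFromURL(repo) {
		fmt.Printf("derived vendor %q matches advisory: %v\n", v, VendorMatches(v, advisoryVendor))
	}
	fmt.Println(VendorCandidatesFromAuthor("Jane Doe <jane@example-corp.io> (https://example-corp.io)"))
}
```

The point of returning nil rather than `*` when nothing can be attributed is that the scanner then generates no CPE for that package at all; a missing CPE costs a possible miss on a product whose only advisory source is NVD, while a `*` vendor costs a false positive for every same-named product under any vendor.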
github-actions bot commented Mar 3, 2023

Benchmark Test Results

Benchmark results from the latest changes vs base branch
goos: linux
goarch: amd64
pkg: github.com/anchore/syft/test/integration
cpu: Intel(R) Xeon(R) Platinum 8272CL CPU @ 2.60GHz
                                                          │ ./.tmp/benchmark-1bb9170.txt │
                                                          │            sec/op            │
ImagePackageCatalogers/alpmdb-cataloger-2                                   11.81m ±  1%
ImagePackageCatalogers/ruby-gemspec-cataloger-2                             856.4µ ± 16%
ImagePackageCatalogers/python-package-cataloger-2                           3.061m ±  1%
ImagePackageCatalogers/php-composer-installed-cataloger-2                   698.6µ ±  1%
ImagePackageCatalogers/javascript-package-cataloger-2                       405.7µ ±  0%
ImagePackageCatalogers/dpkgdb-cataloger-2                                   511.7µ ±  1%
ImagePackageCatalogers/rpm-db-cataloger-2                                   491.4µ ±  1%
ImagePackageCatalogers/java-cataloger-2                                     11.09m ±  1%
ImagePackageCatalogers/graalvm-native-image-cataloger-2                     8.219µ ±  4%
ImagePackageCatalogers/apkdb-cataloger-2                                    558.3µ ±  1%
ImagePackageCatalogers/go-module-binary-cataloger-2                         19.11µ ±  1%
ImagePackageCatalogers/dotnet-deps-cataloger-2                              995.2µ ±  3%
ImagePackageCatalogers/portage-cataloger-2                                  320.5µ ±  2%
ImagePackageCatalogers/sbom-cataloger-2                                     105.3µ ±  1%
ImagePackageCatalogers/binary-cataloger-2                                   180.5µ ±  0%
geomean                                                                     472.3µ

                                                          │ ./.tmp/benchmark-1bb9170.txt │
                                                          │             B/op             │
ImagePackageCatalogers/alpmdb-cataloger-2                                   5.061Mi ± 0%
ImagePackageCatalogers/ruby-gemspec-cataloger-2                             124.1Ki ± 0%
ImagePackageCatalogers/python-package-cataloger-2                           946.5Ki ± 0%
ImagePackageCatalogers/php-composer-installed-cataloger-2                   156.0Ki ± 0%
ImagePackageCatalogers/javascript-package-cataloger-2                       98.13Ki ± 0%
ImagePackageCatalogers/dpkgdb-cataloger-2                                   144.8Ki ± 0%
ImagePackageCatalogers/rpm-db-cataloger-2                                   170.3Ki ± 0%
ImagePackageCatalogers/java-cataloger-2                                     2.722Mi ± 0%
ImagePackageCatalogers/graalvm-native-image-cataloger-2                     1.555Ki ± 0%
ImagePackageCatalogers/apkdb-cataloger-2                                    129.2Ki ± 0%
ImagePackageCatalogers/go-module-binary-cataloger-2                         3.133Ki ± 0%
ImagePackageCatalogers/dotnet-deps-cataloger-2                              314.7Ki ± 0%
ImagePackageCatalogers/portage-cataloger-2                                  75.48Ki ± 0%
ImagePackageCatalogers/sbom-cataloger-2                                     13.08Ki ± 0%
ImagePackageCatalogers/binary-cataloger-2                                   26.95Ki ± 0%
geomean                                                                     108.4Ki

                                                          │ ./.tmp/benchmark-1bb9170.txt │
                                                          │          allocs/op           │
ImagePackageCatalogers/alpmdb-cataloger-2                                    86.71k ± 0%
ImagePackageCatalogers/ruby-gemspec-cataloger-2                              2.049k ± 0%
ImagePackageCatalogers/python-package-cataloger-2                            15.49k ± 0%
ImagePackageCatalogers/php-composer-installed-cataloger-2                    3.458k ± 0%
ImagePackageCatalogers/javascript-package-cataloger-2                        1.381k ± 0%
ImagePackageCatalogers/dpkgdb-cataloger-2                                    2.646k ± 0%
ImagePackageCatalogers/rpm-db-cataloger-2                                    3.759k ± 0%
ImagePackageCatalogers/java-cataloger-2                                      38.26k ± 0%
ImagePackageCatalogers/graalvm-native-image-cataloger-2                       40.00 ± 0%
ImagePackageCatalogers/apkdb-cataloger-2                                     3.438k ± 0%
ImagePackageCatalogers/go-module-binary-cataloger-2                           101.0 ± 0%
ImagePackageCatalogers/dotnet-deps-cataloger-2                               5.011k ± 0%
ImagePackageCatalogers/portage-cataloger-2                                   1.487k ± 0%
ImagePackageCatalogers/sbom-cataloger-2                                       392.0 ± 0%
ImagePackageCatalogers/binary-cataloger-2                                     772.0 ± 0%
geomean                                                                      2.220k

Add logic for parsing javascript and ruby package vendor candidates from
url and author fields and stop generating wildcard vendor candidates

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
kzantow (Contributor) left a comment


LGTM 👍

@westonsteimel westonsteimel merged commit c4cbe21 into main Mar 3, 2023
@westonsteimel westonsteimel deleted the disable-cpe-vendor-wildcard branch March 3, 2023 17:26
@westonsteimel westonsteimel added the changelog-ignore Don't include this issue in the release changelog label Mar 8, 2023
GijsCalis pushed a commit to GijsCalis/syft that referenced this pull request Feb 19, 2024
…#1647)

* improved parsing of vendor from github url

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

* stop generating wildcard vendors

Add logic for parsing javascript and ruby package vendor candidates from
url and author fields and stop generating wildcard vendor candidates

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

---------

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>