-
Notifications
You must be signed in to change notification settings - Fork 594
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: filter out packages owned by OS packages #1387
Conversation
32a96ce
to
673670e
Compare
The quality gate is failing in an interesting way. Let's take this example: Quality gate failure snippet:Testing image: docker.io/sonatype/nexus3@sha256:e8fea6b4279f2b5b24b36170459cb7aa3d6afe999f9d3e3713541be28bae8ec4 Running relative comparison... Running comparison against labels... Match differences between tooling (with labels):
But the code still finds these vulnerabilites. Let's take 2 examples:
The image is vulnerability, and both the latest release of grype and this feature branch report the image as vulnerable. But this feature branch (correctly, I think) reports 1 fewer affected packages, because the python package |
Let's look at the GHSAs, since this branch no longer finds them. First up is
So let's take a look at the syft packages that are here:
So here the rpm |
Looking at the other GHSA, GHSA-wqvq-5m8c-6g24:
Again, the RPM has an earlier fix version than the PyPI record, so this finding was always a false positive for the same reason as described in the previous comment. |
04df898
to
84deda4
Compare
3cfc36b
to
e558222
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is great work @willmurphyscode - the persistence in getting the vulnerability labels updated and following through on different examples made for an easy review. I made some nit comments for discussion.
cc @wagoodman for a second 👀
grype/pkg/syft_provider.go
Outdated
|
||
catalog = removePackagesByOverlap(catalog, relationships) | ||
catalog = removePackagesByOverlap(s) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: what do you think of the return type here? we are passing in an sbom s
only for sbom
to be remade with the modified catalog on line 47 down below - what do you think about removePackagesByOerlap
as a method on s
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for catching this. I didn't notice that we were re-assembling another SBOM struct below. I'll see if this can be easily rearranged.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM -- minor comment, which is mostly a preferential thing
grype/pkg/package.go
Outdated
if r.Type == artifact.OwnershipByFileOverlapRelationship { | ||
byOverlap[r.To.ID()] = r | ||
} | ||
} | ||
|
||
out := pkg.NewCollection() | ||
|
||
comprehensiveDistroFeed := distroFeedIsComprehensive(sbm.Artifacts.LinuxDistribution) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It seems a little odd to add this call here rather than, say, passing the sbom to excludePackages
on line 121
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the nice thing about calling it here though is that excludePackage
is minimizing what it needs as inputs.
Alex should probably give the final review of this one
For example, if the rpm "python3-rpm" is installed, it brings a python package called "rpm" with it, which is just python bindings to RPM. But this python package is part of "python3-rpm", and should not be matched against directly. Signed-off-by: Will Murphy <[email protected]>
Signed-off-by: Will Murphy <[email protected]>
These matches are excluded by the new behavior, but the SBOM format used in these tests doesn't preserve enough information about the match. Signed-off-by: Will Murphy <[email protected]>
Signed-off-by: Will Murphy <[email protected]>
From the list of packages that are considered OS packages. The reason is that the APK data feed includes fix info, but not underlying metadata info, so we shouldn't prefer APK packages to ecosystem specific packages the way we do for RPMs, for example. Signed-off-by: Will Murphy <[email protected]>
Signed-off-by: Will Murphy <[email protected]>
Signed-off-by: Will Murphy <[email protected]>
Signed-off-by: Will Murphy <[email protected]>
Signed-off-by: Will Murphy <[email protected]>
Signed-off-by: Will Murphy <[email protected]>
Make it easier to investigate quality gate failures by printing yardstick scan result IDs with each failure reason. Signed-off-by: Will Murphy <[email protected]>
Signed-off-by: Will Murphy <[email protected]>
Signed-off-by: Will Murphy <[email protected]>
Signed-off-by: Will Murphy <[email protected]>
Signed-off-by: Will Murphy <[email protected]>
Signed-off-by: Will Murphy <[email protected]>
Signed-off-by: Will Murphy <[email protected]>
Signed-off-by: Will Murphy <[email protected]>
Signed-off-by: Will Murphy <[email protected]>
Signed-off-by: Will Murphy <[email protected]>
Signed-off-by: Will Murphy <[email protected]>
Signed-off-by: Will Murphy <[email protected]>
Signed-off-by: Will Murphy <[email protected]>
Signed-off-by: Will Murphy <[email protected]>
23a982f
to
4ce2f82
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nice work 🙌
For example, if the rpm "python3-rpm" is installed, it brings a python package called "rpm" with it, which is just python bindings to RPM. But this python package is part of "python3-rpm", and should not be matched against directly.
Fixes #1373
#1362 won't be fixed anymore because of the comprehensive distro check.