Comments (4)
Hi @willyw0nka! Thanks for the request.
Do you have a specific example of syft <whatever> -o json | grype
doing the wrong thing, or particular config you wish was available?
Not every option in the syft config is applicable to grype. For example, syft and grype have a different set of output options, grype has configs for ignoring vulns but syft doesn't have those. Syft has config options to, for example, make network calls that download licensing information for some packages, but this information would just be thrown away during a grype scan. There might be options we can duplicate from Syft to Grype, or maybe make Grype parse a subset of Syft config, but it won't work to just point Grype at a whole Syft config without some real thought, which is why I ask which particular things are not working or configs seem to be missing.
Hi @willmurphyscode 👋, thanks for the reply.
Assuming that ~/.config/syft/config.yaml contains the following:
java:
  use-network: true
Let's scan an example project
git clone https://github.com/idealo/spring-endpoint-exporter.git
grype spring-endpoint-exporter
The shown output is the following
✔ Vulnerability DB [no update available]
✔ Indexed file system spring-endpoint-exporter
✔ Cataloged contents 9552afa469acfc6021761747ae604a09890febf735b3b74a06161652d89815ca
├── ✔ Packages [23 packages]
└── ✔ Executables [0 executables]
✔ Scanned for vulnerabilities [1 vulnerability matches]
├── by severity: 1 critical, 0 high, 0 medium, 0 low, 0 negligible
└── by status: 1 fixed, 0 not-fixed, 0 ignored
[0000] WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal)
NAME                     INSTALLED  FIXED-IN  TYPE          VULNERABILITY        SEVERITY
spring-boot-starter-web             2.5.12    java-archive  GHSA-36p3-wjmg-h94x  Critical
This project appears to have a critical vulnerability 😱. The reason for this is that the spring-boot-starter-web
version could not be read from pom.xml.
Let's try now to scan the same project using syft first and passing the generated SBOM to grype.
syft spring-endpoint-exporter -o json | grype
Which generates the following output
✔ Indexed file system spring-endpoint-exporter
✔ Cataloged contents 9552afa469acfc6021761747ae604a09890febf735b3b74a06161652d89815ca
├── ✔ Packages [23 packages]
└── ✔ Executables [0 executables]
[0000] WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal)
No vulnerabilities found
Yay! No vulnerabilities found! 😄
So the enhancement request is the following: could grype read grype config and syft config? Does this make sense?
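The comment above shows the two invocations disagreeing because the direct scan catalogued spring-boot-starter-web with no version, which is enough for a match. The script below is an added example, not code from the thread or from the grype or syft projects: it diffs the match sets of two grype JSON reports and lists SBOM packages that carry an empty version, so a discrepancy like the one shown can be traced to its cause. The sample reports are constructed to mirror the thread (one critical match in the direct run, none via syft), and the field names (`matches[].artifact`, `matches[].vulnerability`, `artifacts[]`) are assumed to follow the grype and syft JSON layouts; verify them against the versions you run.

```python
"""Diff two grype JSON reports and flag SBOM packages that have no version.

Added example, not from the thread. Field names are an assumption about the
grype/syft JSON layout; check them against your installed versions.
"""
import json
import sys
from typing import Dict, List, Set, Tuple

# Constructed sample: report from `grype spring-endpoint-exporter` where the
# package version could not be read, as described in the thread.
GRYPE_DIRECT = json.dumps({
    "matches": [
        {
            "vulnerability": {"id": "GHSA-36p3-wjmg-h94x", "severity": "Critical"},
            "artifact": {
                "name": "spring-boot-starter-web",
                "version": "",
                "type": "java-archive",
            },
        }
    ]
})

# Constructed sample: report from `syft ... -o json | grype`, no matches.
GRYPE_VIA_SYFT = json.dumps({"matches": []})

# Constructed sample: a syft SBOM subset with one package lacking a version
# (the artifact name 'spring-boot-starter-actuator' is made up for illustration).
SYFT_SBOM = json.dumps({
    "artifacts": [
        {"name": "spring-boot-starter-web", "version": "", "type": "java-archive"},
        {"name": "spring-boot-starter-actuator", "version": "2.5.12", "type": "java-archive"},
    ]
})

# A match is identified by (vulnerability id, package name, installed version).
Match = Tuple[str, str, str]


def match_set(report_json: str) -> Set[Match]:
    """Reduce a grype JSON report to the set of (vuln, package, version) triples."""
    report = json.loads(report_json)
    result: Set[Match] = set()
    for m in report.get("matches", []):
        art = m.get("artifact", {})
        vuln = m.get("vulnerability", {})
        result.add((vuln.get("id", ""), art.get("name", ""), art.get("version", "")))
    return result


def diff_reports(report_a: str, report_b: str) -> Dict[str, List[Match]]:
    """Return matches present in only one of the two reports, sorted for stable output."""
    a, b = match_set(report_a), match_set(report_b)
    return {"only_in_a": sorted(a - b), "only_in_b": sorted(b - a)}


def unversioned_packages(sbom_json: str) -> List[str]:
    """Names of SBOM artifacts whose version is empty; these can match by name alone."""
    sbom = json.loads(sbom_json)
    return sorted(
        art.get("name", "") for art in sbom.get("artifacts", []) if not art.get("version")
    )


if __name__ == "__main__":
    # Usage: python diff_grype.py direct.json via_syft.json sbom.json
    # Without arguments the constructed samples above are used.
    if len(sys.argv) == 4:
        direct, via_syft, sbom = (open(p).read() for p in sys.argv[1:4])
    else:
        direct, via_syft, sbom = GRYPE_DIRECT, GRYPE_VIA_SYFT, SYFT_SBOM
    print(json.dumps(diff_reports(direct, via_syft), indent=2))
    print("unversioned packages:", unversioned_packages(sbom))
```

Run it against the real outputs of `grype <dir> -o json` and `syft <dir> -o json | grype -o json`, plus the syft SBOM itself; any match listed under only one side whose installed version is empty points at the version-resolution difference the thread describes rather than at a genuine finding.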
Hey @willyw0nka, thanks much for the details. We're discussing this as a team and we've learned a couple of things: we're concerned that parsing syft config by default would confuse users and cause unintended changes in behavior, but we're open to adding an option to allow grype to call syft with config parsing enabled.
Possible options:
- add a --use-my-syft-config option to turn on syft config parsing
- add a --use-this-syft-config-file to parse a specific file
- add some sort of syft config top-level section to grype configuration
- keep existing behavior: do nothing and ask people to run syft | grype
Dev note: maintenance-wise, the solution should think through minimizing changes that have to be duplicated between Syft and Grype together. One complication: if Syft config is newer than the version of Syft included in Grype, problems could occur.
Thank you for the feedback! After considering the current situation and potential solutions, I believe sticking to the --use-this-syft-config-file
option is the best course of action. This option offers the most self-descriptive behavior and minimizes potential confusion.
While it is true that this implementation could lead to issues if the syft version is newer than grype, it remains (in my opinion) the easiest option to utilize as a user.