Comments (3)
the version object, under the 'rich' member, it will populate a new cpeVersions array regardless of the package type so that any package can be matched against CPEs if needed. I'm going to open a draft PR shortly with the updates so you can see
from grype.
I've been working on this a bit and think it warrants some discussion:
CPE matches require the vendor and product name as well as the version to determine a match. That information is not present in the version itself per the currently implemented structure, so I think there are a few options:
a. Add additional context to the Version struct itself to carry package name and other metadata necessary for guessing the vendor field. This would be ignored by other version constraint checks.
b. Generate package CPEs when populating the version fields for them (this would be the fuzzy part that is predictive). I've started work on this approach as it seems cleaner in the model as currently implemented.
Feedback appreciated.
from grype.
B seems semantically better and keeps stricter concerns than A (that is, in option A we would be adding metadata to the version object that is not of a concern for versions, but really for downstream users of the object). Are we saying to add these generated CPEs onto the package object? Or somewhere else?
from grype.
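The two options above turn on where the vendor and product names needed for a CPE match come from, since a version string alone cannot be matched. The following Go program is an added example, not grype's or syft's code: every type and function name in it is an assumption, and the vendor heuristics are constructed for illustration. It takes option (b): candidate CPEs are generated from a package's name, version and type, then compared against vulnerability CPEs on vendor, product and version, with the CPE 2.3 ANY value ("*") accepted on either side.

```go
package main

import (
	"fmt"
	"strings"
)

// Package is a constructed stand-in for a catalogued package (assumption: the
// real package model carries more, but CPE matching needs only these fields).
type Package struct {
	Name    string
	Version string
	Type    string // ecosystem, e.g. "npm", "python", "gem"
}

// CPE carries the three attributes this example matches on; "*" is the CPE 2.3
// ANY value. The part attribute is fixed to "a" (application) here.
type CPE struct {
	Vendor  string
	Product string
	Version string
}

// ParseCPE23 reads vendor, product and version out of a CPE 2.3 formatted
// string such as "cpe:2.3:a:vendor:product:1.0:*:*:*:*:*:*:*".
func ParseCPE23(s string) (CPE, error) {
	f := strings.Split(s, ":")
	if len(f) != 13 || f[0] != "cpe" || f[1] != "2.3" {
		return CPE{}, fmt.Errorf("not a CPE 2.3 formatted string: %q", s)
	}
	return CPE{Vendor: f[3], Product: f[4], Version: f[5]}, nil
}

// String renders the CPE in 2.3 formatted-string form, ANY for the rest.
func (c CPE) String() string {
	return fmt.Sprintf("cpe:2.3:a:%s:%s:%s:*:*:*:*:*:*:*", c.Vendor, c.Product, c.Version)
}

// normalize lowercases a name and replaces characters that are not allowed
// unescaped in a CPE component with "_" (a simplification of CPE 2.3 escaping).
func normalize(s string) string {
	s = strings.ToLower(strings.TrimSpace(s))
	return strings.Map(func(r rune) rune {
		switch {
		case r >= 'a' && r <= 'z', r >= '0' && r <= '9', r == '.', r == '-', r == '_':
			return r
		}
		return '_'
	}, s)
}

// GenerateCPEs is option (b) with constructed heuristics: candidate
// vendor/product pairs are derived from the package itself. Vendor guesses are
// the npm scope (if any), the package name, and finally ANY; the ANY candidate
// is the predictive, fuzzy part and the one most likely to over-match.
func GenerateCPEs(p Package) []CPE {
	name := p.Name
	var vendors []string
	if p.Type == "npm" && strings.HasPrefix(name, "@") {
		// Constructed hint: a scoped npm name "@scope/pkg" suggests vendor=scope.
		if i := strings.Index(name, "/"); i > 1 {
			vendors = append(vendors, normalize(name[1:i]))
			name = name[i+1:]
		}
	}
	product := normalize(name)
	vendors = append(vendors, product, "*")
	var out []CPE
	for _, v := range vendors {
		out = append(out, CPE{Vendor: v, Product: product, Version: normalize(p.Version)})
	}
	return out
}

// attrMatch compares one attribute, treating ANY on either side as a match.
// Version is compared as an exact string: range-based vulnerability records
// need real version comparison, which this example deliberately leaves out.
func attrMatch(a, b string) bool {
	return a == "*" || b == "*" || a == b
}

// Matches reports whether a package CPE and a vulnerability CPE agree on
// vendor, product and version.
func Matches(pkg, vuln CPE) bool {
	return attrMatch(pkg.Vendor, vuln.Vendor) &&
		attrMatch(pkg.Product, vuln.Product) &&
		attrMatch(pkg.Version, vuln.Version)
}

// FindMatches returns the vulnerability CPE strings that any candidate CPE of
// the package matches, in input order, each at most once.
func FindMatches(p Package, vulnCPEs []string) ([]string, error) {
	candidates := GenerateCPEs(p)
	var hits []string
	for _, s := range vulnCPEs {
		v, err := ParseCPE23(s)
		if err != nil {
			return nil, err
		}
		for _, c := range candidates {
			if Matches(c, v) {
				hits = append(hits, s)
				break
			}
		}
	}
	return hits, nil
}

func main() {
	// Constructed sample data: one package and CPEs as a vulnerability record
	// might list them (not real NVD entries).
	pkg := Package{Name: "jQuery", Version: "1.12.4", Type: "npm"}
	vulnCPEs := []string{
		"cpe:2.3:a:jquery:jquery:1.12.4:*:*:*:*:*:*:*",
		"cpe:2.3:a:jquery:jquery:3.5.0:*:*:*:*:*:*:*",
		"cpe:2.3:a:example_vendor:jquery:*:*:*:*:*:*:*:*",
		"cpe:2.3:a:jquery:jquery-ui:1.12.4:*:*:*:*:*:*:*",
	}
	for _, c := range GenerateCPEs(pkg) {
		fmt.Println("candidate:", c)
	}
	hits, err := FindMatches(pkg, vulnCPEs)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, h := range hits {
		fmt.Println("match:", h)
	}
}
```

Run as-is, the program reports two matches for the sample package: the exact vendor/product/version entry, and the `example_vendor` entry reached only through the ANY-vendor candidate. That second hit is the trade-off option (b) carries: generating a vendor wildcard raises recall for packages whose upstream vendor is unknown, at the cost of false positives whenever two unrelated vendors publish a product with the same name, so a real implementation would keep the generated CPEs on the package (where the discussion leaves them) and let downstream matching decide how much fuzziness to accept.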