Comments (5)
If possible, I'd prefer to filter to ignored matches rather than opaquely dropping, since the matches are valid based on the data. The issue is the semantics of those specific packages and their known relationships.
from grype.
I've started working on something here to add a new built-in set of ignore rules that would apply by default but able to be skipped via a config option.
from grype.
I've looked into the debian-based case and it looks like the kernel headers packages are less stably-named there so I'll focus my efforts initially on RPM/redhat-based solution and then we can discuss things like if we want to support ignore rules that do a package-name wildcard match (e.g. "linux-headers-*" since debian uses "linux-headers-amd64" and "linux-headers-arm64") so the issue manifests a little bit differently in those distros.
from grype.
Summarizing some offline conversations... a path forward here could be to:
- For RHEL environments only: drop or filter matches that are against `kernel-headers` and are an indirect match.
- For Debian environments only: drop or filter matches that are against `linux-headers` and are an indirect match.
The distinction between dropping and filtering (showing up in the ignored matches section) should be considered carefully.
from grype.
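A sketch of the filter-rather-than-drop behaviour discussed in this thread, as an added example in Python (not grype's own code): indirect matches against `kernel-headers` (rpm) or a `linux-headers-*` glob (deb) are moved to an ignored list with a reason instead of vanishing, and a hypothetical `use_builtin` switch stands in for the config opt-out mentioned above. The `Match` and `IgnoreRule` shapes are assumptions for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatch

# Added example, not grype's code: built-in ignore rules that route indirect
# kernel-header matches to an "ignored" bucket so they still appear in reports.

@dataclass(frozen=True)
class Match:
    vuln_id: str
    pkg_name: str
    pkg_type: str      # "rpm" or "deb"
    indirect: bool     # True when matched through an upstream/source package

@dataclass(frozen=True)
class IgnoreRule:
    pkg_type: str
    name_glob: str     # fnmatch pattern, e.g. "linux-headers-*"
    reason: str
    indirect_only: bool = True

# Hypothetical default rule set; the glob covers Debian's per-arch header
# package names (linux-headers-amd64, linux-headers-arm64, ...).
BUILTIN_RULES = (
    IgnoreRule("rpm", "kernel-headers", "indirect kernel-headers match (RHEL)"),
    IgnoreRule("deb", "linux-headers-*", "indirect linux-headers match (Debian)"),
)

def rule_applies(rule: IgnoreRule, m: Match) -> bool:
    if rule.pkg_type != m.pkg_type:
        return False
    if rule.indirect_only and not m.indirect:
        return False          # direct matches are never suppressed here
    return fnmatch(m.pkg_name, rule.name_glob)

def apply_ignore_rules(matches, rules=BUILTIN_RULES, use_builtin=True):
    """Return (kept, ignored); ignored holds (match, reason) pairs so the
    report can list them. use_builtin=False models the config opt-out."""
    if not use_builtin:
        return list(matches), []
    kept, ignored = [], []
    for m in matches:
        hit = next((r for r in rules if rule_applies(r, m)), None)
        (ignored.append((m, hit.reason)) if hit else kept.append(m))
    return kept, ignored

# Constructed sample input, not real scan output.
SAMPLE = [
    Match("EXAMPLE-0001", "kernel-headers", "rpm", indirect=True),
    Match("EXAMPLE-0002", "kernel-headers", "rpm", indirect=False),
    Match("EXAMPLE-0003", "linux-headers-amd64", "deb", indirect=True),
    Match("EXAMPLE-0004", "openssl", "deb", indirect=True),
]
```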
note: this still needs an update for the non-rpm cases.
from grype.