Comments (2)
Hi, is this ticket ready to be worked on? If so, I'm interested in taking a look
@dandandy there is work ready to be picked up, but not in grype quite yet. Specifically, grype uses syft in order to discover packages... the work that needs to be done first is to add new catalogers to syft to be able to discover packages from these new sources for pacman and pipenv. I've created a couple of new issues to encapsulate that work: anchore/syft#241 and anchore/syft#242.
As for adding a new cataloger into syft, let's take pipenv as an example. Pipenv is a cataloger for "index" files which we actively look for when scanning directories and not images. To add a new index cataloger you'd need to:
- create a new parser function that can parse a `pipfile.lock` and return a set of packages (for an example, here is the parser function for requirements.txt files)
- wire up that parser to the existing index cataloger with the corresponding `**/Pipfile.lock` glob: https://github.com/anchore/syft/blob/main/syft/cataloger/python/index_cataloger.go#L12-L16
- add unit tests to cover the parser function
Happy to answer any questions on this work (reach out on those tickets or on the #toolbox-dev slack channel for more realtime conversation)!
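The first step above (a parser function that reads a Pipfile.lock and returns a set of packages) is the part a vulnerability matcher depends on most: the pinned version it extracts is what grype will later compare against vulnerability data, so an entry that is silently mis-parsed becomes a silently missed finding. The following Go program is an added example written for this thread, not syft's own code or the parser linked above. The `Package` type, the `ParsePipfileLock` function and the `sampleLock` document are all assumptions constructed for illustration; the sample mirrors the `default`/`develop` layout of a Pipfile.lock but is not from any real project. Entries with no pinned `version` (VCS or editable installs, which carry `git`/`ref` instead) are skipped explicitly rather than reported with an empty version, and malformed JSON is returned as an error instead of an empty result.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"sort"
	"strings"
)

// Package is a minimal stand-in for the package record a cataloger would
// return. This is a hypothetical type for the example; syft's own type is richer.
type Package struct {
	Name    string
	Version string
	Group   string // "default" or "develop": the lockfile section the entry came from
}

// pipfileLock mirrors the parts of the Pipfile.lock JSON layout this parser reads.
type pipfileLock struct {
	Default map[string]pipfileDep `json:"default"`
	Develop map[string]pipfileDep `json:"develop"`
}

// pipfileDep is one dependency entry. Pinned installs carry "version": "==x.y.z";
// VCS or editable installs carry "git"/"ref" instead and have no version field.
type pipfileDep struct {
	Version string `json:"version"`
}

// ParsePipfileLock reads a Pipfile.lock from r and returns one Package per
// pinned dependency, sorted by group then name so results are deterministic.
// Entries without a pinned version are skipped rather than guessed.
func ParsePipfileLock(r io.Reader) ([]Package, error) {
	var lock pipfileLock
	if err := json.NewDecoder(r).Decode(&lock); err != nil {
		return nil, fmt.Errorf("failed to parse Pipfile.lock: %w", err)
	}

	var pkgs []Package
	collect := func(group string, deps map[string]pipfileDep) {
		for name, dep := range deps {
			// Pipfile.lock pins versions as "==1.2.3"; strip the operator.
			version := strings.TrimPrefix(strings.TrimSpace(dep.Version), "==")
			if version == "" {
				continue // VCS/editable install: no comparable version to report
			}
			pkgs = append(pkgs, Package{Name: name, Version: version, Group: group})
		}
	}
	collect("default", lock.Default)
	collect("develop", lock.Develop)

	sort.Slice(pkgs, func(i, j int) bool {
		if pkgs[i].Group != pkgs[j].Group {
			return pkgs[i].Group < pkgs[j].Group
		}
		return pkgs[i].Name < pkgs[j].Name
	})
	return pkgs, nil
}

// sampleLock is a constructed Pipfile.lock fragment for this example;
// the names, versions and hash are placeholders, not from any real project.
const sampleLock = `{
  "_meta": {"hash": {"sha256": "placeholder"}, "pipfile-spec": 6},
  "default": {
    "requests": {"version": "==2.28.1", "hashes": ["sha256:placeholder"]},
    "urllib3": {"version": "==1.26.12"},
    "mypkg": {"git": "https://example.invalid/mypkg.git", "ref": "abc123", "editable": true}
  },
  "develop": {
    "pytest": {"version": "==7.1.3"}
  }
}`

func main() {
	pkgs, err := ParsePipfileLock(strings.NewReader(sampleLock))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, p := range pkgs {
		fmt.Printf("%-8s %-10s %s\n", p.Group, p.Name, p.Version)
	}
}
```

Running it prints the three pinned packages (requests and urllib3 from `default`, pytest from `develop`) and omits the editable `mypkg` entry. Keeping the group on each record is what makes a later "ignore dev dependencies" filter possible without re-reading the lockfile; the unit tests the comment asks for should cover exactly these cases: a pinned entry, an unpinned VCS entry, and unparseable input.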