grype-db icon indicating copy to clipboard operation
grype-db copied to clipboard
verified publisher icon anchore

feat: handle ROOTIO_UNAFFECTED markers in OS transformer

Open chait-slim opened this issue 1 month ago • 1 comments

  • Recognize ROOTIO_UNAFFECTED version markers from vunnel
  • Set NotAffectedFixStatus for Root.io unaffected vulnerabilities
  • Handle Root.io namespace format (rootio:distro:alpine:3.17)
  • Add Root.io reference URL and tags for tracking
  • Include unit tests for new functionality

This enables grype-db to properly process Root.io security patches and prevent false positive vulnerability matches.

Signed-off-by: Chai Tadmor [email protected]

chait-slim avatar Nov 03 '25 20:11 chait-slim

In its current form, this is not the change suggested at https://github.com/anchore/vunnel/pull/863#issuecomment-3461817801 .

https://github.com/anchore/grype-db/pull/686/files#diff-af698832ba49e27cd15a534e0c885e607ec0eb94a07cd2165f03f09a2265bcbeR61-R70 has an example.

To re-iterate:

  1. Vunnel should emit records that mean "rootio has published a fix for CVE X in version Y"
  2. Grype-DB should pick up those records and emit UnaffectedPackageHandles in the database
  3. Grype should query for those UnaffectedPackageHandle and use them to filter out packages that root-io has fixed.

willmurphyscode avatar Nov 13 '25 16:11 willmurphyscode

In its current form, this is not the change suggested at anchore/vunnel#863 (comment) .

https://github.com/anchore/grype-db/pull/686/files#diff-af698832ba49e27cd15a534e0c885e607ec0eb94a07cd2165f03f09a2265bcbeR61-R70 has an example.

To re-iterate:

  1. Vunnel should emit records that mean "rootio has published a fix for CVE X in version Y"
  2. Grype-DB should pick up those records and emit UnaffectedPackageHandles in the database
  3. Grype should query for those UnaffectedPackageHandle and use them to filter out packages that root-io has fixed.

@willmurphyscode I've refactored the three PRs according to the requirements and comments. Given what I understand about the project and your comments I think the PRs will meet the requirements much better now

chait-slim avatar Nov 23 '25 13:11 chait-slim

In its current form, this is not the change suggested at anchore/vunnel#863 (comment) . https://github.com/anchore/grype-db/pull/686/files#diff-af698832ba49e27cd15a534e0c885e607ec0eb94a07cd2165f03f09a2265bcbeR61-R70 has an example. To re-iterate:

  1. Vunnel should emit records that mean "rootio has published a fix for CVE X in version Y"
  2. Grype-DB should pick up those records and emit UnaffectedPackageHandles in the database
  3. Grype should query for those UnaffectedPackageHandle and use them to filter out packages that root-io has fixed.

@willmurphyscode I've refactored the three PRs according to the requirements and comments. Given what I understand about the project and your comments I think the PRs will meet the requirements much better now

Hi @willmurphyscode did you get a chance to look at the updated PRs?

chait-slim avatar Dec 03 '25 14:12 chait-slim