
View Past Vulnerabilities in Package

Open cpendery opened this issue 2 years ago • 2 comments

What would you like to be added: I'd like to have a method of observing any vulnerabilities that have occurred for a package's past versions

Why is this needed: I'd like to use Grype's matching ability to evaluate a package's vulnerability history. I'm happy to just use it at an API level, so no need to add CLI support for this functionality.

Additional context: I'm happy to contribute support for this, but if this isn't something you want to add or have supported long term, please let me know. I think the work would be centered on updating ByCriteria's 3 search methods to allow for this version-less matching to be turned on: https://github.com/anchore/grype/blob/d5ff4ef9dc0f52abb5b5b8b75c00a7783dc74238/grype/search/criteria.go#L23

cpendery · Jul 27 '22 22:07

I can see value in data such as this

I'm not sure we want versionless matching though

If I were looking at output, I would rather see a list of things currently affected, and things fixed with the version fixed in. If we remove the version we end up with a list that would be all affected (unless I am misunderstanding your suggestion).

joshbressers · Jul 28 '22 13:07

I agree that a normal user of Grype wouldn't want this behavior to be exposed, so I was hoping to make it configurable only at an API level without ever exposing it via configuration (so no user of the CLI would accidentally stumble upon it). I am looking for a list of all the versions that were affected, so you're right on point there @joshbressers. Maybe instead of changing the existing methods, we could add a new method called GetVulnerabilityHistory that takes in a list of Packages and returns for each package all of the past vulnerabilities? Happy for any suggestions on how this could be added without making things too complex for other users. If it's taking Grype out of scope by using it to produce essentially time-series data rather than snapshot data, I can just drop the idea.

cpendery · Jul 28 '22 19:07

It's an interesting idea, and based on the search features that exist today I think this would be a relatively small lift to add. (side note, it could even be an interesting grype db search command [needs a lot more thought]). But adding this to at least the API would be alright 👍

wagoodman · Dec 15 '22 21:12
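To make the difference between the two behaviours discussed above concrete (a snapshot match that keys on name plus version, versus a "versionless" history lookup that keys on name only and then annotates each record with whether it still applies), here is an added, stand-alone Go example. It is not grype's code and does not use grype's API or DB schema: the VulnRecord type, the OSV-style introduced/fixed bounds, the compareVersions helper, the VulnerabilityHistory and MatchCurrent functions and the EXAMPLE-* identifiers in the constructed sample table are all assumptions made for illustration. Real grype matching also keys on package type/ecosystem and handles several version formats; this toy only compares dotted numeric versions.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// VulnRecord is a constructed, simplified stand-in for one vulnerability DB row
// (assumption of this example, not grype's schema). Each record carries a single
// OSV-style affected range: Introduced is an inclusive lower bound ("" = from the
// first release), FixedIn is an exclusive upper bound ("" = no fix published yet).
type VulnRecord struct {
	ID         string
	Package    string
	Introduced string
	FixedIn    string
}

// HistoryEntry is one line of a package's vulnerability history: the record plus
// whether its range still contains the version currently being scanned.
type HistoryEntry struct {
	ID             string
	Introduced     string
	FixedIn        string
	AffectsCurrent bool
}

// sampleDB is a constructed table for the example; the IDs are not real advisories.
var sampleDB = []VulnRecord{
	{ID: "EXAMPLE-2020-0001", Package: "libfoo", Introduced: "", FixedIn: "1.2.0"},
	{ID: "EXAMPLE-2021-0002", Package: "libfoo", Introduced: "1.3.0", FixedIn: "1.3.5"},
	{ID: "EXAMPLE-2022-0003", Package: "libfoo", Introduced: "", FixedIn: ""}, // unfixed
	{ID: "EXAMPLE-2022-0004", Package: "libbar", Introduced: "", FixedIn: "2.0.0"},
}

// segment returns the i-th dotted segment, treating a missing segment as "0"
// so that "1.2" and "1.2.0" compare equal.
func segment(parts []string, i int) string {
	if i < len(parts) && parts[i] != "" {
		return parts[i]
	}
	return "0"
}

// compareVersions orders dotted versions numerically per segment ("1.2.10" > "1.2.9"),
// falling back to string order for non-numeric segments. Simplified for the example.
func compareVersions(a, b string) int {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		x, y := segment(as, i), segment(bs, i)
		xi, xerr := strconv.Atoi(x)
		yi, yerr := strconv.Atoi(y)
		if xerr == nil && yerr == nil {
			if xi != yi {
				if xi < yi {
					return -1
				}
				return 1
			}
			continue
		}
		if c := strings.Compare(x, y); c != 0 {
			return c
		}
	}
	return 0
}

// inRange reports whether version falls inside the record's affected range.
func inRange(version string, r VulnRecord) bool {
	if r.Introduced != "" && compareVersions(version, r.Introduced) < 0 {
		return false
	}
	if r.FixedIn != "" && compareVersions(version, r.FixedIn) >= 0 {
		return false
	}
	return true
}

// MatchCurrent is the snapshot behaviour: only records whose range contains the
// scanned version are returned, as a scanner would report them today.
func MatchCurrent(db []VulnRecord, pkg, version string) []string {
	var ids []string
	for _, r := range db {
		if r.Package == pkg && inRange(version, r) {
			ids = append(ids, r.ID)
		}
	}
	sort.Strings(ids)
	return ids
}

// VulnerabilityHistory is the versionless lookup: every record for the package
// name is returned, each annotated with whether it still affects the scanned
// version, so the caller can separate "currently affected" from "fixed in X".
func VulnerabilityHistory(db []VulnRecord, pkg, version string) []HistoryEntry {
	var out []HistoryEntry
	for _, r := range db {
		if r.Package != pkg { // match on name only; the version is not a filter here
			continue
		}
		out = append(out, HistoryEntry{r.ID, r.Introduced, r.FixedIn, inRange(version, r)})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].ID < out[j].ID })
	return out
}

func main() {
	const pkg, ver = "libfoo", "1.3.2"
	fmt.Printf("snapshot match for %s %s: %v\n", pkg, ver, MatchCurrent(sampleDB, pkg, ver))
	fmt.Printf("history for %s (scanning %s):\n", pkg, ver)
	for _, h := range VulnerabilityHistory(sampleDB, pkg, ver) {
		status := "fixed in " + h.FixedIn
		if h.AffectsCurrent {
			status = "currently affected"
		}
		fmt.Printf("  %s  introduced=%q fixed=%q  %s\n", h.ID, h.Introduced, h.FixedIn, status)
	}
}
```

For libfoo 1.3.2 the snapshot match returns only the two records whose ranges contain 1.3.2, while the history lookup also returns the older record fixed in 1.2.0, flagged as no longer affecting the scanned version. The AffectsCurrent flag is what keeps the output from being the "all affected" list that was the concern in the thread: the list is versionless in what it matches, but every entry still says whether it applies now and what version fixed it.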