grype
A vulnerability scanner for container images and filesystems
**What happened**: Scan on image that has python3-Flask-1.0.4-150400.7.64.noarch installed. It generates high vulnerability: NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY Flask 1.0.4 2.2.5 python GHSA-m2qf-hxjv-5gpq High Jinja2 2.10.1 3.1.4 python...
**What happened**: Scan on image that has python-py-1.10.0-150100.5.12.1.noarch installed. It generates high vulnerability: NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY py 1.10.0 python GHSA-w596-4wvx-j9j6 High JSON format: --------------- "vulnerability": { "id":...
**What happened**: Scan on image that has python3-future-0.18.2-150300.3.3.1.noarch installed. It generates high vulnerability: NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY future 0.18.2 0.18.3 python GHSA-v3c5-jqr6-7qm8 High JSON format: --------------- "vulnerability": {...
**What happened**: Scan on image that has python3-wheel-0.32.3-150100.6.5.1.noarch installed. It generates high vulnerability: NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY wheel 0.32.3 0.38.1 python GHSA-qwmp-2cf2-g9g6 High JSON format: ========= "vulnerability": {...
**What happened**: Scan on image that has python3-protobuf-3.9.2-150200.4.21.1.x86_64 installed. It generates high vulnerability: $ grype --distro sles15.5 suse15.5_python3-protobuf:v1 NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY protobuf 3.9.2 3.18.3 python GHSA-8gq9-2x98-w8hf High...
**What happened**: Scan on image that has ruby2.5-stdlib-2.5.9-150000.4.29.1.x86_64 installed. It generates high vulnerability: "vulnerability": { "id": "**GHSA-ggxm-pgc9-g7fp**", "dataSource": "https://github.com/advisories/GHSA-ggxm-pgc9-g7fp", "namespace": "github:language:ruby", "severity": "High", "urls": [ "https://github.com/advisories/GHSA-ggxm-pgc9-g7fp" ], : : "relatedVulnerabilities":...
Today we look at source RPMs on RPMs to find additional matches, for example, the RPM for `perl-Errno` has `perl` listed as the source RPM... so we will additionally search...
Today we have a function that checks if the distro package in question is from a "comprehensive feed", such that it can be used to deduplicate matches from non-distro sources...
**What would you like to be added**: It would be good to add the `pkg.Source.Name` and `pkg.Source.Digest` information to the matchable product identifiers when using VEX documents to filter out...
**What would you like to be added**: The `--from` flag, analogous to Syft. **Why is this needed**: Parity with Syft. See: https://github.com/anchore/syft/issues/1783