Alex Goodman

Results 304 comments of Alex Goodman

Just summarizing the above highlighted needed features: For CI/CD I'll need individual independent operations for at least: - building a docker image - pushing a docker image - deploying a...

I'll take a stab at this. I'm going to make some assumptions: - This only applies to the Docker executor for now - The requirements.txt must be in the image...

This issue is a bit stale, as long as we're all on the same page about including an `additionalFiles` mechanism I'll give this a shot with python and we can...

This seems to be highly related to https://github.com/anchore/syft/issues/562 (we try to keep syft and grype aligned in how you express similar actions on the CLI, which is why I'm roping in...

It might be that in this code section https://github.com/anchore/grype/blob/7f09eebdde6c9744a26fb6aa26e3bc2f4501031b/grype/matcher/apk/matcher.go#L82-L98 we are not adding fix versions on the vuln records when making the match. I think we need to do this...

This is relevant to SARIF output which supports noting line numbers in the output as well as being able to express better source code-like analysis in the future.

summarizing from an online conversation: Today the `source.Location` could be modified to include this information. It would be nice to include a couple different perspectives: a) capturing line numbers and...

Some detail here regarding which ecosystems this will be feasible for in a static-analysis sense (not reaching out to external data sources, such as maven central). SPDX 2.2 relationships are...

@bureado thanks for your thoughts on this --we chatted a lot about this at a recent community meeting and internally as well... I wanted to expose some of these conversations...

from refinement: - this issue should not get picked up directly for work, but instead we should be creating new issues to account for each ecosystem... not bite them all...