Dan Luhring

Results: 169 comments by Dan Luhring

That's cool! I hadn't seen the qualifier stuff. And what you're saying makes sense, this needs to be accounted for in the Grype DB build.

[tomcat.syft.json](https://github.com/anchore/grype/files/15050305/tomcat.syft.json) This was generated with `wolfictl`, which uses Syft. Piping this into `grype` with `GRYPE_MATCH_JAVA_USING_CPES=true` set seems to still exhibit this kind of false positive.

```console
$ grype version
Application:...
```

Cleaning out my open PRs, this one's pretty old. Feel free to use if it's ever helpful :)

I'm also concerned about naming files `*.yaml` that don't validate as YAML or work with YAML tooling. I think this makes our ecosystem more difficult to work with, for the...

I'm okay with changing the `.yaml` extension to a `.melangefile` (or whatever) extension, because I think it both **a)** enables the metaprogramming benefits while **b)** not breaking people's existing tooling....

I'd love for us to consider solving this with just YAML. I've been impressed with how elegant Melange has already been in allowing efficient expression in YAML via mechanisms like...

@imjasonh I like that approach! Since `go version -m ...` doesn't have all the SBOM information we'd want on a per-module basis, I'm assuming the `... | sbomthing` would let...

Thanks @tgerla! It looks related for sure. I think this issue (1694) is partially done now, as @spiffcs points out just above... the total count seems right. And my message...

I love all of this. 😍 A couple of small thoughts: 1. According to the spec, in addition to `not_affected`, we'd also want `fixed` to be filtered out from Grype's...
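The filtering the comment above is asking for, as an added example that is not part of the original comment and is not Grype's own implementation: a minimal VEX-status filter in Go that drops a scanner match when a matching VEX statement carries a status in the ignore list, with `not_affected` and `fixed` as the default. The `Statement` and `Match` shapes, the `FilterMatches` function and the sample data (placeholder `CVE-0000-000N` identifiers and a generic purl) are all constructed here for illustration.

```go
package main

import "fmt"

// Status mirrors the four OpenVEX statement statuses.
type Status string

const (
	NotAffected        Status = "not_affected"
	Affected           Status = "affected"
	Fixed              Status = "fixed"
	UnderInvestigation Status = "under_investigation"
)

// Statement is a minimal stand-in for an OpenVEX statement (assumed shape,
// not the real OpenVEX schema): one vulnerability, one product, one status.
type Statement struct {
	Vulnerability string
	Product       string // product identifier, e.g. a purl
	Status        Status
}

// Match is a minimal stand-in for a scanner finding (assumed shape).
type Match struct {
	Vulnerability string
	Product       string
}

// DefaultIgnoreStatuses lists the statuses that should remove a match from
// the result set: both not_affected and fixed, as the comment above argues.
var DefaultIgnoreStatuses = []Status{NotAffected, Fixed}

// FilterMatches splits matches into those that survive VEX filtering and
// those dropped because a statement for the same (vulnerability, product)
// pair carries a status listed in ignore. Matches with no statement, or with
// a statement whose status is not ignored (affected, under_investigation by
// default), are kept.
func FilterMatches(matches []Match, statements []Statement, ignore []Status) (kept, dropped []Match) {
	ignored := make(map[Status]bool, len(ignore))
	for _, s := range ignore {
		ignored[s] = true
	}

	// Index statements by (vulnerability, product) so each match is one lookup.
	type key struct{ vuln, product string }
	byKey := make(map[key]Status, len(statements))
	for _, st := range statements {
		byKey[key{st.Vulnerability, st.Product}] = st.Status
	}

	for _, m := range matches {
		if st, ok := byKey[key{m.Vulnerability, m.Product}]; ok && ignored[st] {
			dropped = append(dropped, m)
			continue
		}
		kept = append(kept, m)
	}
	return kept, dropped
}

func main() {
	// Constructed sample data: placeholder CVE identifiers and a generic purl.
	const product = "pkg:generic/example@1.0"
	matches := []Match{
		{"CVE-0000-0001", product},
		{"CVE-0000-0002", product},
		{"CVE-0000-0003", product},
		{"CVE-0000-0004", product},
	}
	statements := []Statement{
		{"CVE-0000-0001", product, NotAffected},
		{"CVE-0000-0002", product, Fixed},
		{"CVE-0000-0003", product, UnderInvestigation},
	}

	kept, dropped := FilterMatches(matches, statements, DefaultIgnoreStatuses)
	fmt.Println("kept:", kept)
	fmt.Println("dropped:", dropped)
}
```

Only the pair (vulnerability, product) is used as the key here; a real implementation also has to decide how a VEX product identifier is matched against the package identifiers the scanner produces, which is a separate problem from the status filtering shown.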

Starting to hit this, too — I'm finding that it takes at least ~1.6s to run just the `LoadVulnerabilityDB` function, and that's without downloading a new database. I don't mind...