Dan Luhring

Results 169 comments of Dan Luhring

@zhill If you get a chance, can you take a look at this? It sounds like this may not be a Grype-specific issue, but perhaps an issue with a deployment...

This is a great idea, and it's something we've been talking about. The latest thought is to either use GPG or Sigstore. Regarding "what we sign", ideally we sign all...

This is such a great idea. 🎉 Also leaving a couple of thoughts... - Not all of Grype's matches have CVSS data, since it depends on if the matched upstream...

There are two different data sources being used between these two matches. It looks like the Ubuntu image is being matched with Ubuntu's vulnerability data for CVE-2018-25032 — https://ubuntu.com/security/CVE-2018-25032. This...

Adding repro steps:

```sh
# Download the JAR mentioned above
curl -LO https://repo1.maven.org/maven2/org/slf4j/log4j-over-slf4j/1.7.36/log4j-over-slf4j-1.7.36.jar
# Scan the JAR with Grype
grype ./log4j-over-slf4j-1.7.36.jar -o json > ./result.json
# Isolate the false positive...
```

Hi @Dentrax, thanks for the issue! I saw you ran this command:

```
grype golang:1.17 --output cyclonedx --file result1
```

The CycloneDX output contains data that's known to be nondeterministic,...

Cool! For how to use templates with Grype, see: https://github.com/anchore/grype#using-templates For the JSON output format (and possibly others), I think it's worth a discussion on if we want to modify...

Another thought... in the name of reproducible results, even with code changes to Grype's output formats, I think we should document the additional steps needed to be performed **_by the...

That's interesting. Would we want to upload the scan signature+digest to Rekor? I'm not familiar with how this would fit into Fulcio yet.

---

> we can ensure any image `foo@sha256:bar`...

> But what if we are using the same vuln-db version? Let's assume we have the vuln-db versioned v1. And 2 same images with the same digests. In this case, would...