Christopher Angelo Phillips

icon indicating a website link cphillips.io

icon company Anchore icon location Washington, DC icon location Golang - Rust - Neovim

Results 362 comments of Christopher Angelo Phillips

.grype.yaml ignored

Thanks for the issue @jasonatball! I'll take a look when I have time and see if I can work out why this is broken. If you have any other information...

Integration of only-fixed function in the action

Added this to our backlog so we can talk about when to fit it in

Add config argument

@kzantow I can take a look here today and bring this across the finish line.

Add config argument

Todo: - [ ] Update Docs - [ ] Add Tests - [ ] Change input parameter name

Integrate GitHub security dismissed findings with Grype ignores

@bryopsida currently scan action and the github alerts page are not connected This could be a feature enhancement where we could get scan action to be aware of these alerts...

Update documentation how to continue on failure

Thanks for the context @edwardyufinnai. We'll take a look at if there is any way we can make this better going forward.

Action is not available as an example workflow

https://github.com/actions/starter-workflows/pull/1630

Add the total types of vulnerabilities in Grype output

apologies should have assigned the PR

CVE-2022-29885 matched to java package

It looks like grype is matching on `tomcat-embed-*` in this case. `cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*` => `tomcat-embed-core` `9.0.41` (Seen in syft output) I've added this to our false positive grouping as we're working...

False positive CVE-2020-9493 Apache Chainsaw matching substack/node-chainsaw

Thanks @mstergianis - we're currently working on reducing the FP grype has been reporting. Do you have the CPE from the json output that this is matching incorrectly?