Tim Gerla

Results 211 comments of Tim Gerla

Hi @prabhu, thanks for the report. We are definitely familiar with the shortcomings of CPE generation and CPE matching and we're interested in including some kind of confidence score when...

Hi @Cerebus, thank you for the report! We'll get this taken care of as soon as we can.

Possibly related: https://github.com/anchore/grype/pull/1739 -- it looks like this problem occurs with Go 1.22 but not Go 1.21.

Dev note: we need to move Grype to Binny (https://pkg.go.dev/github.com/anchore/binny -- already used by Syft) to make the bootstrap process more reliable.

Hi @willejs, thank you for the report. We've reproduced this issue on the latest Grype, 0.77.2. Without vex (CVE-2023-1255 shows up):

```
tgerla@Timothys-MacBook-Pro-2 grype-1836 % grype alpine@sha256:124c7d2707904eea7431fffe91522a01e5a861a624ee31d03372cc1d138a3126
 ✔ Vulnerability DB...
```

Hi @shyim and @avtar, thanks for the reports and sorry for the delay acknowledging! We will take a look as soon as we can.

Troubleshooting note: looks like a CPE matching problem:

```json
"language": "php",
"cpes": [
  {
    "cpe": "cpe:2.3:a:redis:redis:6.0.2:*:*:*:*:*:*:*",
    "source": "syft-generated"
  }
],
"purl": "pkg:pecl/redis@6.0.2",
"metadataType": "php-pecl-entry",
"metadata": {
  "name": "redis",
  "version": "6.0.2",
  ...
```

A little more info here: the reason that this false positive appears is that the PHP redis extension is just called "redis", so when Syft generates a CPE based on...

Hey @willyw0nka, thanks much for the details. We're discussing this as a team and we've learned a couple of things: we're concerned that parsing syft config by default would confuse...

Thanks for the report, @ashearin! We'll get the docs updated soon.