Weston Steimel
So how do we actually go about adding new data sources for grype? Is the existing process documented somewhere?
~~Ah, so would it be somewhere in https://github.com/anchore/anchore-engine/tree/master/anchore_engine/services/policy_engine/engine/feeds?~~ No, I guess these are the legacy ones
Thanks for the report @tgagneret-embedded. This happens because we currently only load application type CPEs into the published grype databases (since we know syft and grype can't yet discover...
Yes, so I'm already working on a feature for this internally. It will be configurable to define some hierarchy of namespaces which should be considered authoritative. I'll let you know...
So what we are planning to do here is to eventually disable CPE-based matching by default. @wagoodman is currently working on getting a quality check implemented within Grype so that...
You can disable per matcher in the config file https://github.com/anchore/grype#configuration by setting `using-cpes: false`

```yaml
match:
  # sets the matchers below to use cpes when trying to find
  # vulnerability...
```
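As an added illustration of the setting described in that comment (this is example configuration written for this page, not text from the thread or from the grype project), here is a complete `.grype.yaml` that turns CPE-based matching off for the ecosystem matchers while leaving the stock matcher as-is. The per-matcher section names (`java`, `python`, `javascript`, `ruby`, `dotnet`, `golang`, `stock`) are as I recall them from the grype README linked above; treat them as an assumption and check them against the README for the grype version you run.

```yaml
# Example .grype.yaml (constructed for this page, not from the grype project).
# grype reads .grype.yaml from the working directory or ~/.grype.yaml, or a
# file passed with --config. Only the `match` section is shown; other keys
# keep their defaults.
match:
  # Per-matcher toggle for CPE-based matching. `using-cpes: true` is the
  # weak setting here: CPE matches are derived from name/vendor/version
  # strings and are the main source of false positives such as the
  # protobuf mix-up discussed in this thread. Setting it to false keeps
  # only the ecosystem-specific (purl/namespace based) matches.
  # Matcher names below are assumed from the grype README.
  java:
    using-cpes: false
  python:
    using-cpes: false
  javascript:
    using-cpes: false
  ruby:
    using-cpes: false
  dotnet:
    using-cpes: false
  golang:
    using-cpes: false
  # The stock matcher always uses CPEs; leaving it at true keeps
  # CPE matching for packages that have no ecosystem-specific matcher
  # (for example OS packages and unknown binaries).
  stock:
    using-cpes: true
```

To compare the effect, run the same scan twice (with and without the config) and diff the JSON output; the matches that disappear are exactly the CPE-only ones, and each should be reviewed rather than assumed to be a false positive.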
> And another one, where the CVE origins can't get their act correctly and make another mess: a match of `CVE-2015-5237` on google.golang.org/protobuf ... which actually is the golang version,...
The schema has also stabilized now per https://ossf.github.io/osv-schema/#status---2021-09-08
Thanks so much for working on this integration! As a start I'd be really interested in seeing the full sbom output per stage of a multi-stage dockerfile.
@willmurphyscode, this is because it doesn't currently account for architecture differences so it takes the max fix among them. So for x86_64 the fix version was `rsyslog-8.24.0-57.0.1.el7_9.3` but for...