Will Murphy
Will Murphy
@juan131 a sync up meeting sounds great. Probably the easiest way to hash out the details is to DM me in our discourse (not discord) instance: https://anchorecommunity.discourse.group/ (`@willmurphy`). I'm traveling...
@juan131 here's the branch I mentioned during the meeting today: https://github.com/anchore/syft/compare/spike-bitnami-cataloger It should help in creating a PR to resolve https://github.com/anchore/syft/issues/3065. Let us know if you have any questions, or...
This wouldn't save space, but currently when RHEL and Mariner feeds report a package as "not affected" we just drop the record in vunnel. It would be helpful if this...
Updated the top comment to point to https://github.com/anchore/grype/issues/1498 as a specific issue for "Capture dates where available".
We need the ability to represent a CVE that affects different packages, but has different severity ratings for each package. As a concrete example, https://security-tracker.debian.org/tracker/CVE-2023-44487 lists a table with multiple...
@westonsteimel we were talking about that yesterday. There might be some big performance gains by splitting the DB by provider. The main drawback I see is that, right now, grype...
Notes for implementation: The Python cataloger reading a `requirements.txt` is dropping lines that don't pin to a specific version because, historically, without an exact name and version Syft would drop...
@joshbressers how should we handle the jruby version of native extensions? `nokogiri` as a regular Ruby gem needs a bunch of native code built to work. I'm assuming that on...
That makes sense. I think this JAR is just part of the Gem, the same way any binary artifacts from compiling native extensions we find would just be part of...
Moving from `needs-discussion` to `needs-investigation`. The next step is to research how / whether Syft can report the native code that's part of PyPI and RubyGem packages (and probably others)....