Will Murphy

Results: 364 comments by Will Murphy

`grype --distro ubuntu:22.04 'pkg:deb/[email protected]?upstream=linux'` shows 1844 matches, which I think reproduces this issue. I think we could add `linux-tools-common` to this block of rules where we don't pull in the...

We discussed this a bit offline, and we think the config makes sense to have two options: 1. If the epoch is missing, assume the epoch is `0`. Effectively prepend...

I added `needs-discussion` to discuss whether the new behavior should be the default. It might be a big change, but it might be better than the current behavior. Edit: It...

We discussed this at a [recent livestream](https://anchorecommunity.discourse.group/t/october-2nd-open-source-gardening-live-stream/572?u=willmurphy). We decided that we'll implement this config, but that it will be _opt-in_. That is, we'll keep adding `0:` to RPMs and dpkgs...

This is (tangentially) related to the discussion at https://github.com/anchore/grype/issues/2615. I think we're a little bit inconsistent on the difference between distro and language framework here. Grype will happily suggest jumping...

There was another attempt to address this with https://github.com/anchore/grype/issues/2264, which basically says, "if you're scanning a Java 11 app, and there are CVEs against the JDK, please highlight the fix...

Thanks for the report @etarast. This is blocked on https://github.com/anchore/vunnel/issues/626 - please follow that issue for updates.

I've added "needs discussion" to this issue so that we can discuss the UX and implementation for showing different licensing info for different Go packages within the same Syft package...

Hi @pkeecom, I'm trying to make sure I understand this issue: 1. You have a lot of CVEs showing up when scanning a RHEL EUS 9.4 system 2. You're passing...

Hi @sekveaja thanks for the report! I was able to reproduce this issue. It looks like, basically what is happening, is that Syft finds a package like this: ``` pkg:rpm/sles/[email protected]?arch=aarch64&distro=sles-15.6&upstream=qpdf-9.0.2-150200.3.3.1.src.rpm...