Will Murphy

Results 357 comments of Will Murphy

Hi @Restage - no particular update here, but https://github.com/anchore/syft/issues/1562 is a discussion of how to enable Syft to capture more information about this type of dependency relationship so that it...

Thanks @cezapata for the excellent repro steps and example repository. I want to try to state the issue as simply as possible so we can try to start working on...

I haven't been able to reproduce this in a general case:

```sh
❯ syft -o spdx-json solr:latest > /tmp/solr.latest.spdx.json
...
❯ grype -q solr:latest | wc -l
96
❯...
```

I believe this false positive is fixed by the switch from CPE-based to PURL-based matching for Java ecosystems (see https://anchore.com/blog/say-goodbye-to-false-positives/). Testing: 1. Download the mentioned jars in a temp...

This sort of cross-ecosystem confusion was caused by using CPE matching for language packages, but Grype now uses PURLs to match against GHSA for supported ecosystems, including Java. You can...

Hi @tomerse-sg, if you're interested in querying grype's database more directly, you can use a sqlite client to do so. For example:

```sh
$ grype db status
Location: /Users/willmurphy/Library/Caches/grype/db/5...
```

I still see this issue with the latest version of grype. Looks like we're still generating an incorrect PURL:

```
❯ syft dir:xalan -o json | jq '.artifacts[0].purl'
"pkg:maven/org.apache.xml/[email protected]"
❯...
```

I've confirmed that the PURL generation is the problem:

```
❯ syft dir:xalan -o json | jq . > /tmp/xalan.json
❯ lvim /tmp/xalan.json
❯ jq '.artifacts[0].purl' /tmp/xalan.json
"pkg:maven/xalan/[email protected]"
❯ cat...
```

This still happens today (adding a sha to the image to make repro steps more deterministic):

```
$ grype -q --by-cve --only-fixed -o json nginx@sha256:10d1f5b58f74683ad34eb29287e07dab1e90f10af243f151bb50aa5dbb4d62ee | jq '.ignoredMatches | length'...
```

@luhring I'm looking at picking up this work, but it's been a while. Is your previous comment still correct and this work still needed? Would you mind taking a look...