
fix: use fix info from secDB in APK matcher even if NVD fix info present #2162

Merged: 4 commits, Oct 7, 2024

Conversation

willmurphyscode (Contributor) commented Oct 4, 2024

This is to address false fixed ins in Alpine, Chainguard, or Wolfi that might be introduced by anchore/grype-db#112.

TODO

  • refactor to pass lints once approach is approved
  • add a test asserting that sec db fixes do stay in

This enables the vunnel / grype-db to pull fix info from NVD
end-of-version-range data in general without introducing spurious fixes
into sec db. (If Alpine has fixed something, it will be in sec db, so we
should ignore grype-db's attempt to infer fix info from NVD data
specifically in the APK cataloger.)

Signed-off-by: Will Murphy <[email protected]>
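The merge rule the description states (for APK packages, secDB is authoritative; an NVD end-of-range fix is used only when secDB has no record at all) as an added, self-contained Go example. This is not Grype's or grype-db's own code: the `FixSource`, `FixRecord`, `Vulnerability` types, the `ResolveAPKFix` and `FixState` functions and the `CVE-EXAMPLE-*` identifiers are all constructed here for illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// FixSource records where a "fixed in version" claim came from.
// These names are constructed for this example, not Grype's own types.
type FixSource string

const (
	SourceNone  FixSource = ""      // no fix record at all
	SourceSecDB FixSource = "secdb" // distro security database (Alpine, Wolfi, Chainguard)
	SourceNVD   FixSource = "nvd"   // fix inferred from an NVD end-of-version-range
)

// FixRecord is one fix claim with its provenance. An empty Versions slice
// from secDB means the distro has explicitly recorded "no fix yet".
type FixRecord struct {
	Source   FixSource
	Versions []string
}

// Vulnerability is a simplified stand-in for a vulnerability matched
// against an APK package.
type Vulnerability struct {
	ID    string
	Fixes []FixRecord
}

// ResolveAPKFix applies the policy from the PR description: for APK packages
// the distro secDB is authoritative. If any secDB record exists, its versions
// (possibly none) are reported and NVD-inferred versions are discarded, so
// NVD data can never introduce a spurious fix. NVD is consulted only when no
// secDB record is present for the vulnerability.
func ResolveAPKFix(v Vulnerability) ([]string, FixSource) {
	var secdb, nvd []string
	secdbSeen := false
	for _, f := range v.Fixes {
		switch f.Source {
		case SourceSecDB:
			secdbSeen = true
			secdb = append(secdb, f.Versions...)
		case SourceNVD:
			nvd = append(nvd, f.Versions...)
		}
	}
	if secdbSeen {
		return dedupe(secdb), SourceSecDB
	}
	if len(nvd) > 0 {
		return dedupe(nvd), SourceNVD
	}
	return nil, SourceNone
}

// FixState turns the resolved versions into the state a scanner would report.
func FixState(versions []string, src FixSource) string {
	switch {
	case src == SourceNone:
		return "unknown"
	case len(versions) == 0:
		return "not-fixed"
	default:
		return "fixed"
	}
}

// dedupe returns the unique versions in sorted order (nil for empty input).
func dedupe(in []string) []string {
	seen := make(map[string]bool)
	var out []string
	for _, s := range in {
		if !seen[s] {
			seen[s] = true
			out = append(out, s)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed sample data; the identifiers are placeholders, not real CVEs.
	samples := []Vulnerability{
		// The case this PR guards against: NVD's range implies a fix, but secDB says unfixed.
		{ID: "CVE-EXAMPLE-0001", Fixes: []FixRecord{
			{Source: SourceNVD, Versions: []string{"1.2.3"}},
			{Source: SourceSecDB, Versions: nil},
		}},
		// Both sources have a fix; the distro's own -rN build is what is reported.
		{ID: "CVE-EXAMPLE-0002", Fixes: []FixRecord{
			{Source: SourceNVD, Versions: []string{"1.2.3"}},
			{Source: SourceSecDB, Versions: []string{"1.2.3-r1"}},
		}},
		// No secDB entry at all: fall back to the NVD-derived version.
		{ID: "CVE-EXAMPLE-0003", Fixes: []FixRecord{
			{Source: SourceNVD, Versions: []string{"2.0.0"}},
		}},
	}
	for _, v := range samples {
		versions, src := ResolveAPKFix(v)
		fmt.Printf("%s: state=%s source=%q versions=%v\n", v.ID, FixState(versions, src), src, versions)
	}
}
```

The important branch is the first sample: because the secDB record is present but empty, the result is "not-fixed" with the NVD-derived `1.2.3` dropped, which is exactly the spurious fix the description says must not leak into Alpine, Chainguard or Wolfi results.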
willmurphyscode marked this pull request as ready for review on October 4, 2024 19:05
willmurphyscode force-pushed the fix-alpine-fixed-state-only-from-secdb branch from 2a52b37 to 63cab3e on October 4, 2024 21:34
willmurphyscode changed the title from "test: failing test for nvd vs secdb fix in alpine" to "fix: use fix info from secDB in APK matcher even if NVD fix info present" on Oct 5, 2024
willmurphyscode added the "bug" label (Something isn't working) on Oct 5, 2024
willmurphyscode (Contributor, Author) commented:

I hesitated over the bug label for a minute, since it's only a bug once anchore/grype-db#112 is merged, but I decided that was still the right label.

spiffcs (Contributor) commented Oct 7, 2024

This is the correct fix info to surface for secdb.

@willmurphyscode I noticed that your PR also mentioned chainguard and wolfi. I have not looked at those vuln providers in a while, but it seems these changes are only for the APK matcher.

Are there more changes you're looking to make?

This does look 🟢 from a correctness standpoint: secdb fixed-in is being respected over nvd for the APK matcher, and the tests prove it.

willmurphyscode (Contributor, Author) commented:

@spiffcs thanks for the question. Chainguard and Wolfi images also use APK packages, so this code change will affect them as well. They also use secDB fixes, but with different URLs (the vunnel providers are very similar). As far as I can tell, this change covers Chainguard and Wolfi images as well.

willmurphyscode merged commit c28e59f into main on Oct 7, 2024 (10 checks passed)
willmurphyscode deleted the fix-alpine-fixed-state-only-from-secdb branch on October 7, 2024 19:48