fix: use package language to search when type is unknown by willmurphyscode · Pull Request #2610 · anchore/grype · GitHub

fix: use package language to search when type is unknown #2610


Merged
merged 1 commit into from
Apr 23, 2025

Conversation

willmurphyscode (Contributor)

Previously, this fallback was only used when the package type was blank, but Syft will set the package type to unknown if there is no package type, causing the fallback to language never to be entered, which resulted in some incorrect matches.

Fixes #2608

Previously, this fallback was only used when the package type was blank,
but Syft will set the package type to unknown if there is no package
type, causing the fallback to language never to be entered, which
resulted in some incorrect matches.

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
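The fallback described above, as an added Go example that is not Grype's or Syft's own code: a hypothetical package model, a constructed two-record database that reuses the GHSA IDs, versions and fix versions from the scan output further down this thread, and a selector that reproduces both the pre-fix rule (only a blank type falls back to the language) and the fixed rule (blank or "UnknownPackage" both fall back). The Package and Vulnerability types, Match, ecosystemsFor, hasUsableType and the language-to-ecosystem map are assumptions for illustration, not Grype's internals.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Package is a hypothetical stand-in for the Syft/Grype package model; field names are assumptions.
type Package struct {
	Name     string
	Version  string
	Type     string // ecosystem-like type such as "dotnet" or "npm", or "" / "UnknownPackage"
	Language string // "dotnet", "javascript", ...; Syft may set this even when Type is unknown
}

// UnknownPackageType is the string Syft emits when it cannot determine a package type,
// as seen in the "UnknownPackage" column of the scan output in this thread.
const UnknownPackageType = "UnknownPackage"

// Vulnerability is a constructed record; the IDs and versions are taken from the scan output.
type Vulnerability struct {
	ID        string
	Ecosystem string
	Package   string
	FixedIn   string
}

// sampleDB is a constructed in-memory database, not a real Grype DB.
var sampleDB = []Vulnerability{
	{ID: "GHSA-5crp-9r3c-p9vr", Ecosystem: "dotnet", Package: "Newtonsoft.Json", FixedIn: "13.0.1"},
	{ID: "GHSA-x9vc-6hfv-hg8c", Ecosystem: "dotnet", Package: "Npgsql", FixedIn: "4.0.14"},
}

// languageEcosystems maps a package language to the ecosystems to search (assumed mapping).
var languageEcosystems = map[string][]string{
	"dotnet":     {"dotnet"},
	"javascript": {"npm"},
}

// hasUsableType is the heart of the fix: with treatUnknownAsBlank set, "UnknownPackage"
// is handled exactly like an empty type instead of being searched as an ecosystem of its own.
func hasUsableType(p Package, treatUnknownAsBlank bool) bool {
	if p.Type == "" {
		return false
	}
	if treatUnknownAsBlank && p.Type == UnknownPackageType {
		return false
	}
	return true
}

// ecosystemsFor chooses the ecosystems to search for p.
// treatUnknownAsBlank=false reproduces the pre-fix behaviour, true the fixed behaviour.
func ecosystemsFor(p Package, treatUnknownAsBlank bool) []string {
	if hasUsableType(p, treatUnknownAsBlank) {
		return []string{p.Type}
	}
	return languageEcosystems[p.Language] // nil when there is no language either: nothing to search
}

// lessThan compares dotted numeric versions; enough for the sample data, not full semver.
func lessThan(a, b string) bool {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		var x, y int
		if i < len(as) {
			x, _ = strconv.Atoi(as[i])
		}
		if i < len(bs) {
			y, _ = strconv.Atoi(bs[i])
		}
		if x != y {
			return x < y
		}
	}
	return false
}

// Match returns the IDs of sample vulnerabilities affecting p under the chosen fallback rule.
func Match(p Package, treatUnknownAsBlank bool) []string {
	var ids []string
	for _, eco := range ecosystemsFor(p, treatUnknownAsBlank) {
		for _, v := range sampleDB {
			if v.Ecosystem == eco && v.Package == p.Name && lessThan(p.Version, v.FixedIn) {
				ids = append(ids, v.ID)
			}
		}
	}
	return ids
}

func main() {
	// Constructed packages shaped like the two rows in the scan output: type unknown, language known.
	pkgs := []Package{
		{Name: "Newtonsoft.Json", Version: "12.0.3", Type: UnknownPackageType, Language: "dotnet"},
		{Name: "Npgsql", Version: "2.2.7", Type: UnknownPackageType, Language: "dotnet"},
	}
	for _, p := range pkgs {
		fmt.Printf("%-16s before fix: %v  after fix: %v\n", p.Name, Match(p, false), Match(p, true))
	}
}
```

Under the pre-fix rule the non-empty type "UnknownPackage" wins, the lookup is keyed on an ecosystem no record uses, and both packages come back clean, which is the silent false-negative the release comparison below reproduces; with the fixed rule the language drives the search and both advisories surface.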
willmurphyscode (Contributor, Author)

Re-running acceptance tests because it looks like they had a Transient Network Fault (tm) checking the latest version of Cosign.

popey (Contributor) commented Apr 23, 2025

LGTM 🙏 🤷

for gryperel in v0.87 v0.88.0 v0.89.0 v0.89.1 v0.90.0 v0.91.0 pr-2610 ; do ./"$gryperel"/grype --version; export GRYPE_LOG_FILE=./grype-"$gryperel".log; ./"$gryperel"/grype  ./sample.spdx.json | egrep 'GHSA-5crp-9r3c-p9vr|GHSA-x9vc-6hfv-hg8c'; done
grype 0.87.0
 ✔ Scanned for vulnerabilities     [2 vulnerability matches]
   ├── by severity: 0 critical, 2 high, 0 medium, 0 low, 0 negligible
   └── by status:   2 fixed, 0 not-fixed, 0 ignored
[0000]  WARN attempted CPE search on Newtonsoft.Json, which has no CPEs. Consider re-running with --add-cpes-if-none
[0000]  WARN attempted CPE search on Npgsql, which has no CPEs. Consider re-running with --add-cpes-if-none
A newer version of grype is available for download: 0.91.0 (installed version is 0.87.0)
Newtonsoft.Json  12.0.3     13.0.1    UnknownPackage  GHSA-5crp-9r3c-p9vr  High
Npgsql           2.2.7      4.0.14    UnknownPackage  GHSA-x9vc-6hfv-hg8c  High
grype 0.88.0
 ✔ Scanned for vulnerabilities     [0 vulnerability matches]
   ├── by severity: 0 critical, 0 high, 0 medium, 0 low, 0 negligible
   └── by status:   0 fixed, 0 not-fixed, 0 ignored
A newer version of grype is available for download: 0.91.0 (installed version is 0.88.0)
grype 0.89.0
 ✔ Scanned for vulnerabilities     [0 vulnerability matches]
   ├── by severity: 0 critical, 0 high, 0 medium, 0 low, 0 negligible
   └── by status:   0 fixed, 0 not-fixed, 0 ignored
A newer version of grype is available for download: 0.91.0 (installed version is 0.89.0)
grype 0.89.1
 ✔ Scanned for vulnerabilities     [0 vulnerability matches]
   ├── by severity: 0 critical, 0 high, 0 medium, 0 low, 0 negligible
   └── by status:   0 fixed, 0 not-fixed, 0 ignored
A newer version of grype is available for download: 0.91.0 (installed version is 0.89.1)
grype 0.90.0
 ✔ Scanned for vulnerabilities     [0 vulnerability matches]
   ├── by severity: 0 critical, 0 high, 0 medium, 0 low, 0 negligible
   └── by status:   0 fixed, 0 not-fixed, 0 ignored
A newer version of grype is available for download: 0.91.0 (installed version is 0.90.0)
grype 0.91.0
 ✔ Scanned for vulnerabilities     [0 vulnerability matches]
   ├── by severity: 0 critical, 0 high, 0 medium, 0 low, 0 negligible
   └── by status:   0 fixed, 0 not-fixed, 0 ignored
grype 0.91.0-SNAPSHOT-f3328a19
 ✔ Scanned for vulnerabilities     [2 vulnerability matches]
   ├── by severity: 0 critical, 2 high, 0 medium, 0 low, 0 negligible
   └── by status:   2 fixed, 0 not-fixed, 0 ignored
Newtonsoft.Json  12.0.3     13.0.1    UnknownPackage  GHSA-5crp-9r3c-p9vr  High
Npgsql           2.2.7      4.0.14    UnknownPackage  GHSA-x9vc-6hfv-hg8c  High

@willmurphyscode willmurphyscode merged commit ee0a33c into main Apr 23, 2025
12 checks passed
@willmurphyscode willmurphyscode deleted the fix-use-language-on-unknown-package-type branch April 23, 2025 14:01
infiniator

Hi, is it confirmed if this PR will be in scope for the next release, and the timeline for the same?

lazka commented Apr 24, 2025

Could this be the cause for #2618 ?

willmurphyscode (Contributor, Author)

@lazka it might be. I will take a look. Thanks for the report!

willmurphyscode (Contributor, Author)

@infiniator

Hi, is it confirmed if this PR will be in scope for the next release, and the timeline for the same?

The grype version you want was just released today. It is https://github.com/anchore/grype/releases/tag/v0.91.2

Successfully merging this pull request may close these issues.

Grype stopped reporting vulnerabilities after upgrade
5 participants