8000 feat: use namespace with name for golang purl decoder by spiffcs · Pull Request #2636 · anchore/grype · GitHub

feat: use namespace with name for golang purl decoder #2636


Closed
wants to merge 1 commit into from

Conversation

spiffcs
Contributor
@spiffcs spiffcs commented May 2, 2025

Fixes #2580

Description

Currently the PURL decoder is too aggressive when constructing the name for golang packages.

pkg:golang/k8s.io/ingress-nginx@v1.11.2 will use ingress-nginx as the package name. When searching the v6 DB, this returns no results for popular vulnerabilities like GHSA-mgvx-rpfc-9mpv.

These vulnerabilities are instead stored under:

k8s.io/ingress-nginx

More complex paths also exist as names, like the following:

github.com/wazuh/wazuh

These commands can be used to view the related vulnerability records in grype:

```text
[I] grype db search GHSA-hcrc-79hj-m3qh
VULNERABILITY        PACKAGE                 ECOSYSTEM  NAMESPACE           VERSION CONSTRAINT
GHSA-hcrc-79hj-m3qh  github.com/wazuh/wazuh  go-module  github:language:go  >=4.4.0,<4.9.1

[I] grype db search GHSA-mgvx-rpfc-9mpv
VULNERABILITY        PACKAGE                             ECOSYSTEM  NAMESPACE                             VERSION CONSTRAINT
GHSA-mgvx-rpfc-9mpv  ingress-nginx-controller-1.10       apk        chainguard:distro:chainguard:rolling  < 0
GHSA-mgvx-rpfc-9mpv  ingress-nginx-controller-1.11       apk        chainguard:distro:chainguard:rolling  < 1.11.5-r0
GHSA-mgvx-rpfc-9mpv  ingress-nginx-controller-1.12       apk        chainguard:distro:chainguard:rolling  < 1.12.1-r14
GHSA-mgvx-rpfc-9mpv  ingress-nginx-controller-1.12       apk        wolfi:distro:wolfi:rolling            < 1.12.1-r14
GHSA-mgvx-rpfc-9mpv  ingress-nginx-controller-fips-1.10  apk        chainguard:distro:chainguard:rolling  < 0
GHSA-mgvx-rpfc-9mpv  ingress-nginx-controller-fips-1.11  apk        chainguard:distro:chainguard:rolling  < 1.11.5-r0
GHSA-mgvx-rpfc-9mpv  ingress-nginx-controller-fips-1.12  apk        chainguard:distro:chainguard:rolling  < 1.12.1-r0
GHSA-mgvx-rpfc-9mpv  k8s.io/ingress-nginx                go-module  github:language:go                    <1.11.5
GHSA-mgvx-rpfc-9mpv  k8s.io/ingress-nginx                go-module  github:language:go                    >=1.12.0-beta.0,<1.12.1
```

This PR updates the PURL provider to use namespace && name for the package name so searching the DB provides better results when submitting queries by PURL.

Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
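The mismatch described in the PR above, shown as an added, self-contained Go example (editor's illustration, not grype's own decoder or the code in this PR or in #2586). `ParsePurl` is a minimal package-URL parser written for this example and `LookupName` is a hypothetical helper; with `joinNamespace=false` it reproduces the name-only behaviour the PR describes (`ingress-nginx`), and with `true` it joins namespace and name for golang PURLs, yielding the `k8s.io/ingress-nginx` form under which the go-module advisories above are stored. The wazuh and golang.org/x PURLs in `main` are constructed sample inputs.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Purl is the subset of a package URL (pkg:type/namespace/name@version)
// that a vulnerability-DB lookup needs. Qualifiers and subpath are dropped.
type Purl struct {
	Type      string
	Namespace string // empty when the PURL has no namespace segments
	Name      string
	Version   string
}

// ParsePurl splits a PURL string into its components. It is a minimal
// parser written for this example, not the decoder grype uses.
func ParsePurl(s string) (Purl, error) {
	if !strings.HasPrefix(s, "pkg:") {
		return Purl{}, fmt.Errorf("not a package URL: %q", s)
	}
	rest := strings.TrimLeft(strings.TrimPrefix(s, "pkg:"), "/")
	// Qualifiers (?...) and subpath (#...) are not part of the name.
	if i := strings.IndexAny(rest, "?#"); i >= 0 {
		rest = rest[:i]
	}
	var p Purl
	// The version follows the last '@'; a literal '@' inside a segment is percent-encoded.
	if i := strings.LastIndex(rest, "@"); i >= 0 {
		p.Version = rest[i+1:]
		rest = rest[:i]
	}
	segs := strings.Split(rest, "/")
	if len(segs) < 2 || segs[0] == "" || segs[len(segs)-1] == "" {
		return Purl{}, fmt.Errorf("package URL needs a type and a name: %q", s)
	}
	p.Type = strings.ToLower(segs[0])
	var err error
	if p.Name, err = url.PathUnescape(segs[len(segs)-1]); err != nil {
		return Purl{}, err
	}
	// Everything between the type and the name is the namespace; for Go
	// modules that is the module path prefix (k8s.io, github.com/wazuh, ...).
	ns := make([]string, 0, len(segs)-2)
	for _, seg := range segs[1 : len(segs)-1] {
		d, err := url.PathUnescape(seg)
		if err != nil {
			return Purl{}, err
		}
		ns = append(ns, d)
	}
	p.Namespace = strings.Join(ns, "/")
	return p, nil
}

// LookupName is the name used to query the vulnerability DB (hypothetical helper).
// joinNamespace=false mimics the name-only behaviour the PR describes;
// true prepends the namespace for golang PURLs so the result matches the
// full module path under which Go advisories are stored.
func LookupName(p Purl, joinNamespace bool) string {
	if joinNamespace && p.Type == "golang" && p.Namespace != "" {
		return p.Namespace + "/" + p.Name
	}
	return p.Name
}

func main() {
	for _, s := range []string{
		"pkg:golang/k8s.io/ingress-nginx@v1.11.2",
		"pkg:golang/github.com/wazuh/wazuh@v4.5.0", // constructed sample
		"pkg:golang/golang.org/x/net@v0.17.0",      // constructed sample
	} {
		p, err := ParsePurl(s)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%-45s before=%-16s after=%s\n", s, LookupName(p, false), LookupName(p, true))
	}
}
```

The first line of output for the ingress-nginx PURL is `before=ingress-nginx` and `after=k8s.io/ingress-nginx`; only the second form matches the PACKAGE column of the go-module rows in the `grype db search` output above. Scoped npm names (`pkg:npm/%40angular/core`) keep their bare name under either setting, which is why the join is keyed on the PURL type rather than applied everywhere.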
@spiffcs
Contributor Author
spiffcs commented May 2, 2025

closed in favor of #2586

@spiffcs spiffcs closed this May 2, 2025
Successfully merging this pull request may close these issues.

grype pkg:golang/k8s.io/ingress-nginx@v1.11.2 does not show cve