Enhance SLES provider to pull in oval data on unfixed packages #626
Comments
This would be a big help. Concretely, it would allow us to add SLES here
hi, Marcus from SUSE Security here. First, switching to the -affected feed will not remove the false positives I think. The SUSE OVAL feed currently used in vunnel also declares "not affectedness" by emitting a PACKAGE == 0 OVAL relation. You are however right. If you switch to the -affected flavor, it would be comprehensive coverage of all distro packages.
Adding sles to the comprehensive distros list in https://github.com/anchore/grype/blob/ef376037510cdb507af3567846ed1127f471255c/grype/pkg/package.go#L179-L184 should remove the false positives, but before we can do that we need to consume the comprehensive feed. Once sles is in that list grype will for instance filter GHSA matches for components that are owned by a sles rpm package
Eventually we want to implement anchore/grype#1426 in grype which would allow deselecting matches even for non-comprehensive data sources, but we have to finish some other rather large tasks (most importantly, the in-progress work for v6 of the grype-db schema) before we can accommodate that
…affected + unfixed" See https://www.suse.com/support/security/oval/ for anchore#626 Signed-off-by: Marcus Meissner <[email protected]>
What would you like to be added:
The SLES provider should be enhanced to pull in the OVAL data stating that a package is affected but not fixed
Why is this needed:
This would allow making SLES a comprehensive distro in grype and would eliminate a large number of false positives
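As an added illustration (not vunnel's or grype's own code) of the two pieces this issue ties together: classifying SUSE-style OVAL entries into fixed, affected-but-unfixed and not-affected (the PACKAGE == 0 relation Marcus mentions above), and the comprehensive-distro rule Josh describes, under which grype drops GHSA matches for components owned by a distro rpm. The XML is constructed and namespace-free; the CVE ids and package names are placeholders; encoding an unfixed entry as an `rpminfo_test` with an object but no state is an assumption about the -affected flavor, not the documented SUSE format; and `filter_matches` is a simplification of the rule in the comment above, not grype's implementation.

```python
"""Classify SUSE-style OVAL entries and apply a comprehensive-distro filter.

Added illustration only: not vunnel or grype code. SAMPLE_OVAL is a
constructed, namespace-free stand-in for the real feed.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Status(Enum):
    FIXED = "fixed"                         # evr "less than" <fixed version>
    AFFECTED_UNFIXED = "affected-unfixed"   # ASSUMPTION: test has an object but no state
    NOT_AFFECTED = "not-affected"           # evr "equals" 0: the PACKAGE == 0 relation


@dataclass(frozen=True)
class Record:
    cve: str
    package: str
    status: Status
    fixed_version: Optional[str] = None


# Constructed sample: one fixed package, one not-affected package, one unfixed package.
SAMPLE_OVAL = """<oval_definitions>
  <definitions>
    <definition id="oval:example:def:1" class="vulnerability">
      <metadata><title>CVE-2024-0001</title></metadata>
      <criteria operator="OR">
        <criterion test_ref="oval:example:tst:1" comment="libfoo is installed"/>
        <criterion test_ref="oval:example:tst:2" comment="libbar is not affected"/>
      </criteria>
    </definition>
    <definition id="oval:example:def:2" class="vulnerability">
      <metadata><title>CVE-2024-0002</title></metadata>
      <criteria operator="OR">
        <criterion test_ref="oval:example:tst:3" comment="libbaz is installed"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <rpminfo_test id="oval:example:tst:1">
      <object object_ref="oval:example:obj:1"/><state state_ref="oval:example:ste:1"/>
    </rpminfo_test>
    <rpminfo_test id="oval:example:tst:2">
      <object object_ref="oval:example:obj:2"/><state state_ref="oval:example:ste:2"/>
    </rpminfo_test>
    <rpminfo_test id="oval:example:tst:3">
      <object object_ref="oval:example:obj:3"/>
    </rpminfo_test>
  </tests>
  <objects>
    <rpminfo_object id="oval:example:obj:1"><name>libfoo</name></rpminfo_object>
    <rpminfo_object id="oval:example:obj:2"><name>libbar</name></rpminfo_object>
    <rpminfo_object id="oval:example:obj:3"><name>libbaz</name></rpminfo_object>
  </objects>
  <states>
    <rpminfo_state id="oval:example:ste:1"><evr operation="less than">0:1.2.3-150500.1.1</evr></rpminfo_state>
    <rpminfo_state id="oval:example:ste:2"><evr operation="equals">0</evr></rpminfo_state>
  </states>
</oval_definitions>
"""


def classify(cve: str, package: str, evr: Optional[ET.Element]) -> Record:
    """Map one (definition, package) pair to a Record from its rpminfo_state evr."""
    if evr is None:
        return Record(cve, package, Status.AFFECTED_UNFIXED)
    op, value = evr.get("operation"), (evr.text or "").strip()
    if op == "equals" and value == "0":
        return Record(cve, package, Status.NOT_AFFECTED)
    if op == "less than":
        return Record(cve, package, Status.FIXED, fixed_version=value)
    raise ValueError(f"unhandled state for {package} in {cve}: {op!r} {value!r}")


def parse_records(xml_text: str) -> List[Record]:
    """Resolve criterion -> test -> object/state references and classify each pair."""
    root = ET.fromstring(xml_text)
    objects: Dict[str, str] = {o.get("id"): o.findtext("name") for o in root.iter("rpminfo_object")}
    states: Dict[str, ET.Element] = {s.get("id"): s.find("evr") for s in root.iter("rpminfo_state")}
    tests: Dict[str, Tuple[str, Optional[ET.Element]]] = {}
    for t in root.iter("rpminfo_test"):
        package = objects[t.find("object").get("object_ref")]
        state = t.find("state")
        tests[t.get("id")] = (package, states[state.get("state_ref")] if state is not None else None)
    records: List[Record] = []
    for d in root.iter("definition"):
        cve = d.findtext("metadata/title")
        for c in d.iter("criterion"):
            package, evr = tests[c.get("test_ref")]
            records.append(classify(cve, package, evr))
    return records


@dataclass(frozen=True)
class Match:
    cve: str
    source: str                        # "sles" for the distro feed, "ghsa" otherwise
    package: str
    owning_rpm: Optional[str] = None   # rpm that ships this component, if any


def filter_matches(matches: List[Match], distro_is_comprehensive: bool) -> List[Match]:
    """Simplified form (assumption) of the comprehensive-distro rule: once the distro
    feed also enumerates unfixed packages, a non-distro match on a component owned by a
    distro rpm is dropped, because the distro feed is now the authority on that rpm.
    With a fix-only feed this would be unsafe: silence could mean "unfixed"."""
    if not distro_is_comprehensive:
        return list(matches)
    return [m for m in matches if m.source == "sles" or m.owning_rpm is None]


if __name__ == "__main__":
    for r in parse_records(SAMPLE_OVAL):
        print(r)
    sample = [  # constructed matches
        Match("CVE-2024-0001", "sles", "libfoo"),
        Match("CVE-2024-0003", "ghsa", "urllib3", owning_rpm="python3-urllib3"),
        Match("CVE-2024-0004", "ghsa", "lodash"),
    ]
    print(len(filter_matches(sample, True)), "of", len(sample), "matches kept")
```

The point of separating the three statuses is that only the comprehensive feed lets the consumer treat "no record for this rpm" as "not affected"; with the fix-only feed, the same absence could mean the package is affected and unfixed, which is why the filter is gated on the distro being comprehensive.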