
Enhance SLES provider to pull in oval data on unfixed packages #626

Open
westonsteimel opened this issue Jul 11, 2024 · 4 comments
Assignees
Labels
blocked enhancement New feature or request

Comments

@westonsteimel
Contributor

What would you like to be added:

The SLES provider should be enhanced to pull in the OVAL data stating that a package is affected but not fixed

Why is this needed:

This would allow making SLES a comprehensive distro in grype and would eliminate a large number of false positives

@westonsteimel westonsteimel added the enhancement New feature or request label Jul 11, 2024
@willmurphyscode
Contributor

This would be a big help. Concretely, it would allow us to add SLES here

@msmeissn

Hi, Marcus from SUSE Security here.

First, switching to the -affected feed will not remove the false positives I think.

The SUSE OVAL feed currently used in vunnel also declares "not affectedness" by emitting a PACKAGE == 0 OVAL relation.

You are however right: if you switch to the -affected flavor, it would be comprehensive coverage of all distro packages declared by the -affected OVAL: fixed, unaffected and affected.

@westonsteimel
Contributor Author

westonsteimel commented Jul 19, 2024

Adding sles to the comprehensive distros list in https://github.com/anchore/grype/blob/ef376037510cdb507af3567846ed1127f471255c/grype/pkg/package.go#L179-L184 should remove the false positives, but before we can do that we need to consume the comprehensive feed. Once sles is in that list, grype will, for instance, filter GHSA matches for components that are owned by a sles rpm package.
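As an added illustration, not code from vunnel or grype: a small model of the three package states an -affected OVAL feed declares (the PACKAGE == 0 relation for not-affected, a fixed version, or affected with no fix) together with the comprehensive-distro filter described above, which drops a GHSA match for a component owned by a distro rpm. The relation layout, the naive version comparison and the COMPREHENSIVE_DISTROS set are constructed assumptions for this example.

```python
# Added illustration; not code from vunnel or grype. Record layouts, the
# version comparison and the comprehensive-distro list are constructed here.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class OvalRelation:
    """One package relation from an '-affected' style OVAL feed (constructed layout).
      ('equals', '0')     -> not affected (the PACKAGE == 0 relation)
      ('less than', evr)  -> vulnerable below evr, i.e. fixed in evr
      ('affected', None)  -> affected, no fix available (constructed marker)"""
    package: str
    operation: str
    evr: Optional[str]


def classify(rel: OvalRelation) -> str:
    """Map a relation to 'unaffected', 'fixed' or 'affected'."""
    if rel.operation == "equals" and rel.evr == "0":
        return "unaffected"
    if rel.operation == "less than" and rel.evr:
        return "fixed"
    return "affected"


def version_lt(a: str, b: str) -> bool:
    # Naive dotted compare; real rpm EVR comparison (epoch, release) is more involved.
    return [int(x) for x in a.split(".")] < [int(x) for x in b.split(".")]


def is_vulnerable(rel: OvalRelation, installed_evr: str) -> bool:
    """Decide whether an installed EVR is affected according to the relation."""
    status = classify(rel)
    if status == "unaffected":
        return False
    if status == "affected":
        return True
    return version_lt(installed_evr, rel.evr)


COMPREHENSIVE_DISTROS = {"sles"}  # constructed; grype keeps its own list


@dataclass(frozen=True)
class Match:
    vuln_id: str
    component: str
    source: str               # feed that produced the match, e.g. "ghsa" or "sles"
    owner_rpm: Optional[str]  # distro rpm that ships this component, if any


def filter_matches(distro: str, matches: list) -> list:
    """For a comprehensive distro, drop non-distro (e.g. GHSA) matches for components
    owned by a distro rpm: the distro feed is trusted to state fixed/unaffected/affected."""
    if distro not in COMPREHENSIVE_DISTROS:
        return list(matches)
    return [m for m in matches if m.source == distro or m.owner_rpm is None]
```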

@westonsteimel
Contributor Author

westonsteimel commented Jul 19, 2024

Eventually we want to implement anchore/grype#1426 in grype, which would allow deselecting matches even for non-comprehensive data sources, but we have to finish some other rather large tasks (most importantly, the in-progress work for v6 of the grype-db schema) before we can accommodate that.

msmeissn added a commit to msmeissn/vunnel that referenced this issue Jul 19, 2024
@willmurphyscode willmurphyscode self-assigned this Aug 28, 2024
Projects
Status: Stalled
Development

No branches or pull requests

3 participants