-
**Describe the bug**
Some vulnerabilities in OSV do not mention alias whereas the source link has alias data.
**To Reproduce**
https://vuln.go.dev/ID/GO-2024-2947.json mentions two aliases wherea…
-
https://github.com/chainguard-dev/apko (disclaimer: a project of my employer, though it's OSS under Apache 2.0) seems like a good fit for this project.
There's also a related tool, https://github.c…
-
**What happened**:
I ran a feed service sync on Anchore Enterprise that uses vunnel to download provider vulnerability data.
This was run with my internet **disabled** to see if each provider would …
-
see https://github.com/chainguard-dev/apko/pull/1011
-
This is a tracking image where I'm looking at how I'd be able to run this with as-lightweight-as-possible a Docker image.
Related: #32
## Chainguard static image
```dockerfile
FROM cgr.dev/…
```
-
**Description of the false positive**
If a `URI` or `URL` is created from a `File` it isn't a valid source of SSRF. This is because, AFAIK, opening a stream from a file will never create a socket r…
-
When running this command:
```
docker run --privileged --rm -v "${PWD}":/work \
cgr.dev/chainguard/melange build package.yaml \
--arch amd64, aarch64 \
--signing-key melange.rs…
```
-
**Description of the false positive**
When `IO.read` is guarded by a check like `File.exists?`, isn't that a valid guard against injecting the `|` character into `Kernel.open`? I don't imagine that…
-
**What would you like to be added**:
Rebase `registry` image to distroless or provide registry image variant `registry:-distroless` with distroless as a base image.
**Why is this needed**:
The mo…
-
Iron Bank supports ARM64 images now.