anchore / anchore-engine

A service that analyzes docker images and scans for vulnerabilities
Apache License 2.0

Feature Request For Scanning Kali OS And Possible Work Around Question #1305

Open danmartinj opened 2 years ago

danmartinj commented 2 years ago

Hello,

I am trying to scan a Kali Linux Docker image with anchore. I am using a Jenkins Freestyle project with the anchore plugin. Everything seems to run fine, but I am not getting meaningful findings, along with several warnings such as the warning below from the Jenkins run log:

Distro-specific feed data not found for distro namespace: kali:2021.3. Cannot perform CVE scan OS/distro packages","warn",false,"48e6f7d6-1765-11e8-b5f9-8b6f228548b6"]]}},"policy_data":[],"policy_name":"","whitelist_data":[],"whitelist_names":[]}

From what I can tell this is expected, as Kali is not among the supported OSes. However, Kali is basically just Debian stable, which is supported. Is there a way I can force anchore to use Debian policy instead? I have not found any clear documentation on this yet, but I assume it is possible, or maybe there is a better way of doing this so I can get some real findings, since I know the scanner is identifying software on that OS?

Many Thanks

zhill commented 2 years ago

Hi @danmartinj, great question and thanks for reaching out! Does Kali use the Debian package versioning, so that Debian security patch versions are the same as for Kali? If so, then our approach is to map Kali to Debian so the scanner knows to use Debian vuln data for Kali packages. This would be implemented in Grype first, and then pulled into this project.

The policy aspect you see is just a rule to allow users to distinguish the "no vulns" case from "no data". We don't have a way to force it to use the other data, but exposing such mappings via data/config is something we've been thinking about as it would be helpful in situations like this. But the most immediate solution is to add Kali support directly for now.

zhill commented 2 years ago

I also opened github.com/anchore/grype/issues/515 to track the Grype side
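The distro-to-feed mapping discussed in this thread, as an added example that is not anchore-engine or Grype code: it resolves an image's `/etc/os-release` to a vulnerability feed namespace and keeps the "no data" case distinct from a real match. The function names, the feed set, the mapping table and the choice of Debian 11 as the target are all assumptions made for illustration.

```python
# Added illustration; not anchore-engine or Grype code. All names are hypothetical.
import shlex

# Constructed sample: namespaces for which vulnerability feed data exists.
FEED_NAMESPACES = {"debian:10", "debian:11", "alpine:3.14"}

# Hypothetical operator-supplied mapping: distro ID -> (feed distro, feed version).
# Which Debian release matches a given Kali release is an assumption to verify.
DISTRO_MAP = {"kali": ("debian", "11")}


def parse_os_release(text):
    """Parse /etc/os-release KEY=value lines into a dict, unquoting values."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, raw = line.partition("=")
        parts = shlex.split(raw)
        fields[key] = parts[0] if parts else ""
    return fields


def resolve_namespace(os_release_text, feeds=FEED_NAMESPACES, mapping=DISTRO_MAP):
    """Return (namespace, status), where status is 'native', 'mapped' or 'no-data'."""
    info = parse_os_release(os_release_text)
    distro, version = info.get("ID", ""), info.get("VERSION_ID", "")
    native = f"{distro}:{version}"
    if native in feeds:
        return native, "native"
    if distro in mapping:
        mapped = "{}:{}".format(*mapping[distro])
        if mapped in feeds:
            return mapped, "mapped"
    # No feed: report it explicitly so it is never read as "no vulnerabilities".
    return native, "no-data"


# Constructed os-release content for the image described in the report above.
KALI = 'ID=kali\nVERSION_ID="2021.3"\nID_LIKE=debian\n'

if __name__ == "__main__":
    print(resolve_namespace(KALI))              # mapping applied
    print(resolve_namespace(KALI, mapping={}))  # the warning case from the issue
```

A mapped result is only as good as the assumption that the derived distro ships the same package versions as its parent, which is the question zhill raises above.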