anchore / grype

A vulnerability scanner for container images and filesystems
Apache License 2.0
8.57k stars 559 forks

Use the upstream Bitnami vulndb data for matching #1609

Open wagoodman opened 10 months ago

wagoodman commented 10 months ago

Bitnami is providing vulnerability matching data for their containers, which have embedded SPDX documents outlining the contained components: https://github.com/bitnami/vulndb . This could be leveraged in order to improve matching in grype for those components.

This involves at least the following tasks:

willmurphyscode commented 2 months ago

For the last item, updating grype to be able to search by these new records, we're starting to think about that pretty early, because to write a correct namespace we need to know how grype should search.

@wagoodman do you think this is a good time to add a ByPURL search function, and emit the namespace bitnami:purl? If it's not time to add a new search type, which search type should these be added to?

The existing search.By* things are ByPackageLanguage, ByPackageDistro, and ByPackageCPE. Bitnami's data doesn't seem to fit well in any of those buckets, and I think searching by PURL directly is a capability we want anyway.
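A sketch of the ByPURL search discussed above, added here as an example; it is not code from grype or from bitnami/vulndb. It assumes a record keyed by a version-less PURL with a [Introduced, Fixed) affected range (a guess at what a bitnami:purl namespace could hold), plain dotted version numbers, and constructed sample records.

```go
package main

import "strconv"
import "strings"

// Record is a constructed record keyed by a version-less PURL, the shape a
// hypothetical "bitnami:purl" namespace could hold (assumption); it is
// affected in [Introduced, Fixed), and "" leaves that side unbounded.
type Record struct{ ID, PURL, Introduced, Fixed string }
// splitPURL drops qualifiers ("?...") and subpath ("#...") and splits off the
// version: "pkg:bitnami/nginx@1.25.1?arch=amd64" -> "pkg:bitnami/nginx", "1.25.1".
func splitPURL(purl string) (key, version string) {
	if i := strings.IndexAny(purl, "?#"); i >= 0 {
		purl = purl[:i]
	}
	if i := strings.LastIndex(purl, "@"); i >= 0 {
		return purl[:i], purl[i+1:]
	}
	return purl, ""
}

// versionLess compares dotted versions numerically (assumption: no pre-release tags).
func versionLess(a, b string) bool {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) && i < len(bs); i++ {
		x, _ := strconv.Atoi(as[i])
		y, _ := strconv.Atoi(bs[i])
		if x != y {
			return x < y
		}
	}
	return len(as) < len(bs)
}

// ByPURL is the proposed search: match on the normalized PURL key alone (no
// language or distro namespace involved), then filter by the version range.
func ByPURL(records []Record, pkgPURL string) []Record {
	key, ver := splitPURL(pkgPURL)
	var hits []Record
	for _, r := range records {
		tooOld := r.Introduced != "" && versionLess(ver, r.Introduced)
		fixed := r.Fixed != "" && !versionLess(ver, r.Fixed)
		if r.PURL == key && !tooOld && !fixed {
			hits = append(hits, r)
		}
	}
	return hits
}
// SampleRecords is constructed sample data, not taken from bitnami/vulndb.
var SampleRecords = []Record{
	{ID: "EXAMPLE-0001", PURL: "pkg:bitnami/nginx", Introduced: "1.25.0", Fixed: "1.25.3"},
	{ID: "EXAMPLE-0002", PURL: "pkg:bitnami/redis", Fixed: "7.2.4"},
}
```

The key point for the namespace design is that qualifiers such as `?arch=amd64` and the version are stripped before lookup, so the stored key has to be the version-less PURL.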