Today we have a function that checks if the distro package in question is from a "comprehensive feed", such that it can be used to deduplicate matches from non-distro sources (such as pypi).

https://github.com/anchore/grype/blob/e5b341b87a9548773dabdc0cb41db1a2a58ff92d/grype/pkg/package.go#L152-L174

SUSE is not on this list, which is leading to multiple false positives:

To be able to add SUSE to the list of distros that are considered comprehensive (thus we can deduplicate the matches for), we need to enhance the vunnel provider. Today we parse the patch information but additionally need to parse the -affected files, so that there is a hope to find matches for entries that have no fixes upstream.

I'm writing this issue here so that, when the vunnel enhancement lands, we can add a specific test for it here in grype.
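The deduplication behaviour described above, as an added example that is not grype's own code: a hypothetical comprehensive-feed check and a dedupe pass that drops non-distro matches only for packages covered by a comprehensive distro feed, with SUSE deliberately left off the list to show why its matches are not deduplicated. The `Match` type, distro names and vulnerability ids are constructed for this example.

```go
package main

import "fmt"

// Distro names are constructed for this example (not grype's distro package).
type Distro string

const (
	Debian Distro = "debian"
	Ubuntu Distro = "ubuntu"
	SUSE   Distro = "sles"
)

// Match records a vulnerability hit against a package from one data source.
type Match struct {
	Vuln    string
	Package string
	Distro  Distro // set only when Source is "distro"
	Source  string // "distro", "pypi", "nvd", ...
}

// comprehensiveFeeds stands in for grype's list; SUSE is absent, mirroring the issue.
var comprehensiveFeeds = map[Distro]bool{Debian: true, Ubuntu: true}

func isComprehensiveDistroFeed(d Distro) bool { return comprehensiveFeeds[d] }

// dedupe keeps every distro match and drops non-distro matches for any package
// that a comprehensive distro feed already reported on. A non-comprehensive feed
// (here SUSE) gives no such guarantee, so its packages keep their pypi/nvd matches.
func dedupe(matches []Match) []Match {
	covered := map[string]bool{}
	for _, m := range matches {
		if m.Source == "distro" && isComprehensiveDistroFeed(m.Distro) {
			covered[m.Package] = true
		}
	}
	var out []Match
	for _, m := range matches {
		if m.Source != "distro" && covered[m.Package] {
			continue // distro feed is authoritative for this package
		}
		out = append(out, m)
	}
	return out
}

func main() {
	pypi := Match{Vuln: "CVE-EXAMPLE-1", Package: "requests", Source: "pypi"}
	deb := Match{Vuln: "CVE-EXAMPLE-2", Package: "requests", Distro: Debian, Source: "distro"}
	sle := Match{Vuln: "CVE-EXAMPLE-2", Package: "requests", Distro: SUSE, Source: "distro"}
	fmt.Println(len(dedupe([]Match{deb, pypi})), len(dedupe([]Match{sle, pypi}))) // 1 2
}
```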