anchore / grype

A vulnerability scanner for container images and filesystems
Apache License 2.0
8.87k stars 574 forks

Should only check maven central if pom info is missing #2216

Open wagoodman opened 3 weeks ago

wagoodman commented 3 weeks ago

Today when you enable searching for artifact and group ID from maven central with a sha1, this is done for all java artifacts, not just ones missing artifact and group ID (https://github.com/anchore/grype/blob/9b7d752a7901bdd54f5bbda1b19028d571fa3a4f/grype/matcher/java/matcher.go#L79-L83). This condition should be tightened -- instead of always searching, we should only search if there is missing pom data.

kzantow commented 3 weeks ago

Should we move this functionality to Syft, as part of the family of --enrichments? Looking up package info via archive hash seems like something that would benefit both tools.

wagoodman commented 3 weeks ago

I think we should do this in both places, since there are multiple avenues. That is, agreed, this should be in syft as an opt-in enrichment option. But in case you're using a non-syft SBOM or otherwise different input source with grype, then we should still allow for looking up this information.

kzantow commented 3 weeks ago

This seems like one of the things that could be done strictly during an "enhancement" phase in Syft, which Grype also runs. In other words:

First, Syft scans, finds JAR files, attempts to identify using bytes available, surfaces packages with all info including SHA-1 hashes for JARs -- OR -- Syft imports an SBOM into the internal Syft data model

Then, Syft passes found packages to enhancement

This would have to happen before compliance rules are applied.

I think this would allow Grype to essentially operate the same as it does today and allow Syft to get the benefit of updating certain incomplete Java records.
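The two ideas in this thread, the tightened "only look up when pom data is missing" condition from the opening comment and the scan / enrich / compliance ordering described above, can be sketched as a small pipeline. The following Go program is an added illustration written for this page; it is not code from grype or syft, and the `JavaPackage` type, the `Lookup` function type, `NeedsEnrichment`, `Enrich`, `MissingCoordinates` and the sample packages and hash index are all hypothetical stand-ins constructed here. The real Maven Central query is replaced by an in-memory map so the example runs offline.

```go
package main

import (
	"errors"
	"fmt"
)

// JavaPackage is a hypothetical, simplified record of a scanned JAR.
// GroupID and ArtifactID are what a cataloger would read from pom.properties
// or pom.xml inside the archive; SHA1 is the digest of the archive itself.
type JavaPackage struct {
	Name       string
	Version    string
	SHA1       string
	GroupID    string
	ArtifactID string
}

// Lookup resolves Maven coordinates from an archive SHA-1. A real
// implementation would query Maven Central; this example uses a fake index.
type Lookup func(sha1 string) (groupID, artifactID string, err error)

// NeedsEnrichment is the tightened condition: only consult the remote lookup
// when pom-derived coordinates are incomplete AND we actually have a hash to
// search with. Packages that already carry group and artifact IDs are skipped.
func NeedsEnrichment(p JavaPackage) bool {
	return (p.GroupID == "" || p.ArtifactID == "") && p.SHA1 != ""
}

// Enrich is the "enhancement" phase: it runs after cataloging (or SBOM import)
// and before any compliance rules. It fills in only missing fields, never
// overwrites values that came from pom data, and leaves a package untouched
// when the lookup fails. It returns the enriched copy and the number of
// remote lookups that were needed.
func Enrich(pkgs []JavaPackage, lookup Lookup, enabled bool) ([]JavaPackage, int) {
	out := make([]JavaPackage, len(pkgs))
	copy(out, pkgs)
	if !enabled {
		return out, 0
	}
	lookups := 0
	for i := range out {
		if !NeedsEnrichment(out[i]) {
			continue
		}
		lookups++
		g, a, err := lookup(out[i].SHA1)
		if err != nil {
			continue
		}
		if out[i].GroupID == "" {
			out[i].GroupID = g
		}
		if out[i].ArtifactID == "" {
			out[i].ArtifactID = a
		}
	}
	return out, lookups
}

// MissingCoordinates stands in for a compliance rule that runs after
// enrichment and reports packages still lacking full Maven coordinates.
func MissingCoordinates(pkgs []JavaPackage) []string {
	var names []string
	for _, p := range pkgs {
		if p.GroupID == "" || p.ArtifactID == "" {
			names = append(names, p.Name)
		}
	}
	return names
}

// Constructed sample input: one complete package, one resolvable by hash,
// one with no hash at all, and one whose hash is unknown to the index.
var SamplePackages = []JavaPackage{
	{Name: "acme-core", Version: "1.0", SHA1: "1111", GroupID: "com.acme", ArtifactID: "acme-core"},
	{Name: "lib-a", Version: "2.3", SHA1: "2222"},
	{Name: "unknown-jar", Version: "0.1"},
	{Name: "lib-b", Version: "4.0", SHA1: "3333", GroupID: "org.example"},
}

// Constructed fake Maven Central index keyed by archive SHA-1.
var sampleIndex = map[string][2]string{
	"2222": {"org.example", "lib-a"},
}

// SampleLookup is the offline stand-in for a Maven Central hash search.
func SampleLookup(sha1 string) (string, string, error) {
	if c, ok := sampleIndex[sha1]; ok {
		return c[0], c[1], nil
	}
	return "", "", errors.New("no artifact found for sha1 " + sha1)
}

func main() {
	enriched, n := Enrich(SamplePackages, SampleLookup, true)
	fmt.Printf("remote lookups performed: %d (of %d packages)\n", n, len(SamplePackages))
	for _, p := range enriched {
		fmt.Printf("%-12s group=%q artifact=%q\n", p.Name, p.GroupID, p.ArtifactID)
	}
	fmt.Println("still incomplete after enrichment:", MissingCoordinates(enriched))
}
```

With the sample input only two of the four packages trigger a lookup: the complete one is skipped by `NeedsEnrichment`, and the one without a SHA-1 has nothing to search with. Running `MissingCoordinates` only after `Enrich` is what keeps the compliance check from flagging records that the enrichment phase was about to complete.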