anchore / grype

A vulnerability scanner for container images and filesystems
Apache License 2.0

some non-PEP440 version constraints for GHSA python packages in grype-db #2229

Open willmurphyscode opened 6 hours ago

willmurphyscode commented 6 hours ago

Hello, I'm facing the same issue with grype 0.83.0:

[0222] ERROR failed to inflate vulnerability record (by language): failed to parse constraint='>=1.7.0,<1.9.0ubuntu1.2' format='Python': unable to parse pep440 constrain phrase failed to create comparator for '&{< 1.9.0ubuntu1.2}': unable to parse

Originally posted by @de4Ru in https://github.com/anchore/grype/issues/2195#issuecomment-2450307509

edit: here's an example of the records that can't be inflated:

SELECT
    id, namespace, version_constraint
FROM vulnerability
WHERE
    version_constraint LIKE '%0ubuntu1%' AND namespace LIKE '%python%';

against a current grype db produces:

id namespace version_constraint
GHSA-pj65-3pf6-c5q4 github:language:python >=1.7.0,<1.9.0ubuntu1.2
GHSA-rp8m-h266-53jh github:language:python >=1.7.0,<1.9.0ubuntu1.2
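The following is an added check, not code from this issue or from grype itself. It rebuilds the query above against a constructed in-memory SQLite table with the same `vulnerability(id, namespace, version_constraint)` shape, then flags every clause in a python-namespace constraint whose version does not fit the PEP 440 grammar. It goes beyond the `%0ubuntu1%` substring filter in the issue: any non-PEP 440 suffix is reported, not only the Ubuntu one. The version pattern is a simplified adaptation of the regular expression in PEP 440 Appendix B; the two GHSA ids come from the issue, the `GHSA-PLACEHOLDER-*` records are constructed filler.

```python
import re
import sqlite3

# Simplified PEP 440 public-version grammar (epoch, release, pre, post, dev, local),
# adapted from the canonical regular expression in PEP 440 Appendix B.
PEP440_VERSION = re.compile(
    r"""
    ^
    (?:(?P<epoch>[0-9]+)!)?
    (?P<release>[0-9]+(?:\.[0-9]+)*)
    (?P<pre>[-_.]?(?:a|b|c|rc|alpha|beta|pre|preview)[-_.]?[0-9]*)?
    (?P<post>(?:-[0-9]+)|(?:[-_.]?(?:post|rev|r)[-_.]?[0-9]*))?
    (?P<dev>[-_.]?dev[-_.]?[0-9]*)?
    (?:\+(?P<local>[a-z0-9]+(?:[-_.][a-z0-9]+)*))?
    $
    """,
    re.VERBOSE | re.IGNORECASE,
)

# Longest operators first so "<=" is not mistaken for "<".
OPERATORS = ("===", "~=", "==", "!=", "<=", ">=", "<", ">")


def invalid_clauses(constraint):
    """Return the clauses of a comma-separated constraint whose version is not PEP 440."""
    bad = []
    for clause in constraint.split(","):
        clause = clause.strip()
        if not clause:
            continue
        op = next((o for o in OPERATORS if clause.startswith(o)), None)
        version = clause[len(op):].strip() if op else clause
        # "==1.2.*" and "!=1.2.*" are legal wildcard forms; drop the wildcard before matching.
        if op in ("==", "!=") and version.endswith(".*"):
            version = version[:-2]
        if op is None or not PEP440_VERSION.match(version):
            bad.append(clause)
    return bad


# Constructed sample records: the first two mirror the query output in the issue,
# the GHSA-PLACEHOLDER-* rows are filler (one valid python constraint, one non-python namespace).
SAMPLE_RECORDS = [
    ("GHSA-pj65-3pf6-c5q4", "github:language:python", ">=1.7.0,<1.9.0ubuntu1.2"),
    ("GHSA-rp8m-h266-53jh", "github:language:python", ">=1.7.0,<1.9.0ubuntu1.2"),
    ("GHSA-PLACEHOLDER-0001", "github:language:python", ">=2.0,<2.4.1"),
    ("GHSA-PLACEHOLDER-0002", "github:language:go", "<1.9.0ubuntu1.2"),
]


def build_sample_db():
    """Create an in-memory SQLite table shaped like the one the query in the issue targets."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE vulnerability (id TEXT, namespace TEXT, version_constraint TEXT)")
    conn.executemany("INSERT INTO vulnerability VALUES (?, ?, ?)", SAMPLE_RECORDS)
    return conn


def audit_python_constraints(conn):
    """Return (id, constraint, bad_clauses) for every python-namespace record PEP 440 cannot parse."""
    rows = conn.execute(
        "SELECT id, namespace, version_constraint FROM vulnerability WHERE namespace LIKE '%python%'"
    )
    findings = []
    for vuln_id, _namespace, constraint in rows:
        bad = invalid_clauses(constraint)
        if bad:
            findings.append((vuln_id, constraint, bad))
    return findings


if __name__ == "__main__":
    for vuln_id, constraint, bad in audit_python_constraints(build_sample_db()):
        print(f"{vuln_id}: {constraint!r} -> non-PEP 440 clause(s) {bad}")
```

Pointing `build_sample_db` at a real grype DB file instead of `:memory:` turns this into a pre-flight check for the records that would trip the "failed to inflate vulnerability record" error, without waiting for a scan to hit them.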