anchore / grype

A vulnerability scanner for container images and filesystems
Apache License 2.0

WARN unable to extract GHSA java package information from purl="pkg:maven/": name is required #847

Open gireesh-kumar opened 2 years ago

gireesh-kumar commented 2 years ago

Hi

We are seeing the WARN messages below reported continuously when running grype:

[0010]  WARN unable to extract GHSA java package information from purl="pkg:maven/": name is required

[0010]  WARN matcher failed for pkg=Pkg(type=deb, name=zlib1g-dev, version=1:1.2.11.dfsg-2ubuntu4, upstreams=1): failed to match by source indirection: failed to find vulnerabilities for dpkg upstream source package: unable to filter distro-related vulnerabilities: failed to check constraint="< 0:1.2.11-18.el8_5 (rpm)" version="1:1.2.11.dfsg-2ubuntu4 (Deb)": (rpm) unsupported format: Deb

What do these errors mean?

What is the impact of ignoring these messages?

Is there something we can do to avoid / fix such warnings?

Environment:
Application: grype
Version: 0.38.0
Syft Version: v0.46.2
BuildDate: 2022-05-23T14:41:50Z
GitCommit: 06d28dad9f7e7d9aa65fc16d45c6ce785826664c
GitDescription: v0.38.0
Platform: linux/amd64
GoVersion: go1.18.2
Compiler: gc
Supported DB Schema: 3

OS: Red Hat Enterprise Linux Server release 7.9 (Maipo)

Note: we are running the container images as well from the host.
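An added triage script (my own, not part of grype or of this report) that parses the two kinds of WARN line quoted above and lists the packages grype did not fully match; the log lines it consumes are constructed copies of the ones in the issue, and the purl name check follows the public package-url grammar (pkg:type/namespace/name@version).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log, modelled on the two warnings quoted in the issue plus one unrelated line.
SAMPLE_LOG = """\
[0010]  WARN unable to extract GHSA java package information from purl="pkg:maven/": name is required
[0010]  WARN matcher failed for pkg=Pkg(type=deb, name=zlib1g-dev, version=1:1.2.11.dfsg-2ubuntu4, upstreams=1): failed to match by source indirection: failed to find vulnerabilities for dpkg upstream source package: unable to filter distro-related vulnerabilities: failed to check constraint="< 0:1.2.11-18.el8_5 (rpm)" version="1:1.2.11.dfsg-2ubuntu4 (Deb)": (rpm) unsupported format: Deb
[0011]  INFO scan complete
"""

PURL_RE = re.compile(r'WARN unable to extract .*? from purl="(?P<purl>[^"]*)": (?P<reason>.*)$')
MATCHER_RE = re.compile(
    r'WARN matcher failed for pkg=Pkg\(type=(?P<type>[^,]+), name=(?P<name>[^,]+), version=(?P<version>[^,)]+)'
    r'.*?constraint="(?P<constraint>[^"]*)\((?P<cfmt>[^)]+)\)" version="[^"]*\((?P<vfmt>[^)]+)\)"'
)

@dataclass
class SkippedPackage:
    kind: str    # "purl-missing-name", "purl-other" or "version-format-mismatch"
    ident: str   # the purl, or type/name@version for a matcher failure
    detail: str  # the reason grype gave

def purl_name(purl: str) -> Optional[str]:
    """Return the name component of a package-url, or None when it is absent (as in pkg:maven/)."""
    if not purl.startswith("pkg:"):
        return None
    body = purl[4:].split("?", 1)[0].split("#", 1)[0].split("@", 1)[0]
    parts = [p for p in body.split("/") if p]
    # parts[0] is the type; the name is the last remaining path segment
    return parts[-1] if len(parts) >= 2 else None

def triage(log: str) -> List[SkippedPackage]:
    """Collect the WARN lines that show a package was not fully matched by a grype matcher."""
    found: List[SkippedPackage] = []
    for line in log.splitlines():
        m = PURL_RE.search(line)
        if m:
            kind = "purl-missing-name" if purl_name(m["purl"]) is None else "purl-other"
            found.append(SkippedPackage(kind, m["purl"], m["reason"].strip()))
            continue
        m = MATCHER_RE.search(line)
        if m:
            # A constraint in one version format (rpm) cannot be evaluated against a version in another (Deb).
            kind = "version-format-mismatch" if m["cfmt"].lower() != m["vfmt"].lower() else "matcher-other"
            ident = f'{m["type"]}/{m["name"]}@{m["version"]}'
            detail = f'constraint "{m["constraint"].strip()}" is {m["cfmt"]} but version is {m["vfmt"]}'
            found.append(SkippedPackage(kind, ident, detail))
    return found

if __name__ == "__main__":
    for pkg in triage(SAMPLE_LOG):
        print(f"{pkg.kind}: {pkg.ident} ({pkg.detail})")
```

A package on this list is one for which the named matcher did not complete, so the warning is worth keeping in scan output (and reviewing) rather than silencing.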

wagoodman commented 2 months ago

Hey is this issue still happening?

Also, we don't quite have enough information to figure out what's happening here... do you have a container image or other asset that we can scan directly? It looks like you found a deb on a Red Hat system, which is one oddity. Another oddity is the java package without a name. We are working on getting Syft to fully comply with the minimum NTIA requirements for an SBOM, and this hints at being able to filter non-compliant packages in grype before attempting to match.

We probably should add a section to the grype report about packages that were not considered (something that is not done today / there is no place in the report for).