Open westonsteimel opened 1 year ago
willmurphyscode
commented
11 months ago @westonsteimel how would overriding the severity at a per-package level here help if grype db schema v5 can only have one severity per (VulnID, Namespace) tuple? Or is the ask here just to make the severity-per-package available to grype-db, and then grype-db can fix its own schema later?
westonsteimel
commented
11 months ago Or is the ask here just to make the severity-per-package available to grype-db, and then grype-db can fix its own schema later?
Yes
westonsteimel
commented
11 months ago I think adding a column to the vulnerability table in the current grype-db schema could be done without a breaking change, so we should get vunnel supporting it first and then update grype-db when we're ready to consume it
TimBrown1611
commented
2 months ago what do you thing adding EOL based on - https://endoflife.date/ currently i do not see any "offline" source which syncs this data (xeol doesn't seem maintained)
willmurphyscode
commented
1 month ago @wagoodman / @westonsteimel do we need to do anything here for the grype schema v6 work? Should we take advantage of the grype schema change to implement anything here?
The original vunnel schemas were very heavily influenced by the existing results format from Anchore Enterprise since we were trying to rip that out with as little disruption as possible. Now we would like to begin evaluating what a future iteration of these schemas could look like.
FixedInentries but rather actual constraints. This way each provider can tailor the constraint creation logic to its needs, and grype-db does not have to figure out how to interpret multipleFixedInentries.