anchore / vunnel

Tool for collecting vulnerability data from various sources (used to build the grype database)
Apache License 2.0

fix: add alpine:3.20 to expected namespaces #584

Closed willmurphyscode closed 1 month ago

willmurphyscode commented 1 month ago

Otherwise the quality gate will keep failing.

Addresses one of the problems mentioned in https://github.com/anchore/vunnel/issues/583.

The namespace is coming up now.

Manual testing done on main:

  1. make dev provider=alpine
  2. make update-db
  3. see below
sqlite3 --header --column .cache/grype/5/vulnerability.db 'select distinct namespace from vulnerability_metadata where namespace like "%alpine%";'
namespace
-------------------------
alpine:distro:alpine:3.14
alpine:distro:alpine:3.15
alpine:distro:alpine:3.16
alpine:distro:alpine:3.17
alpine:distro:alpine:3.10
alpine:distro:alpine:3.11
alpine:distro:alpine:3.12
alpine:distro:alpine:3.13
alpine:distro:alpine:3.18
alpine:distro:alpine:3.19
alpine:distro:alpine:3.20
alpine:distro:alpine:3.8
alpine:distro:alpine:3.9
alpine:distro:alpine:edge
alpine:distro:alpine:3.6
alpine:distro:alpine:3.7
alpine:distro:alpine:3.2
alpine:distro:alpine:3.3
alpine:distro:alpine:3.4
alpine:distro:alpine:3.5
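The manual test above is a one-off query; the same check can be automated as a small "expected namespaces" gate. This is an added example, not vunnel's or grype's own quality-gate code: it assumes a stand-in `vulnerability_metadata` table with only a `namespace` column (constructed in memory), and takes the expected Alpine namespace list from the query output above.

```python
# Added example (not vunnel/grype code): a minimal expected-namespaces gate.
# It runs the same DISTINCT-namespace query used in the manual test and
# reports namespaces that are expected but missing, or present but unexpected.
import sqlite3
from typing import Dict, Iterable, Set

# Assumption: the Alpine namespaces listed in the manual test output above,
# i.e. the set the gate should expect once alpine:3.20 is included.
ALPINE_VERSIONS = (
    "3.2", "3.3", "3.4", "3.5", "3.6", "3.7", "3.8", "3.9",
    "3.10", "3.11", "3.12", "3.13", "3.14", "3.15", "3.16",
    "3.17", "3.18", "3.19", "3.20", "edge",
)
EXPECTED_ALPINE_NAMESPACES = {f"alpine:distro:alpine:{v}" for v in ALPINE_VERSIONS}


def build_sample_db(namespaces: Iterable[str]) -> sqlite3.Connection:
    """Constructed in-memory stand-in for grype's vulnerability_metadata table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE vulnerability_metadata (id TEXT, namespace TEXT)")
    conn.executemany(
        "INSERT INTO vulnerability_metadata VALUES (?, ?)",
        [(f"CONSTRUCTED-{i:04d}", ns) for i, ns in enumerate(namespaces)],
    )
    return conn


def distinct_namespaces(conn: sqlite3.Connection, like: str = "%alpine%") -> Set[str]:
    """Same query as the manual test, parameterised instead of inlined."""
    rows = conn.execute(
        "SELECT DISTINCT namespace FROM vulnerability_metadata WHERE namespace LIKE ?",
        (like,),
    )
    return {row[0] for row in rows}


def namespace_gate(conn: sqlite3.Connection, expected: Iterable[str]) -> Dict[str, Set[str]]:
    """Return what is missing from the DB and what is present but unexpected."""
    expected_set = set(expected)
    found = distinct_namespaces(conn)
    return {"missing": expected_set - found, "unexpected": found - expected_set}


if __name__ == "__main__":
    # Simulate a DB built before alpine:3.20 existed: the gate should flag it.
    db = build_sample_db(EXPECTED_ALPINE_NAMESPACES - {"alpine:distro:alpine:3.20"})
    print(namespace_gate(db, EXPECTED_ALPINE_NAMESPACES))
```

To run it against a real build, replace `build_sample_db(...)` with `sqlite3.connect(".cache/grype/5/vulnerability.db")`.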
willmurphyscode commented 1 month ago

Looks like I'll need to also fix the wolfi issue in this PR:

Running relative comparison... 
   Results used:
    ├── 5cadc426-434a-4bb4-a832-3f71aaa5b16b : grype[custom-db]@v0.77.4 against cgr.dev/chainguard/wolfi-base@sha256:be3834598c3c4b76ace6a866edcbbe1fa18086f9ee238b57769e4d230cd7d507
    └── 1b4d8c15-7c74-43e7-a770-b79f2045544e : grype@v0.77.4 against cgr.dev/chainguard/wolfi-base@sha256:be3834598c3c4b76ace6a866edcbbe1fa18086f9ee238b57769e4d230cd7d507

Running comparison against labels... 
   Results used:
    ├── 5cadc426-434a-4bb4-a832-3f71aaa5b16b : grype[custom-db]@v0.77.4 against cgr.dev/chainguard/wolfi-base@sha256:be3834598c3c4b76ace6a866edcbbe1fa18086f9ee238b57769e4d230cd7d507
    └── 1b4d8c15-7c74-43e7-a770-b79f2045544e : grype@v0.77.4 against cgr.dev/chainguard/wolfi-base@sha256:be3834598c3c4b76ace6a866edcbbe1fa18086f9ee238b57769e4d230cd7d507

Match differences between tooling (with labels):
   TOOL PARTITION                 PACKAGE         VULNERABILITY        LABEL      COMMENTARY
   grype[custom-db]@v0.77.4 ONLY  zlib@1.2.12-r2  GHSA-mq29-j5xf-cjwr  (unknown)

I think we need to label GHSA-mq29-j5xf-cjwr for cgr.dev/chainguard/wolfi-base@sha256:be3834598c3c4b76ace6a866edcbbe1fa18086f9ee238b57769e4d230cd7d507