anchore / vunnel

Tool for collecting vulnerability data from various sources (used to build the grype database)
Apache License 2.0

Enhance SLES provider to pull in oval data on unfixed packages #626

Open westonsteimel opened 1 month ago

westonsteimel commented 1 month ago

What would you like to be added:

The SLES provider should be enhanced to pull in the OVAL data stating that a package is affected but not fixed

Why is this needed:

This would allow making SLES a comprehensive distro in grype and would eliminate a large number of false positives

willmurphyscode commented 1 month ago

This would be a big help. Concretely, it would allow us to add SLES here

msmeissn commented 1 month ago

Hi, Marcus from SUSE Security here.

First, switching to the -affected feed will not remove the false positives I think.

The SUSE OVAL feed currently used in vunnel also declares "not affectedness" by emitting a PACKAGE == 0 OVAL relation.

You are however right. If you switch to the -affected flavor, it would be comprehensive coverage of all distro packages declared by the -affected OVAL: fixed, unaffected and affected.
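To make the three OVAL outcomes Marcus describes concrete, here is an added Python example (not vunnel's, grype's or SUSE's code) that parses a constructed, simplified OVAL 5 rpminfo document and classifies each package criterion as fixed, not-affected or affected with no fix. Everything in it is constructed: the `oval:example:*` identifiers, the CVE id, the package names and EVR strings. The "equals 0 means not affected" reading follows the comment above; the "test with no state means affected, no fixed version" encoding is an assumption made for this example only, not a statement about how the real SUSE -affected feed expresses it.

```python
"""Classify OVAL rpminfo criteria into fixed / not-affected / affected (unfixed).

Added example, not project code. The XML below is a constructed, simplified
OVAL 5 document. Encodings assumed here (see lead-in):
  - evr "less than" X  -> vulnerable below X, i.e. fixed in X
  - evr "equals" 0     -> package is not affected (the PACKAGE == 0 relation)
  - test with no state -> affected, no fixed version (assumption for this example)
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

NS = {
    "oval": "http://oval.mitre.org/XMLSchema/oval-definitions-5",
    "lin": "http://oval.mitre.org/XMLSchema/oval-definitions-5#linux",
}

# Constructed sample document: one definition covering three packages.
SAMPLE_OVAL = """
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
                  xmlns:lin="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
  <definitions>
    <definition id="oval:example:def:1" class="vulnerability">
      <metadata><title>CVE-0000-0001</title></metadata>
      <criteria operator="OR">
        <criterion test_ref="oval:example:tst:1" comment="openssl fixed"/>
        <criterion test_ref="oval:example:tst:2" comment="curl not affected"/>
        <criterion test_ref="oval:example:tst:3" comment="libfoo affected, no fix"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <lin:rpminfo_test id="oval:example:tst:1" check="at least one" version="1">
      <lin:object object_ref="oval:example:obj:1"/>
      <lin:state state_ref="oval:example:ste:1"/>
    </lin:rpminfo_test>
    <lin:rpminfo_test id="oval:example:tst:2" check="at least one" version="1">
      <lin:object object_ref="oval:example:obj:2"/>
      <lin:state state_ref="oval:example:ste:2"/>
    </lin:rpminfo_test>
    <lin:rpminfo_test id="oval:example:tst:3" check="at least one" version="1">
      <lin:object object_ref="oval:example:obj:3"/>
    </lin:rpminfo_test>
  </tests>
  <objects>
    <lin:rpminfo_object id="oval:example:obj:1" version="1"><lin:name>openssl</lin:name></lin:rpminfo_object>
    <lin:rpminfo_object id="oval:example:obj:2" version="1"><lin:name>curl</lin:name></lin:rpminfo_object>
    <lin:rpminfo_object id="oval:example:obj:3" version="1"><lin:name>libfoo</lin:name></lin:rpminfo_object>
  </objects>
  <states>
    <lin:rpminfo_state id="oval:example:ste:1" version="1">
      <lin:evr datatype="evr_string" operation="less than">0:1.1.1l-150400.7.1</lin:evr>
    </lin:rpminfo_state>
    <lin:rpminfo_state id="oval:example:ste:2" version="1">
      <lin:evr datatype="evr_string" operation="equals">0</lin:evr>
    </lin:rpminfo_state>
  </states>
</oval_definitions>
"""


@dataclass(frozen=True)
class Finding:
    cve: str
    package: str
    status: str              # "fixed" | "not-affected" | "affected" | "unknown"
    fixed_in: Optional[str]  # EVR string when status == "fixed"


def _classify(operation: Optional[str], value: Optional[str]) -> Tuple[str, Optional[str]]:
    """Map one rpminfo state (or its absence) to a status per the assumed encodings."""
    if operation is None:                     # no state: package present at any version
        return "affected", None
    if operation == "equals" and value == "0":
        return "not-affected", None
    if operation == "less than":
        return "fixed", value
    return "unknown", None                    # anything else: surface, do not guess


def parse_oval(xml_text: str) -> List[Finding]:
    root = ET.fromstring(xml_text)
    objects = {o.get("id"): o.findtext("lin:name", namespaces=NS)
               for o in root.findall("oval:objects/lin:rpminfo_object", NS)}
    states: Dict[str, Tuple[str, str]] = {}
    for s in root.findall("oval:states/lin:rpminfo_state", NS):
        evr = s.find("lin:evr", NS)
        states[s.get("id")] = (evr.get("operation", "equals"), (evr.text or "").strip())
    tests: Dict[str, Tuple[str, Optional[Tuple[str, str]]]] = {}
    for t in root.findall("oval:tests/lin:rpminfo_test", NS):
        obj_ref = t.find("lin:object", NS).get("object_ref")
        state_el = t.find("lin:state", NS)
        state = states.get(state_el.get("state_ref")) if state_el is not None else None
        tests[t.get("id")] = (objects[obj_ref], state)
    findings: List[Finding] = []
    for d in root.findall("oval:definitions/oval:definition", NS):
        cve = d.findtext("oval:metadata/oval:title", namespaces=NS)
        for c in d.iter("{%s}criterion" % NS["oval"]):   # walk nested criteria too
            package, state = tests[c.get("test_ref")]
            status, fixed_in = _classify(*(state or (None, None)))
            findings.append(Finding(cve, package, status, fixed_in))
    return findings


def unfixed(findings: List[Finding]) -> List[Tuple[str, str]]:
    """(cve, package) pairs marked affected with no fix: the records this issue asks for."""
    return sorted((f.cve, f.package) for f in findings if f.status == "affected")


if __name__ == "__main__":
    for f in parse_oval(SAMPLE_OVAL):
        print(f)
```

The point of separating the three outcomes is that a feed emitting only "fixed" records cannot tell a scanner whether silence means "unaffected" or "never looked at"; once every distro package has one of the three statuses, a scanner can treat the distro as comprehensive and suppress matches from other sources for packages the distro owns.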

westonsteimel commented 1 month ago

Adding sles to the comprehensive distros list in https://github.com/anchore/grype/blob/ef376037510cdb507af3567846ed1127f471255c/grype/pkg/package.go#L179-L184 should remove the false positives, but before we can do that we need to consume the comprehensive feed. Once sles is in that list grype will for instance filter GHSA matches for components that are owned by a sles rpm package

westonsteimel commented 1 month ago

Eventually we want to implement https://github.com/anchore/grype/issues/1426 in grype which would allow deselecting matches even for non-comprehensive data sources, but we have to finish some other rather large tasks (most importantly, the in-progress work for v6 of the grype-db schema) before we can accommodate that