Closed jamonation closed 9 months ago
I think I ought to compare this Grype to Trivy in BigQuery first. It looks like Trivy sums the count differently: https://github.com/chainguard-dev/rumble/blob/5329f58dac5505724e0bbfa92bc141a867c978eb/main.go#L379-L400
Have we figured out the root cause of the count difference? It'd be great to understand that to inform changes like this, IMHO
@jamonation and @luhring: knowing the cause of the difference would be helpful. I'm glad to pair debug, @jamonation :) I have some time tomorrow afternoon.
It looks like Trivy sums the count differently:
This is expected, IIUC. `trivy` and `grype` do not share all the same categories. I believe `grype` has a "Negligible" category that `trivy` does not. But double check me :)
Closing unless anyone wants to re-open this :)
This PR updates the `summary.TotCveCount` for Grype scans to sum across the different severity types, as opposed to taking the length of all matches. For some reason the `tot_cve_count` in the database for Grype scans shows a much larger number than the actual sum of all matches for a given scan.