chainguard-dev / rumble

Data collection for base image CVEs etc.
Apache License 2.0

Update grype summary.TotCveCount to add across severity types #92

Closed jamonation closed 9 months ago

jamonation commented 11 months ago

This PR updates the summary.TotCveCount for Grype scans to sum across the different severity types, as opposed to taking the length of all matches.

For some reason the tot_cve_count in the database for Grype scans shows a much larger number than the actual sum of all matches for a given scan.

jamonation commented 11 months ago

I think I ought to compare this Grype to Trivy in BigQuery first. It looks like Trivy sums the count differently: https://github.com/chainguard-dev/rumble/blob/5329f58dac5505724e0bbfa92bc141a867c978eb/main.go#L379-L400

luhring commented 11 months ago

Have we figured out the root cause of the count difference? It'd be great to understand that to inform changes like this, IMHO

jspeed-meyers commented 11 months ago

@jamonation and @luhring: knowing the cause of the difference would be helpful. I'm glad to pair debug, @jamonation :) I have some time tomorrow afternoon.

> It looks like Trivy sums the count differently:

This is expected, IIUC. trivy and grype do not share all the same categories. I believe grype has a "Negligible" category that trivy does not. But double check me :)
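As an added example (not rumble's code and not the patch in this PR), the summing the PR describes is written as a routine that totals across severity buckets and then reconciles that total against len(matches), which is how a bucket list missing a category such as grype's "Negligible" shows up. The grypeReport struct is a minimal view of grype's JSON output; the two bucket lists and the sample report are constructed assumptions for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal view of a grype JSON report: only the field the summary needs.
type grypeReport struct {
	Matches []struct {
		Vulnerability struct {
			Severity string `json:"severity"`
		} `json:"vulnerability"`
	} `json:"matches"`
}

// Severity buckets per scanner (assumed for this example): grype has "Negligible", trivy does not.
var GrypeBuckets = []string{"Critical", "High", "Medium", "Low", "Negligible", "Unknown"}
var TrivyBuckets = []string{"Critical", "High", "Medium", "Low", "Unknown"}
type Summary struct {
	BySeverity  map[string]int // every severity label seen, known bucket or not
	TotCveCount int            // sum across the known severity buckets, as the PR proposes
	MatchCount  int            // len(matches), the value the PR moves away from
}
// Consistent is the reconciliation check: the bucket sum must account for every match.
func (s Summary) Consistent() bool { return s.TotCveCount == s.MatchCount }
// Summarize tallies every severity label but totals only the known buckets; Consistent catches the gap.
func Summarize(raw []byte, buckets []string) (Summary, error) {
	var r grypeReport
	if err := json.Unmarshal(raw, &r); err != nil {
		return Summary{}, err
	}
	s := Summary{BySeverity: make(map[string]int), MatchCount: len(r.Matches)}
	for _, m := range r.Matches {
		s.BySeverity[m.Vulnerability.Severity]++
	}
	for _, b := range buckets {
		s.TotCveCount += s.BySeverity[b]
	}
	return s, nil
}
// Constructed sample (not real scan output): four matches, one of them Negligible.
const SampleReport = `{"matches":[{"vulnerability":{"severity":"Critical"}},{"vulnerability":{"severity":"High"}},
{"vulnerability":{"severity":"High"}},{"vulnerability":{"severity":"Negligible"}}]}`
func main() {
	for _, b := range [][]string{GrypeBuckets, TrivyBuckets} {
		s, _ := Summarize([]byte(SampleReport), b)
		fmt.Printf("buckets=%v tot=%d matches=%d consistent=%v\n", b, s.TotCveCount, s.MatchCount, s.Consistent())
	}
}
```

With the grype bucket list the total equals the match count; with the trivy-style list the Negligible match is dropped and the check fails, which is the kind of discrepancy worth reconciling in the database before changing how the total is computed.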

jspeed-meyers commented 9 months ago

Closing unless anyone wants to re-open this :)