Closed lioneloh closed 3 months ago
Thanks for reporting this! I'm intrigued, we haven't had many people using this particular command. Curious what your use case is if you feel like sharing :)
Thanks for the fix :) But I still don't know what is wrong in my command line :( I will dig further. For the use case, to make it short, we have several Spark images (from 2.4 to 3.5) available internally with some internal dependencies and non-default build parameters. I successfully built the packages needed (missing from Wolfi) with a melange file.
As we have specific build parameters at Spark compile time, the jar list is not the same as in the default Wolfi Spark images, and I was trying to automate the advisories list and secdb build. In the end our internal users would be able to get the list of vulnerabilities with a simple SBOM scan (generated by apko) before using the container image.
This is currently a test to compare the vulnerability footprint between Wolfi-based images and our current existing images.
But I still don't know what is wrong in my command line
Oh no! Are you still getting the same error? Or a new one?
And thanks for sharing! What you're doing sounds interesting. What are you planning on doing with the advisories list and secdbs? The secdbs are meant to be consumed by vulnerability scanners, and I'm happy to share more about that process if it's helpful.
It might also be worth mentioning that wolfictl adv discover isn't the best way to find vulnerabilities in a package. It was mostly added as an experiment early on, but it doesn't do any kind of deeper software composition analysis to see what vulnerabilities exist in the package.
I understood what I was doing wrong. I did not read all the documentation (aka the code) :). The command was expecting the name of the package, not the yaml file containing the melange information. Moreover, there is a hardcoded mapping in the code for efficient NVD search.
But you are right, wolfictl adv discover is not the best command to use. I tried wolfictl adv guide and had better results. I had to trick it because the command expects to be based on a short list of git remote URLs (hardcoded in the code as well ;)). But for the guide command it's understandable behavior, as it's there to guide the user when submitting a package so the correct advisories file is set up.
It would be nice anyway to have a new wolfictl adv discover command based on a grype scan (like guide) that initializes or updates an advisory file with a detection event if not already present. This command should not need any interaction, to be compatible with CI/CD pipelines. It could be coupled with a new search command to list the last event of a specific type for all vulnerabilities on all or a subset of packages (for example, search all vulnerabilities still with an event of type detection on all Python packages).
What do you think?
I could create a feature request on this point, if you think it is worth it.
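The "search" idea above (list every advisory whose most recent event is of a given type, optionally restricted to a subset of packages) can be sketched in a few lines. This is an added example, not wolfictl's own code; the advisory documents are modelled as dicts in the shape of Wolfi advisory YAML files (package.name, advisories[].id, advisories[].events[].timestamp/type), which is an assumption about the format, and the documents themselves are constructed samples with placeholder ids.

```python
"""Search advisory documents for vulnerabilities whose LAST event has a given type.

Added example, not wolfictl code. Document shape assumed from Wolfi advisory YAML.
"""
from datetime import datetime
from fnmatch import fnmatchcase
from typing import Optional

# Constructed sample documents with placeholder CVE ids (not real advisories).
SAMPLE_DOCS = [
    {"schema-version": "2.0.2", "package": {"name": "py3-requests"}, "advisories": [
        {"id": "CVE-0000-0001", "events": [
            {"timestamp": "2024-01-10T10:00:00Z", "type": "detection"},
            {"timestamp": "2024-01-12T09:00:00Z", "type": "fixed",
             "data": {"fixed-version": "2.31.0-r1"}}]},
        {"id": "CVE-0000-0002", "events": [
            # Listed out of order on purpose: the latest event must be chosen by
            # timestamp, not by list position, or this would look unresolved.
            {"timestamp": "2024-02-03T00:00:00Z", "type": "true-positive-determination"},
            {"timestamp": "2024-02-01T00:00:00Z", "type": "detection"}]}]},
    {"schema-version": "2.0.2", "package": {"name": "py3-urllib3"}, "advisories": [
        {"id": "CVE-0000-0004", "events": [
            {"timestamp": "2024-03-01T00:00:00Z", "type": "detection"}]}]},
    {"schema-version": "2.0.2", "package": {"name": "spark-3.4"}, "advisories": [
        {"id": "CVE-0000-0003", "events": [
            {"timestamp": "2024-03-05T00:00:00Z", "type": "detection"}]},
        {"id": "CVE-0000-0005", "events": []}]},  # no events yet: never a hit
]


def _parse_ts(ts: str) -> datetime:
    # Event timestamps are RFC 3339; map the trailing 'Z' to an explicit offset.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def latest_event(advisory: dict) -> Optional[dict]:
    """Return the event with the newest timestamp, or None if there are none."""
    events = advisory.get("events", [])
    return max(events, key=lambda e: _parse_ts(e["timestamp"])) if events else None


def search_latest(docs, event_type: str, package_glob: str = "*"):
    """(package, advisory id) pairs whose latest event has `event_type`,
    for packages matching `package_glob` (e.g. 'py3-*' for Python packages)."""
    hits = []
    for doc in docs:
        name = doc["package"]["name"]
        if not fnmatchcase(name, package_glob):
            continue
        for adv in doc.get("advisories", []):
            last = latest_event(adv)
            if last is not None and last["type"] == event_type:
                hits.append((name, adv["id"]))
    return sorted(hits)
```

Running `search_latest(SAMPLE_DOCS, "detection", "py3-*")` answers the "all Python packages still at detection" question; the same call without the glob covers every package.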
Description
Inside a wolfi-sdk container, when running the following command
GITHUB_TOKEN=github_pat_xxxx wolfictl advisory discover -d wolfi-dir/ -a advisories-dir/ -p spark-3.4 -r https://my_package_url
I have the following error:

Could you help me on this?
For information, the wolfictl version I use:
The spark-3.4.yaml package file exists and the package was successfully created.