
Additional ecosystem related v6 fixes #2450

Merged
merged 4 commits into from
Feb 18, 2025

Conversation

wagoodman
Contributor

@wagoodman wagoodman commented Feb 15, 2025

This PR makes several adjustments related to ecosystem (and related) searches based on initial v6 testing:

  • separates out name normalization rules for each DB schema. This is done by ensuring that package name resolution flows through the vx.VulnerabilityProvider with a new PackageSearchNames method on the interface.
  • adds name normalization for v6 schema (only python and java, no stock resolver)
  • reorients search.ByLanguage to be search.ByEcosystem, taking both language and package type. This allows v5 to continue using language as the primary way to search while allowing v6 to move towards searching by package type (which is what the DB v6 schema ecosystem column orients around)
  • removes duplicate ecosystem alias mappings (jenkins plugins and github actions workflows, both of which already have existing mappings)
  • adds package types explicitly to the v6 helper function MimicV5Namespace
  • no longer requires VulnerabilityHandle to already exist on vuln reference objects when fetching VulnerabilityMetadata via the VulnerabilityProvider. Not all uses of this function have already populated internal instances (such as with related vulnerabilities within the nvd namespace). This now optionally uses GetVulnerabilities on the VulnerabilityStore in such cases.
  • adds a vulnerability id + provider composite index on the VulnerabilityHandles table, speeding up VulnerabilityMetadata calls a lot.
  • adds missing OS specifier override for chainguard (making it a "rolling" type)
  • only non-rejected vulnerabilities are now considered from any vulnerability provider during matching
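
The per-ecosystem search-name resolution and the non-rejected filtering described above, as an added Go example that is not code from this PR or from grype: the PEP 503 rule for Python names, the "groupId:artifactId" handling for Java, the VulnRecord row shape and the sample rows are all assumptions constructed for this illustration, not grype's own types, rules or data.

```go
package main

import (
	"regexp"
	"slices"
	"strings"
)

var pythonSep = regexp.MustCompile(`[-_.]+`)

// normalizePythonName applies PEP 503: lowercase, runs of '-', '_', '.' become '-'.
func normalizePythonName(name string) string {
	return pythonSep.ReplaceAllString(strings.ToLower(name), "-")
}

// PackageSearchNames is a hypothetical stand-in for the resolver method the PR describes: normalize per ecosystem, search as-is where no resolver exists.
func PackageSearchNames(ecosystem, name string) []string {
	switch ecosystem {
	case "python":
		return []string{normalizePythonName(name)}
	case "java": // "groupId:artifactId": also try the bare artifactId (assumed here, not grype's rule)
		if g, a, ok := strings.Cut(strings.ToLower(name), ":"); ok {
			return []string{g + ":" + a, a}
		}
		return []string{strings.ToLower(name)}
	}
	return []string{name}
}

// VulnRecord is a DB row; Status "rejected" marks a withdrawn advisory.
type VulnRecord struct{ ID, Ecosystem, Package, Status string }

// Constructed sample rows, not real advisories.
var sampleDB = []VulnRecord{
	{"VULN-A", "python", "flask-login", ""},
	{"VULN-B", "python", "flask-login", "rejected"},
	{"VULN-C", "java", "org.example:lib", ""},
}

// Match returns IDs of non-rejected rows in the ecosystem whose stored name equals any search name for pkg (the ByEcosystem + non-rejected filter).
func Match(db []VulnRecord, ecosystem, pkg string) []string {
	names := PackageSearchNames(ecosystem, pkg)
	var ids []string
	for _, r := range db {
		if r.Status != "rejected" && r.Ecosystem == ecosystem && slices.Contains(names, r.Package) {
			ids = append(ids, r.ID)
		}
	}
	return ids
}
```

Without the normalization step, "Flask_Login" would never match the stored "flask-login" row, which is the silent false negative the resolver exists to prevent.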

@wagoodman wagoodman added the changelog-ignore Don't include this issue in the release changelog label Feb 15, 2025
@wagoodman wagoodman force-pushed the v6-name-normalization branch from 915b089 to f23bd19 on February 15, 2025 05:27
@wagoodman wagoodman marked this pull request as ready for review February 15, 2025 13:20
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
@wagoodman wagoodman force-pushed the v6-name-normalization branch from f23bd19 to 0b34398 on February 15, 2025 16:20
"github.com/anchore/packageurl-go"
)

type JavaResolver struct {
Contributor


I would prefer this to somehow be in the Java matcher, by adding logic in different places like this it becomes harder to figure out what's actually going on during the matching process. It's my feeling that the matchers should be very much representative of the entire process of taking data from a package and mapping it to criteria used to search.

Contributor Author


yeah, this is probably going to be a grype v1 refactor, but this at least gets matching functional again for v6

@wagoodman wagoodman merged commit b20c4d9 into main Feb 18, 2025
10 checks passed
@wagoodman wagoodman deleted the v6-name-normalization branch February 18, 2025 15:54