distro: Disable support for Arch Linux #1152

Foxboron · 2023-03-02T14:16:43Z

Support for Arch Linux was added without parsing the vulnerability tracker from Arch Linux, resulting in false positives.

Disabled until proper coverage can be done.

Example:

 $ grype archlinux
 ✔ Vulnerability DB        [updated]
 ✔ Parsed image
 ✔ Cataloged packages      [113 packages]
 ✔ Scanned image           [5 vulnerabilities]
NAME        INSTALLED   FIXED-IN  TYPE  VULNERABILITY   SEVERITY
gnupg       2.2.40-1              alpm  CVE-2022-34903  Medium
gnupg       2.2.40-1              alpm  CVE-2022-3515   Critical
libarchive  3.6.2-2               alpm  CVE-2022-36227  Critical
zlib        1:1.2.13-2            alpm  CVE-2018-25032  High
zlib        1:1.2.13-2            alpm  CVE-2022-37434  Critical

Where CVE-2022-37434 is fixed by zlib version 1:1.2.12-3.

archlinux/svntogit-packages@842507f

Support for Arch Linux was added without parsing the vulnerability tracker from Arch Linux, resulting in false positives. Disabled until proper coverage can be done. Example: $ grype archlinux ✔ Vulnerability DB [updated] ✔ Parsed image ✔ Cataloged packages [113 packages] ✔ Scanned image [5 vulnerabilities] NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY gnupg 2.2.40-1 alpm CVE-2022-34903 Medium gnupg 2.2.40-1 alpm CVE-2022-3515 Critical libarchive 3.6.2-2 alpm CVE-2022-36227 Critical zlib 1:1.2.13-2 alpm CVE-2018-25032 High zlib 1:1.2.13-2 alpm CVE-2022-37434 Critical Where CVE-2022-37434 is fixed by zlib version 1:1.2.12-3. archlinux/svntogit-packages@842507f Signed-off-by: Morten Linderud <[email protected]>

kzantow · 2023-03-02T15:09:20Z

Hi @Foxboron I noticed there's a failing test, I have a fix for it -- do you mind if I push a commit to your branch?

Foxboron · 2023-03-02T15:10:42Z

@kzantow Sure, feel free to push to the branch :)

Signed-off-by: Keith Zantow <[email protected]>

kzantow

LGTM 👍 -- we definitely want to revisit this as soon as we can consume the Arch fix data!

Foxboron · 2023-03-02T15:27:34Z

@kzantow Thanks for the quick merge!

kzantow · 2023-03-02T15:30:55Z

@Foxboron thanks for bringing this to our attention! I'll try to get a release out today, too. 👍

* main: chore: bump quality gate labels and syft version (#1156) chore: Update Syft to v0.74.0 (#1151) fix(distro): Disable support for Arch Linux (#1152) chore: update progress monitor handling (#1149)

Foxboron force-pushed the morten/disable-archlinux branch from 8f57153 to 3873399 Compare March 2, 2023 14:17

chore: add nil check

0d3ddb1

Signed-off-by: Keith Zantow <[email protected]>

kzantow approved these changes Mar 2, 2023

View reviewed changes

kzantow merged commit bb92f44 into anchore:main Mar 2, 2023

kzantow mentioned this pull request Jun 22, 2023

False positive for libskba/gnupg with CVE-2022-3515 #1338

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

distro: Disable support for Arch Linux #1152

distro: Disable support for Arch Linux #1152

Foxboron commented Mar 2, 2023 •

edited

Loading

kzantow commented Mar 2, 2023

Foxboron commented Mar 2, 2023

kzantow left a comment

Foxboron commented Mar 2, 2023

kzantow commented Mar 2, 2023

distro: Disable support for Arch Linux #1152

distro: Disable support for Arch Linux #1152

Conversation

Foxboron commented Mar 2, 2023 • edited Loading

kzantow commented Mar 2, 2023

Foxboron commented Mar 2, 2023

kzantow left a comment

Choose a reason for hiding this comment

Foxboron commented Mar 2, 2023

kzantow commented Mar 2, 2023

Foxboron commented Mar 2, 2023 •

edited

Loading