distro: Disable support for Arch Linux #1152
Support for Arch Linux was added without parsing the vulnerability tracker from Arch Linux, resulting in false positives.

Disabled until proper coverage can be done.

Example:

    $ grype archlinux
     ✔ Vulnerability DB        [updated]
     ✔ Parsed image
     ✔ Cataloged packages      [113 packages]
     ✔ Scanned image           [5 vulnerabilities]
    NAME        INSTALLED   FIXED-IN  TYPE  VULNERABILITY   SEVERITY
    gnupg       2.2.40-1              alpm  CVE-2022-34903  Medium
    gnupg       2.2.40-1              alpm  CVE-2022-3515   Critical
    libarchive  3.6.2-2               alpm  CVE-2022-36227  Critical
    zlib        1:1.2.13-2            alpm  CVE-2018-25032  High
    zlib        1:1.2.13-2            alpm  CVE-2022-37434  Critical

Where CVE-2022-37434 is fixed by zlib version 1:1.2.12-3.

archlinux/svntogit-packages@842507f

Signed-off-by: Morten Linderud <[email protected]>
8f57153 to 3873399
Hi @Foxboron I noticed there's a failing test, I have a fix for it -- do you mind if I push a commit to your branch?

@kzantow Sure, feel free to push to the branch :)
Signed-off-by: Keith Zantow <[email protected]>
LGTM 👍 -- we definitely want to revisit this as soon as we can consume the Arch fix data!
@kzantow Thanks for the quick merge!

@Foxboron thanks for bringing this to our attention! I'll try to get a release out today, too. 👍
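The false positive in the PR description, as an added example that is not grype's code: with no distro fix version a matcher can only report the package, while comparing the installed `epoch:pkgver-pkgrel` against the fixed-in version clears it. The names `splitAlpm`, `key`, `cmpAlpm` and `stillVulnerable` are hypothetical, and the ordering is a simplified stand-in for pacman's `vercmp` that only handles numeric dot-separated fields.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// splitAlpm returns {epoch, pkgver, pkgrel}; a missing epoch counts as "0".
func splitAlpm(v string) [3]string {
	p := [3]string{"0", v, ""}
	if i := strings.Index(v, ":"); i >= 0 {
		p[0], p[1] = v[:i], v[i+1:]
	}
	if i := strings.LastIndex(p[1], "-"); i >= 0 {
		p[1], p[2] = p[1][:i], p[1][i+1:]
	}
	return p
}

// key zero-pads numeric dot-fields so string order matches numeric order.
func key(s string) string {
	f := strings.Split(s, ".")
	for i, x := range f {
		if n, err := strconv.Atoi(x); err == nil {
			f[i] = fmt.Sprintf("%020d", n)
		}
	}
	return strings.Join(f, ".")
}

// cmpAlpm is a simplified ordering (assumption: not pacman's full vercmp).
func cmpAlpm(a, b string) int {
	pa, pb := splitAlpm(a), splitAlpm(b)
	for i := range pa {
		if c := strings.Compare(key(pa[i]), key(pb[i])); c != 0 {
			return c
		}
	}
	return 0
}

// stillVulnerable: an empty fixedIn models missing distro fix data.
func stillVulnerable(installed, fixedIn string) bool {
	return fixedIn == "" || cmpAlpm(installed, fixedIn) < 0
}

func main() {
	fmt.Println(stillVulnerable("1:1.2.13-2", ""), stillVulnerable("1:1.2.13-2", "1:1.2.12-3"))
}
```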