Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: add manual vendor/product removal to fix false flags #1070

Merged
merged 2 commits into from
Dec 8, 2022
Merged

fix: add manual vendor/product removal to fix false flags #1070

merged 2 commits into from
Dec 8, 2022

Conversation

cpendery
Copy link
Contributor

📝 Description

Not a great solution, but it at least removes these false flagging events and matches the current practices of manual vendor/product additions by adding support for manual vendor/product removals

Closes #1066
Closes anchore/grype#800
Closes anchore/grype#491

cpendery
cpendery commented Jun 28, 2022
View reviewed changes
Copy link
Contributor Author

@cpendery cpendery left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If you think dropping the vendor is too large, I can update this to drop a specific vendor/package pairing

@cpendery cpendery marked this pull request as ready for review June 28, 2022 15:34
@cpendery cpendery changed the title fix: add manual vendor/product removal to fix false flags [WIP] fix: add manual vendor/product removal to fix false flags Jun 28, 2022
@spiffcs
Copy link
Contributor

spiffcs commented Jul 21, 2022

@westonsteimel should we even introduce this into the app layer with vulnerability_match_exclusion now being a table where anchore can start managing these at the data layer?

cc @wagoodman also for his thoughts on corrections for cpe at the app layer vs data layer

@spiffcs spiffcs merged commit 668f102 into anchore:main Dec 8, 2022
spiffcs added a commit to raboof/syft that referenced this pull request Dec 20, 2022
@spiffcs
Merge branch 'main' into prefer-known-vendor
160c7fe 
* main: (87 commits)
  feat: Add license parsing for java (anchore#1385)
  fix: cyclonedx component type for binaries (anchore#1406)
  fix: openjdk detection pattern (anchore#1415)
  bug: spdx checksum empty array; allow syft to generate SHA1 for spdx-tag-value documents (anchore#1404)
  Add NetBSD support. (anchore#1412)
  feat: add catalog delete (anchore#1377)
  docs: remove file classifier (anchore#1397)
  chore: update latest cyclonedx library (anchore#1390)
  feat: Add Java binary catalogers (anchore#1392)
  chore: Update SPDX license list to 3.19 (anchore#1389)
  fix: add manual vendor/product removal to fix false flags (anchore#1070)
  Update Stereoscope to c5ff155d72f166e2332e160a75c3ff2b8e9c7e2e (anchore#1395)
  chore: fix test busybox image sha (anchore#1393)
  fix: go version not properly identified in binary (anchore#1384)
  Update Stereoscope to 3b80d983223f6e6fc2d33b0ffa003d30268418e9 (anchore#1376)
  fix: Update node binary package name (anchore#1375)
  feat: Generic Binary Cataloger (anchore#1336)
  recover from bad parsing of golang binary (anchore#1371)
  Fix parsing of apk databases with large entries (anchore#1365)
  Update syft bootstrap tools to latest versions. (anchore#1369)
  ...
spiffcs added a commit to cpendery/syft that referenced this pull request Dec 20, 2022
@spiffcs
Merge branch 'main' into feat-mix
5828268 
* main: (189 commits)
  feat: add h1digest when scanning go.mod (anchore#1405)
  feat: Add license parsing for java (anchore#1385)
  fix: cyclonedx component type for binaries (anchore#1406)
  fix: openjdk detection pattern (anchore#1415)
  bug: spdx checksum empty array; allow syft to generate SHA1 for spdx-tag-value documents (anchore#1404)
  Add NetBSD support. (anchore#1412)
  feat: add catalog delete (anchore#1377)
  docs: remove file classifier (anchore#1397)
  chore: update latest cyclonedx library (anchore#1390)
  feat: Add Java binary catalogers (anchore#1392)
  chore: Update SPDX license list to 3.19 (anchore#1389)
  fix: add manual vendor/product removal to fix false flags (anchore#1070)
  Update Stereoscope to c5ff155d72f166e2332e160a75c3ff2b8e9c7e2e (anchore#1395)
  chore: fix test busybox image sha (anchore#1393)
  fix: go version not properly identified in binary (anchore#1384)
  Update Stereoscope to 3b80d983223f6e6fc2d33b0ffa003d30268418e9 (anchore#1376)
  fix: Update node binary package name (anchore#1375)
  feat: Generic Binary Cataloger (anchore#1336)
  recover from bad parsing of golang binary (anchore#1371)
  Fix parsing of apk databases with large entries (anchore#1365)
  ...
GijsCalis pushed a commit to GijsCalis/syft that referenced this pull request Feb 19, 2024
@cpendery
fix: add manual vendor/product removal to fix false flags (anchore#1070)
f8e685a 
Closes anchore#1066
Closes anchore/grype#800
Closes anchore/grype#491
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@spiffcs spiffcs spiffcs approved these changes

Assignees
No one assigned
Labels
None yet
Projects
OSS
Archived in project
Milestone
No milestone
2 participants
@cpendery @spiffcs