Skip to content

feat: enhanced OSV transformer#3252

Closed
willmurphyscode wants to merge 9 commits into
mainfrom
feat-osv-fixes-etc
Closed

feat: enhanced OSV transformer#3252
willmurphyscode wants to merge 9 commits into
mainfrom
feat-osv-fixes-etc

Conversation

@willmurphyscode

Copy link
Copy Markdown
Contributor

There have been a couple of vunnel PRs that are held up by the lack of generality in the OSV schema (which was originally written to handle Bitnami data specifically and then lightly patched to handle AlmaLinux data.)

Generalize the transformer so that the following PRs can be tested and merged:

The plan here is to get all of those PRs green and having quality gates (aside from the static analysis failing because they depend on a grype branch) and then merge this, and then merge them.

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
And add an r matcher

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
@willmurphyscode willmurphyscode marked this pull request as ready for review March 26, 2026 11:56
@willmurphyscode willmurphyscode marked this pull request as draft May 13, 2026 14:09
orizerah added a commit to orizerah/vunnel that referenced this pull request May 18, 2026
Set database_specific.anchore.record_type = "advisory" on every record so
grype-db's OSV transformer (anchore/grype#3252) routes the affected ranges
into UnaffectedPackageHandle rather than the affected store. Echo ships
patched builds of upstream PyPI/npm packages; treating those ranges as
"X is vulnerable" would false-positive every non-Echo consumer.

Also merge OSV 1.7 `upstream` into `aliases` (deduped) so cross-source
CVE/GHSA bridging works at scan time -- the transformer reads aliases but
not upstream, and without that bridge grype can't link an ECHO-* unaffected
record to a GHSA/NVD match on the same package.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
orizerah added a commit to orizerah/vunnel that referenced this pull request May 18, 2026
Set database_specific.anchore.record_type = "advisory" on every record so
grype-db's OSV transformer (anchore/grype#3252) routes the affected ranges
into UnaffectedPackageHandle rather than the affected store. Echo ships
patched builds of upstream PyPI/npm packages; treating those ranges as
"X is vulnerable" would false-positive every non-Echo consumer.

Also merge OSV 1.7 `upstream` into `aliases` (deduped) so cross-source
CVE/GHSA bridging works at scan time -- the transformer reads aliases but
not upstream, and without that bridge grype can't link an ECHO-* unaffected
record to a GHSA/NVD match on the same package.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: Ori Zerah <ori.zerah@echohq.com>
@willmurphyscode

Copy link
Copy Markdown
Contributor Author

Closed in favor of #3441

@willmurphyscode willmurphyscode deleted the feat-osv-fixes-etc branch June 9, 2026 13:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant