feat: populate package architecture for matching#3504
Conversation
|
|
||
| func purlEnhancers(applyChannel func(*distro.Distro) bool) []Enhancer { | ||
| return []Enhancer{setUpstreamsFromPURL, setDistroFromPURL(applyChannel)} | ||
| return []Enhancer{setUpstreamsFromPURL, setArchFromPURL, setDistroFromPURL(applyChannel)} |
There was a problem hiding this comment.
From @wagoodman this should be added to types where it matters as well, like
grype/grype/pkg/rpm_metadata.go
Line 3 in f54a905
| return d | ||
| } | ||
|
|
||
| func setArchFromPURL(out *Package, purl packageurl.PackageURL, _ syftPkg.Package) { |
There was a problem hiding this comment.
Additionally, we should set this in metadata things: https://github.com/anchore/grype/blob/main/grype/pkg/apk_metadata.go#L12 for example written to here (and analogous changes for the RPM stuff.)
We might not need a PURL enhancer if we do it that way.
There was a problem hiding this comment.
Might be worth setting arch in here: https://github.com/anchore/syft/blob/main/syft/format/internal/backfill.go#L37 - otherwise we do need the enhancer in grype.
Enable matchers to filter on architecture-specific vulnerabilities or fixes. There are basically three changes here: First, wire up the package collection creator to populate architecture on the packages when an image is scanned or an sbom is loaded in Grype. Second, wire up the architecture package qualifier so that if a vulnerability or fix specifies that it is only applicable to a particular architecture, the matchers will respect this, and third, in the RPM matcher, specify `arch=src` when synthesizing the upstream package to search by (rather than letting it inherit the binary package's architecture). The qualifier logic is like this: If either the package or the DB record has a blank architecture, the filtering is a noop. If the package has a specific architecture and the DB record has 'src', the package is qualified, because a disclosure or fix in a src RPM for example is assumed to affect things built from it. If the DB record and the package both have specific binary architectures, but they don't match, e.g. x86_64 != aarch64, the package is not qualified and filters out. Architecture qualifiers are canonicalized at match time so, for example, an RPM that has x86_64 architecture is a qualified package on a vuln that affects "amd64" processors (assuming distro and everything else line up). This canonicalization is probably more important for future expansion since a given distro will probably use the same architecture strings as their own package manager. Hummingbird also has a special "binary-no-arch-specified" architecture that means, "this is not a src RPM". That is so that in Hummingbird data, if we have a package that says, 'upstream=glibc' in its PURL, and we have a glibc vuln against the binary but not the src RPM, we can fitler out this false positive. If a DB record has 'binary-no-arch-specified' as its architecture, any package that has any non-src architecture (or a blank architecture) is qualified, but src architecture is not. Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
OracleLinux had some existing false positives where the x86_64 package was fixed in an earlier version of the RPM than the aarch64 version, resulting in false positives when Grype checked against the aarch64 version. Add a dbtest for this scenario and update the RPM matcher and OS transformer to fix this case. Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
2120cc6 to
b70b46f
Compare
| // defaultAliases maps each non-canonical architecture spelling to its canonical token. The | ||
| // canonical token is arbitrary (we use the Go/OCI spelling); only equivalence matters, so a | ||
| // canonical spelling (e.g. "amd64") is intentionally absent and resolves to itself. | ||
| var defaultAliases = map[string]string{ |
There was a problem hiding this comment.
Does "all" : "noarch" belong in here?
| search.ByPackageName(upstreamPkg.Name), | ||
| search.ByDistro(rhelCompatibleDistro), | ||
| internal.OnlyQualifiedPackages(upstreamPkg), | ||
| internal.SourceOrUnspecifiedArch(), |
There was a problem hiding this comment.
I thought this helper was used only in hummingbird. Why the alma diff?
|
|
||
| for _, indirectPackage := range pkg.UpstreamPackages(p) { | ||
| indirectMatches, ignores, err := m.findMatches(provider, indirectPackage, internal.SourceOrUnspecifiedArch()) | ||
| // An rpm's upstream is its source rpm, so tag the synthesized package "src". The |
There was a problem hiding this comment.
Clean up this comment as this is now done in the helper.
| // entry matches any binary package but rejects the rpm matcher's synthesized "src" upstream, | ||
| // so providers that disclose at binary granularity (e.g. hummingbird CSAF VEX) avoid | ||
| // FP-matching unrelated sibling binaries built from the same source. | ||
| Architecture *string `json:"architecture,omitempty"` |
There was a problem hiding this comment.
This already shipped as a string, but maybe missed opportunity to do a Set[string] so that we could check "intersection of package arch with vuln arch is not empty" instead of equality.
| var defaultAliases = map[string]string{ | ||
| "x86_64": "amd64", | ||
| "x64": "amd64", | ||
| "aarch64": "arm64", |
There was a problem hiding this comment.
What about like arm64/v8? That's a thing that can be passed to --platform on docker CLI for example.
Also "architecture" and "platform" are not exactly this same thing and this conflates them?
| // fold to "amd64"). The architecture qualifier reads this table at match time so cross-dialect | ||
| // arch comparisons don't drop real matches; the data lives in the DB rather than the grype | ||
| // binary so the folding can change without a release. See pkg/qualifier/architecture. | ||
| type ArchitectureAlias struct { |
There was a problem hiding this comment.
Is this complete? Do we need an "is platform independent" bool column or something? Right now the source code knows that noarch and all mean "this thing applies across all architectures" but the database doesn't?
We think that this case be added later if need be, and that it is probably not necessary.
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
| } | ||
| tmp.CPEs = updatedCPEs | ||
|
|
||
| setSrcArchOnUpstream(&tmp) |
There was a problem hiding this comment.
This overrides any architectures that could be explicitly provided. I see that this is intentional, but does this consider that there might be instances where the vuln data is more specific than src? (say with hummingbird) .... there is a good chance this is a non-issue
There was a problem hiding this comment.
Well actually, doesn't oracle provider per-binary-per-arch NERVA's?
There was a problem hiding this comment.
So the idea here is that the upstream package is always a source RPM. This actually fixes false positives in Hummingbird and is an intentional and necessary part of this PR.
Consider this scan:
syft -q -o json quay.io/hummingbird/postgresql:latest@sha256:6eefb14bced346a8583011f84dd71de8249af74c060369be6ad73891b2a768f0 | jq '.artifacts[] | .purl' | rg glibc
which produces:
"pkg:rpm/redhat/glibc@2.42-10.1.hum1?arch=aarch64&distro=hummingbird-20251124&upstream=glibc-2.42-10.1.hum1.src.rpm"
"pkg:rpm/redhat/glibc-common@2.42-10.1.hum1?arch=aarch64&distro=hummingbird-20251124&upstream=glibc-2.42-10.1.hum1.src.rpm"
"pkg:rpm/redhat/glibc-langpack-en@2.42-10.1.hum1?arch=aarch64&distro=hummingbird-20251124&upstream=glibc-2.42-10.1.hum1.src.rpm"
And this CSAF VEX:
"product_status": {
"fixed": [
"hummingbird-1:glibc-0:2.42-12.hum1", // binary rpm
"hummingbird-1:glibc-0:2.42-12.hum1.src", // src rpm, removed intentionally in datat processing
...In this case, glibc-langpack-en has the upstream glibc, and the binary glibc is vulnerable. However, before this change, glibc-langpack-en could be reported as vulnerable because its upstream has the same name as a vulnerable binary. However, that would be considered an FP. This is a change to allow us to consider upstream matching still, but only if the upstream package is a src rpm, so that marking a binary rpm that has the same name as a bunch of source rpm's upstream (like glibc) doesn't produce a wave of FPs.
There was a problem hiding this comment.
Well actually, doesn't oracle provider per-binary-per-arch NERVA's?
I don't think anyone has architecture on their src RPMs, and upstream will always be a src rpm? But I confess I don't completely understand the comment.
There was a problem hiding this comment.
@wagoodman I don't think this matters on oracle. the OVAL files seem to list every binary RPM anyway, and I don't think the notion of a non src upstream makes sense. This only sets arch on upstreams.
| // defaultAliases maps each non-canonical architecture spelling to its canonical token. The | ||
| // canonical token is arbitrary (we use the Go/OCI spelling); only equivalence matters, so a | ||
| // canonical spelling (e.g. "amd64") is intentionally absent and resolves to itself. | ||
| var defaultAliases = map[string]string{ |
There was a problem hiding this comment.
just want to state clearly but this isn't a comment to address, but instead a specific feature designed in: the DB is authoritative over clients, so newer clients that have old DBs might run into issues, but in these cases we expect folks to update their dbs. This is a nice feature of using the DB since DBs ship nightly instead of needing to upgrade the client.
| // pkg/qualifier/architecture to match a package against the architecture a vulnerability | ||
| // entry applies to. Cross-dialect aliases (amd64↔x86_64, ...) are reconciled there, so | ||
| // this is intentionally a raw string rather than an enum. | ||
| Arch string `json:"architecture" cyclonedx:"architecture"` |
There was a problem hiding this comment.
nit, this could have omitempty
* give install script uploader contents: read (anchore#3489) Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * Govulndb OSV transformer (anchore#3485) * govulndb osv Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * add fixed dates to govulndb osv transformer Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * enforce lowercase ids on cache Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> --------- Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * chore(deps): update tool versions (anchore#3488) Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com> Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com> * chore(deps): update quality gate database (anchore#3478) Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com> Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com> * feat(scan): add support for a Zarf scan target (anchore#3366) Signed-off-by: Brandt Keller <brandt.keller@defenseunicorns.com> * fix: respect withdrawn status of Go Vuln DB OSV records (anchore#3495) Otherwise we get false positives. Includes a matcher test to assert that Grype does not find withdrawn go vulns. Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * chore(deps): update anchore dependencies (anchore#3487) Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com> Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com> * test: add test fixtures for multi RHSA records from vunnel (anchore#3480) Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * fix: avoid panic on invalid RHEL version IDs (anchore#3490) Signed-off-by: Jeremy Spilman <jeremy.spilman@anchore.com> * chore(deps): bump the actions-minor-patch group across 2 directories with 7 updates (anchore#3503) Bumps the actions-minor-patch group with 6 updates in the / directory: | Package | From | To | | --- | --- | --- | | [anchore/workflows/.github/workflows/codeql.yaml](https://github.com/anchore/workflows) | `0.7.0` | `0.7.2` | | [anchore/workflows/.github/workflows/check-version-available.yaml](https://github.com/anchore/workflows) | `0.7.0` | `0.7.2` | | [anchore/workflows/.github/workflows/check-gate.yaml](https://github.com/anchore/workflows) | `0.7.0` | `0.7.2` | | [actions/checkout](https://github.com/actions/checkout) | `6.0.2` | `6.0.3` | | [anchore/workflows/.github/workflows/release-install-script.yaml](https://github.com/anchore/workflows) | `0.7.0` | `0.7.2` | | [github/codeql-action](https://github.com/github/codeql-action) | `4.36.0` | `4.36.2` | Bumps the actions-minor-patch group with 1 update in the /.github/actions/bootstrap directory: [anchore/go-make](https://github.com/anchore/go-make). Updates `anchore/workflows/.github/workflows/codeql.yaml` from 0.7.0 to 0.7.2 - [Release notes](https://github.com/anchore/workflows/releases) - [Commits](anchore/workflows@b3e328b...b0c30a8) Updates `anchore/workflows/.github/workflows/check-version-available.yaml` from 0.7.0 to 0.7.2 - [Release notes](https://github.com/anchore/workflows/releases) - [Commits](anchore/workflows@b3e328b...b0c30a8) Updates `anchore/workflows/.github/workflows/check-gate.yaml` from 0.7.0 to 0.7.2 - [Release notes](https://github.com/anchore/workflows/releases) - [Commits](anchore/workflows@b3e328b...b0c30a8) Updates `actions/checkout` from 6.0.2 to 6.0.3 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@de0fac2...df4cb1c) Updates `anchore/workflows/.github/workflows/release-install-script.yaml` from 0.7.0 to 0.7.2 - [Release notes](https://github.com/anchore/workflows/releases) - [Commits](anchore/workflows@b3e328b...b0c30a8) Updates `github/codeql-action` from 4.36.0 to 4.36.2 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@7211b7c...8aad20d) Updates `anchore/go-make` from 0.5.0 to 0.6.0 - [Release notes](https://github.com/anchore/go-make/releases) - [Commits](anchore/go-make@9de27be...39fe5f7) --- updated-dependencies: - dependency-name: anchore/workflows/.github/workflows/codeql.yaml dependency-version: 0.7.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions-minor-patch - dependency-name: anchore/workflows/.github/workflows/check-version-available.yaml dependency-version: 0.7.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions-minor-patch - dependency-name: anchore/workflows/.github/workflows/check-gate.yaml dependency-version: 0.7.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions-minor-patch - dependency-name: actions/checkout dependency-version: 6.0.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions-minor-patch - dependency-name: anchore/workflows/.github/workflows/release-install-script.yaml dependency-version: 0.7.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions-minor-patch - dependency-name: github/codeql-action dependency-version: 4.36.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions-minor-patch - dependency-name: anchore/go-make dependency-version: 0.6.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-minor-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * exclude linux-kbuild deb indirect matches by default (anchore#3506) Signed-off-by: Weston Steimel <author@code.w.steimel.me.uk> * Add OSV Model generator (anchore#3499) * Add OSV Model generator Previously, there was an OSV scanner repository that exported a models.Vulnerability struct we could use. That repository deprecated their exported models and the models in grype are falling behind. Therefore, add a generator target that generates our own models based on the latest v1 JSON scehma from the official OSV spec repository. In this way automation can PR new models in. Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * less coupled generator Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * parse severity as singular and drop entry type Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * Remove v1 from file names If we need a v2 model, we should have a package with v2 in the path so that both can be imported. v1 in a filename is just noise. Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> --------- Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com> * chore(deps): bump github.com/anchore/go-make (anchore#3502) Bumps the go-minor-patch group with 1 update in the /.make directory: [github.com/anchore/go-make](https://github.com/anchore/go-make). Updates `github.com/anchore/go-make` from 0.5.0 to 0.6.0 - [Release notes](https://github.com/anchore/go-make/releases) - [Commits](anchore/go-make@v0.5.0...v0.6.0) --- updated-dependencies: - dependency-name: github.com/anchore/go-make dependency-version: 0.6.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-minor-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * fix(go-vulndb): merge in custom ranges when applicable (anchore#3514) * fix(go-vulndb): merge in custom ranges when applicable Go OSV data has the standard OSV ranges, but also has custom ranges. Packages that do non-standard go versioning, for example by pushing a tag that starts with v2.x.y but not adding a /v2 in their module path, get relegated to the custom ranges field. In other words, there is one affected range for "strictly go versioning compliant versions" and another set of ranges for "version control tags that are not perfectly compliant". Previously, Grype just ignore this second bucket of version ranges, resulting in a meaningful number of false positives. Fix this by, if custom ranges are present, stripping out unbounded (e.g. > 0) ranges from the regular ranges and then unioning the two range sets. Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * cleanup: avoid double parsing ranges, clean up comments Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * fix up go vuln db transformer Includes using mapstructure to deserialize custom fields, and some readability refactors. Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> --------- Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * fix: disable go stdlib CPE matching by default. (anchore#3517) Previously, because GHSA does not cover the go stdlib, in order to avoid false negatives on the go stdlib, CPE matching had to be used. However, grype now includes the Go Vuln DB data it its database, which does include the stdlib as if a regular go module, so this CPE fallback can be disabled by default, fixing many false positives. Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * chore(deps): bump the go-minor-patch group across 1 directory with 2 updates (anchore#3518) Bumps the go-minor-patch group with 2 updates in the / directory: [golang.org/x/text](https://github.com/golang/text) and [golang.org/x/tools](https://github.com/golang/tools). Updates `golang.org/x/text` from 0.37.0 to 0.38.0 - [Release notes](https://github.com/golang/text/releases) - [Commits](golang/text@v0.37.0...v0.38.0) Updates `golang.org/x/tools` from 0.45.0 to 0.46.0 - [Release notes](https://github.com/golang/tools/releases) - [Commits](golang/tools@v0.45.0...v0.46.0) --- updated-dependencies: - dependency-name: golang.org/x/text dependency-version: 0.38.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-minor-patch - dependency-name: golang.org/x/tools dependency-version: 0.46.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-minor-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * fix(hummingbird): mark hummingbird distro as rolling (anchore#3521) Previous hummingbird work incorrectly marked only the search side (data.go) as having a rolling label. Therefore also mark hummingbird as a rolling distro at database creation time. Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * refactor release pipeline: TAG_TOKEN, skip-checks gate, go-make bump, dependabot/zizmor/gci cleanup (anchore#3524) Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * chore(deps): bump github.com/containerd/containerd/v2 (anchore#3525) Bumps [github.com/containerd/containerd/v2](https://github.com/containerd/containerd) from 2.3.1 to 2.3.2. - [Release notes](https://github.com/containerd/containerd/releases) - [Changelog](https://github.com/containerd/containerd/blob/main/RELEASES.md) - [Commits](containerd/containerd@v2.3.1...v2.3.2) --- updated-dependencies: - dependency-name: github.com/containerd/containerd/v2 dependency-version: 2.3.2 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * fix(govulndb): mix floors from custom ranges as appropriate (anchore#3522) Previously, lower and upper bounds on vulnerable windows would be ORed together if part of the range was reported in osv standard affected events and the other part was reported in OSV ecosystem-specific custom_ranges events. Fix the merge logic so that floors from the custom ranges have the correct effect. Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * fix(govulndb): only emit records for stdlib (anchore#3527) * fix(govulndb): only emit records for stdlib For third party go packages, go vuln db has some very strange version ranges, and this has caused a number of false positive reports. Additionally, for most of them, Grype currently reports both a GHSA and a GO record, resulting in user confusion. However, there is one key class of record available in the go vuln db that is not in GHSA: records affecting the go stdlib itself (that is, the core parts of the langage that are statically linked into every go binary). Therefore, for now, emit only records relating to the go stdlib. Future enhancements can pull in additional data related to third party go packages in go vuln db. Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * Clean up some additional test fixtures Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> --------- Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * Update go-make to v0.8.0 (anchore#3528) Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * chore(units): account for changes in Syft and fix stale listing file (anchore#3532) Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * feat(govulndb): emit golang.org/x/net vulns from govlundb (anchore#3534) These packages are not covered by GHSA and generally have well-formed versions, so emit them. Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * chore(deps): update anchore dependencies (anchore#3498) Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com> Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com> * chore(deps): bump actions/checkout from 6.0.3 to 7.0.0 (anchore#3535) Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.3 to 7.0.0. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@df4cb1c...9c091bb) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 7.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): update quality gate database (anchore#3543) Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com> Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com> * feat: populate package architecture for matching (anchore#3504) * feat: populate package architecture for matching Enable matchers to filter on architecture-specific vulnerabilities or fixes. There are basically three changes here: First, wire up the package collection creator to populate architecture on the packages when an image is scanned or an sbom is loaded in Grype. Second, wire up the architecture package qualifier so that if a vulnerability or fix specifies that it is only applicable to a particular architecture, the matchers will respect this, and third, in the RPM matcher, specify `arch=src` when synthesizing the upstream package to search by (rather than letting it inherit the binary package's architecture). The qualifier logic is like this: If either the package or the DB record has a blank architecture, the filtering is a noop. If the package has a specific architecture and the DB record has 'src', the package is qualified, because a disclosure or fix in a src RPM for example is assumed to affect things built from it. If the DB record and the package both have specific binary architectures, but they don't match, e.g. x86_64 != aarch64, the package is not qualified and filters out. Architecture qualifiers are canonicalized at match time so, for example, an RPM that has x86_64 architecture is a qualified package on a vuln that affects "amd64" processors (assuming distro and everything else line up). This canonicalization is probably more important for future expansion since a given distro will probably use the same architecture strings as their own package manager. Hummingbird also has a special "binary-no-arch-specified" architecture that means, "this is not a src RPM". That is so that in Hummingbird data, if we have a package that says, 'upstream=glibc' in its PURL, and we have a glibc vuln against the binary but not the src RPM, we can fitler out this false positive. If a DB record has 'binary-no-arch-specified' as its architecture, any package that has any non-src architecture (or a blank architecture) is qualified, but src architecture is not. Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * Make architecture aliases data driven Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * handle noarch / all arch Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * Wire up end-to-end architecture specific matching for OL OracleLinux had some existing false positives where the x86_64 package was fixed in an earlier version of the RPM than the aarch64 version, resulting in false positives when Grype checked against the aarch64 version. Add a dbtest for this scenario and update the RPM matcher and OS transformer to fix this case. Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * move setting src arch on upstream to helper Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * exhaustive tests for package arch qualifier Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> --------- Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * fix(zarf): swap warn messages for debug (anchore#3545) Signed-off-by: Brandt Keller <brandt.keller@defenseunicorns.com> * chore(deps): bump anchore/workflows/.github/workflows/check-version-available.yaml (anchore#3547) Bumps [anchore/workflows/.github/workflows/check-version-available.yaml](https://github.com/anchore/workflows) from 0.7.2 to 0.8.0. - [Release notes](https://github.com/anchore/workflows/releases) - [Commits](anchore/workflows@b0c30a8...7212994) --- updated-dependencies: - dependency-name: anchore/workflows/.github/workflows/check-version-available.yaml dependency-version: 0.8.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump zizmorcore/zizmor-action from 0.5.6 to 0.5.7 (anchore#3549) Bumps [zizmorcore/zizmor-action](https://github.com/zizmorcore/zizmor-action) from 0.5.6 to 0.5.7. - [Release notes](https://github.com/zizmorcore/zizmor-action/releases) - [Commits](zizmorcore/zizmor-action@5f14fd0...192e21d) --- updated-dependencies: - dependency-name: zizmorcore/zizmor-action dependency-version: 0.5.7 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump anchore/workflows/.github/workflows/codeql.yaml (anchore#3548) Bumps [anchore/workflows/.github/workflows/codeql.yaml](https://github.com/anchore/workflows) from 0.7.2 to 0.8.0. - [Release notes](https://github.com/anchore/workflows/releases) - [Commits](anchore/workflows@b0c30a8...7212994) --- updated-dependencies: - dependency-name: anchore/workflows/.github/workflows/codeql.yaml dependency-version: 0.8.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump golang.org/x/tools from 0.46.0 to 0.47.0 (anchore#3550) Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.46.0 to 0.47.0. - [Release notes](https://github.com/golang/tools/releases) - [Commits](golang/tools@v0.46.0...v0.47.0) --- updated-dependencies: - dependency-name: golang.org/x/tools dependency-version: 0.47.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump actions/cache/restore in /.github/actions/bootstrap (anchore#3556) Bumps [actions/cache/restore](https://github.com/actions/cache) from 5.0.5 to 6.1.0. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](actions/cache@27d5ce7...55cc834) --- updated-dependencies: - dependency-name: actions/cache/restore dependency-version: 6.1.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump actions/cache from 5.0.5 to 6.1.0 (anchore#3551) Bumps [actions/cache](https://github.com/actions/cache) from 5.0.5 to 6.1.0. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](actions/cache@27d5ce7...55cc834) --- updated-dependencies: - dependency-name: actions/cache dependency-version: 6.1.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump anchore/go-make/.github/actions/setup (anchore#3555) Bumps [anchore/go-make/.github/actions/setup](https://github.com/anchore/go-make) from 0.6.0 to 0.8.0. - [Release notes](https://github.com/anchore/go-make/releases) - [Commits](anchore/go-make@39fe5f7...430e217) --- updated-dependencies: - dependency-name: anchore/go-make/.github/actions/setup dependency-version: 0.8.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump actions/cache in /.github/actions/bootstrap (anchore#3558) Bumps [actions/cache](https://github.com/actions/cache) from 5.0.5 to 6.1.0. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](actions/cache@27d5ce7...55cc834) --- updated-dependencies: - dependency-name: actions/cache dependency-version: 6.1.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump gorm.io/gorm from 1.31.1 to 1.31.2 (anchore#3557) Bumps [gorm.io/gorm](https://github.com/go-gorm/gorm) from 1.31.1 to 1.31.2. - [Release notes](https://github.com/go-gorm/gorm/releases) - [Commits](go-gorm/gorm@v1.31.1...v1.31.2) --- updated-dependencies: - dependency-name: gorm.io/gorm dependency-version: 1.31.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --------- Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com> Signed-off-by: Brandt Keller <brandt.keller@defenseunicorns.com> Signed-off-by: Jeremy Spilman <jeremy.spilman@anchore.com> Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Weston Steimel <author@code.w.steimel.me.uk> Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> Co-authored-by: Will Murphy <willmurphyscode@users.noreply.github.com> Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@anchore.com> Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com> Co-authored-by: Brandt Keller <43887158+brandtkeller@users.noreply.github.com> Co-authored-by: Jeremy Spilman <jeremy.spilman@anchore.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Weston Steimel <author@code.w.steimel.me.uk> Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
* give install script uploader contents: read (anchore#3489) Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * Govulndb OSV transformer (anchore#3485) * govulndb osv Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * add fixed dates to govulndb osv transformer Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * enforce lowercase ids on cache Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> --------- Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * chore(deps): update tool versions (anchore#3488) Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com> Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com> * chore(deps): update quality gate database (anchore#3478) Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com> Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com> * feat(scan): add support for a Zarf scan target (anchore#3366) Signed-off-by: Brandt Keller <brandt.keller@defenseunicorns.com> * fix: respect withdrawn status of Go Vuln DB OSV records (anchore#3495) Otherwise we get false positives. Includes a matcher test to assert that Grype does not find withdrawn go vulns. Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * chore(deps): update anchore dependencies (anchore#3487) Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com> Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com> * test: add test fixtures for multi RHSA records from vunnel (anchore#3480) Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * fix: avoid panic on invalid RHEL version IDs (anchore#3490) Signed-off-by: Jeremy Spilman <jeremy.spilman@anchore.com> * chore(deps): bump the actions-minor-patch group across 2 directories with 7 updates (anchore#3503) Bumps the actions-minor-patch group with 6 updates in the / directory: | Package | From | To | | --- | --- | --- | | [anchore/workflows/.github/workflows/codeql.yaml](https://github.com/anchore/workflows) | `0.7.0` | `0.7.2` | | [anchore/workflows/.github/workflows/check-version-available.yaml](https://github.com/anchore/workflows) | `0.7.0` | `0.7.2` | | [anchore/workflows/.github/workflows/check-gate.yaml](https://github.com/anchore/workflows) | `0.7.0` | `0.7.2` | | [actions/checkout](https://github.com/actions/checkout) | `6.0.2` | `6.0.3` | | [anchore/workflows/.github/workflows/release-install-script.yaml](https://github.com/anchore/workflows) | `0.7.0` | `0.7.2` | | [github/codeql-action](https://github.com/github/codeql-action) | `4.36.0` | `4.36.2` | Bumps the actions-minor-patch group with 1 update in the /.github/actions/bootstrap directory: [anchore/go-make](https://github.com/anchore/go-make). Updates `anchore/workflows/.github/workflows/codeql.yaml` from 0.7.0 to 0.7.2 - [Release notes](https://github.com/anchore/workflows/releases) - [Commits](anchore/workflows@b3e328b...b0c30a8) Updates `anchore/workflows/.github/workflows/check-version-available.yaml` from 0.7.0 to 0.7.2 - [Release notes](https://github.com/anchore/workflows/releases) - [Commits](anchore/workflows@b3e328b...b0c30a8) Updates `anchore/workflows/.github/workflows/check-gate.yaml` from 0.7.0 to 0.7.2 - [Release notes](https://github.com/anchore/workflows/releases) - [Commits](anchore/workflows@b3e328b...b0c30a8) Updates `actions/checkout` from 6.0.2 to 6.0.3 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@de0fac2...df4cb1c) Updates `anchore/workflows/.github/workflows/release-install-script.yaml` from 0.7.0 to 0.7.2 - [Release notes](https://github.com/anchore/workflows/releases) - [Commits](anchore/workflows@b3e328b...b0c30a8) Updates `github/codeql-action` from 4.36.0 to 4.36.2 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@7211b7c...8aad20d) Updates `anchore/go-make` from 0.5.0 to 0.6.0 - [Release notes](https://github.com/anchore/go-make/releases) - [Commits](anchore/go-make@9de27be...39fe5f7) --- updated-dependencies: - dependency-name: anchore/workflows/.github/workflows/codeql.yaml dependency-version: 0.7.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions-minor-patch - dependency-name: anchore/workflows/.github/workflows/check-version-available.yaml dependency-version: 0.7.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions-minor-patch - dependency-name: anchore/workflows/.github/workflows/check-gate.yaml dependency-version: 0.7.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions-minor-patch - dependency-name: actions/checkout dependency-version: 6.0.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions-minor-patch - dependency-name: anchore/workflows/.github/workflows/release-install-script.yaml dependency-version: 0.7.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions-minor-patch - dependency-name: github/codeql-action dependency-version: 4.36.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions-minor-patch - dependency-name: anchore/go-make dependency-version: 0.6.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-minor-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * exclude linux-kbuild deb indirect matches by default (anchore#3506) Signed-off-by: Weston Steimel <author@code.w.steimel.me.uk> * Add OSV Model generator (anchore#3499) * Add OSV Model generator Previously, there was an OSV scanner repository that exported a models.Vulnerability struct we could use. That repository deprecated their exported models and the models in grype are falling behind. Therefore, add a generator target that generates our own models based on the latest v1 JSON scehma from the official OSV spec repository. In this way automation can PR new models in. Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * less coupled generator Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * parse severity as singular and drop entry type Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * Remove v1 from file names If we need a v2 model, we should have a package with v2 in the path so that both can be imported. v1 in a filename is just noise. Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> --------- Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com> * chore(deps): bump github.com/anchore/go-make (anchore#3502) Bumps the go-minor-patch group with 1 update in the /.make directory: [github.com/anchore/go-make](https://github.com/anchore/go-make). Updates `github.com/anchore/go-make` from 0.5.0 to 0.6.0 - [Release notes](https://github.com/anchore/go-make/releases) - [Commits](anchore/go-make@v0.5.0...v0.6.0) --- updated-dependencies: - dependency-name: github.com/anchore/go-make dependency-version: 0.6.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-minor-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * fix(go-vulndb): merge in custom ranges when applicable (anchore#3514) * fix(go-vulndb): merge in custom ranges when applicable Go OSV data has the standard OSV ranges, but also has custom ranges. Packages that do non-standard go versioning, for example by pushing a tag that starts with v2.x.y but not adding a /v2 in their module path, get relegated to the custom ranges field. In other words, there is one affected range for "strictly go versioning compliant versions" and another set of ranges for "version control tags that are not perfectly compliant". Previously, Grype just ignore this second bucket of version ranges, resulting in a meaningful number of false positives. Fix this by, if custom ranges are present, stripping out unbounded (e.g. > 0) ranges from the regular ranges and then unioning the two range sets. Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * cleanup: avoid double parsing ranges, clean up comments Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * fix up go vuln db transformer Includes using mapstructure to deserialize custom fields, and some readability refactors. Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> --------- Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * fix: disable go stdlib CPE matching by default. (anchore#3517) Previously, because GHSA does not cover the go stdlib, in order to avoid false negatives on the go stdlib, CPE matching had to be used. However, grype now includes the Go Vuln DB data it its database, which does include the stdlib as if a regular go module, so this CPE fallback can be disabled by default, fixing many false positives. Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * chore(deps): bump the go-minor-patch group across 1 directory with 2 updates (anchore#3518) Bumps the go-minor-patch group with 2 updates in the / directory: [golang.org/x/text](https://github.com/golang/text) and [golang.org/x/tools](https://github.com/golang/tools). Updates `golang.org/x/text` from 0.37.0 to 0.38.0 - [Release notes](https://github.com/golang/text/releases) - [Commits](golang/text@v0.37.0...v0.38.0) Updates `golang.org/x/tools` from 0.45.0 to 0.46.0 - [Release notes](https://github.com/golang/tools/releases) - [Commits](golang/tools@v0.45.0...v0.46.0) --- updated-dependencies: - dependency-name: golang.org/x/text dependency-version: 0.38.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-minor-patch - dependency-name: golang.org/x/tools dependency-version: 0.46.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-minor-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * fix(hummingbird): mark hummingbird distro as rolling (anchore#3521) Previous hummingbird work incorrectly marked only the search side (data.go) as having a rolling label. Therefore also mark hummingbird as a rolling distro at database creation time. Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * refactor release pipeline: TAG_TOKEN, skip-checks gate, go-make bump, dependabot/zizmor/gci cleanup (anchore#3524) Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * chore(deps): bump github.com/containerd/containerd/v2 (anchore#3525) Bumps [github.com/containerd/containerd/v2](https://github.com/containerd/containerd) from 2.3.1 to 2.3.2. - [Release notes](https://github.com/containerd/containerd/releases) - [Changelog](https://github.com/containerd/containerd/blob/main/RELEASES.md) - [Commits](containerd/containerd@v2.3.1...v2.3.2) --- updated-dependencies: - dependency-name: github.com/containerd/containerd/v2 dependency-version: 2.3.2 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * fix(govulndb): mix floors from custom ranges as appropriate (anchore#3522) Previously, lower and upper bounds on vulnerable windows would be ORed together if part of the range was reported in osv standard affected events and the other part was reported in OSV ecosystem-specific custom_ranges events. Fix the merge logic so that floors from the custom ranges have the correct effect. Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * fix(govulndb): only emit records for stdlib (anchore#3527) * fix(govulndb): only emit records for stdlib For third party go packages, go vuln db has some very strange version ranges, and this has caused a number of false positive reports. Additionally, for most of them, Grype currently reports both a GHSA and a GO record, resulting in user confusion. However, there is one key class of record available in the go vuln db that is not in GHSA: records affecting the go stdlib itself (that is, the core parts of the langage that are statically linked into every go binary). Therefore, for now, emit only records relating to the go stdlib. Future enhancements can pull in additional data related to third party go packages in go vuln db. Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * Clean up some additional test fixtures Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> --------- Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * Update go-make to v0.8.0 (anchore#3528) Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * chore(units): account for changes in Syft and fix stale listing file (anchore#3532) Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * feat(govulndb): emit golang.org/x/net vulns from govlundb (anchore#3534) These packages are not covered by GHSA and generally have well-formed versions, so emit them. Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * chore(deps): update anchore dependencies (anchore#3498) Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com> Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com> * chore(deps): bump actions/checkout from 6.0.3 to 7.0.0 (anchore#3535) Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.3 to 7.0.0. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@df4cb1c...9c091bb) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 7.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): update quality gate database (anchore#3543) Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com> Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com> * feat: populate package architecture for matching (anchore#3504) * feat: populate package architecture for matching Enable matchers to filter on architecture-specific vulnerabilities or fixes. There are basically three changes here: First, wire up the package collection creator to populate architecture on the packages when an image is scanned or an sbom is loaded in Grype. Second, wire up the architecture package qualifier so that if a vulnerability or fix specifies that it is only applicable to a particular architecture, the matchers will respect this, and third, in the RPM matcher, specify `arch=src` when synthesizing the upstream package to search by (rather than letting it inherit the binary package's architecture). The qualifier logic is like this: If either the package or the DB record has a blank architecture, the filtering is a noop. If the package has a specific architecture and the DB record has 'src', the package is qualified, because a disclosure or fix in a src RPM for example is assumed to affect things built from it. If the DB record and the package both have specific binary architectures, but they don't match, e.g. x86_64 != aarch64, the package is not qualified and filters out. Architecture qualifiers are canonicalized at match time so, for example, an RPM that has x86_64 architecture is a qualified package on a vuln that affects "amd64" processors (assuming distro and everything else line up). This canonicalization is probably more important for future expansion since a given distro will probably use the same architecture strings as their own package manager. Hummingbird also has a special "binary-no-arch-specified" architecture that means, "this is not a src RPM". That is so that in Hummingbird data, if we have a package that says, 'upstream=glibc' in its PURL, and we have a glibc vuln against the binary but not the src RPM, we can fitler out this false positive. If a DB record has 'binary-no-arch-specified' as its architecture, any package that has any non-src architecture (or a blank architecture) is qualified, but src architecture is not. Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * Make architecture aliases data driven Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * handle noarch / all arch Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * Wire up end-to-end architecture specific matching for OL OracleLinux had some existing false positives where the x86_64 package was fixed in an earlier version of the RPM than the aarch64 version, resulting in false positives when Grype checked against the aarch64 version. Add a dbtest for this scenario and update the RPM matcher and OS transformer to fix this case. Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * move setting src arch on upstream to helper Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * exhaustive tests for package arch qualifier Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> --------- Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * fix(zarf): swap warn messages for debug (anchore#3545) Signed-off-by: Brandt Keller <brandt.keller@defenseunicorns.com> * chore(deps): bump anchore/workflows/.github/workflows/check-version-available.yaml (anchore#3547) Bumps [anchore/workflows/.github/workflows/check-version-available.yaml](https://github.com/anchore/workflows) from 0.7.2 to 0.8.0. - [Release notes](https://github.com/anchore/workflows/releases) - [Commits](anchore/workflows@b0c30a8...7212994) --- updated-dependencies: - dependency-name: anchore/workflows/.github/workflows/check-version-available.yaml dependency-version: 0.8.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump zizmorcore/zizmor-action from 0.5.6 to 0.5.7 (anchore#3549) Bumps [zizmorcore/zizmor-action](https://github.com/zizmorcore/zizmor-action) from 0.5.6 to 0.5.7. - [Release notes](https://github.com/zizmorcore/zizmor-action/releases) - [Commits](zizmorcore/zizmor-action@5f14fd0...192e21d) --- updated-dependencies: - dependency-name: zizmorcore/zizmor-action dependency-version: 0.5.7 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump anchore/workflows/.github/workflows/codeql.yaml (anchore#3548) Bumps [anchore/workflows/.github/workflows/codeql.yaml](https://github.com/anchore/workflows) from 0.7.2 to 0.8.0. - [Release notes](https://github.com/anchore/workflows/releases) - [Commits](anchore/workflows@b0c30a8...7212994) --- updated-dependencies: - dependency-name: anchore/workflows/.github/workflows/codeql.yaml dependency-version: 0.8.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump golang.org/x/tools from 0.46.0 to 0.47.0 (anchore#3550) Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.46.0 to 0.47.0. - [Release notes](https://github.com/golang/tools/releases) - [Commits](golang/tools@v0.46.0...v0.47.0) --- updated-dependencies: - dependency-name: golang.org/x/tools dependency-version: 0.47.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump actions/cache/restore in /.github/actions/bootstrap (anchore#3556) Bumps [actions/cache/restore](https://github.com/actions/cache) from 5.0.5 to 6.1.0. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](actions/cache@27d5ce7...55cc834) --- updated-dependencies: - dependency-name: actions/cache/restore dependency-version: 6.1.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump actions/cache from 5.0.5 to 6.1.0 (anchore#3551) Bumps [actions/cache](https://github.com/actions/cache) from 5.0.5 to 6.1.0. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](actions/cache@27d5ce7...55cc834) --- updated-dependencies: - dependency-name: actions/cache dependency-version: 6.1.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump anchore/go-make/.github/actions/setup (anchore#3555) Bumps [anchore/go-make/.github/actions/setup](https://github.com/anchore/go-make) from 0.6.0 to 0.8.0. - [Release notes](https://github.com/anchore/go-make/releases) - [Commits](anchore/go-make@39fe5f7...430e217) --- updated-dependencies: - dependency-name: anchore/go-make/.github/actions/setup dependency-version: 0.8.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump actions/cache in /.github/actions/bootstrap (anchore#3558) Bumps [actions/cache](https://github.com/actions/cache) from 5.0.5 to 6.1.0. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](actions/cache@27d5ce7...55cc834) --- updated-dependencies: - dependency-name: actions/cache dependency-version: 6.1.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump gorm.io/gorm from 1.31.1 to 1.31.2 (anchore#3557) Bumps [gorm.io/gorm](https://github.com/go-gorm/gorm) from 1.31.1 to 1.31.2. - [Release notes](https://github.com/go-gorm/gorm/releases) - [Commits](go-gorm/gorm@v1.31.1...v1.31.2) --- updated-dependencies: - dependency-name: gorm.io/gorm dependency-version: 1.31.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --------- Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com> Signed-off-by: Brandt Keller <brandt.keller@defenseunicorns.com> Signed-off-by: Jeremy Spilman <jeremy.spilman@anchore.com> Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Weston Steimel <author@code.w.steimel.me.uk> Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> Co-authored-by: Will Murphy <willmurphyscode@users.noreply.github.com> Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@anchore.com> Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com> Co-authored-by: Brandt Keller <43887158+brandtkeller@users.noreply.github.com> Co-authored-by: Jeremy Spilman <jeremy.spilman@anchore.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Weston Steimel <author@code.w.steimel.me.uk> Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com> Signed-off-by: Janit Lodha <janit.lodha@rapidfort.com>
* give install script uploader contents: read (anchore#3489) * Govulndb OSV transformer (anchore#3485) * govulndb osv * add fixed dates to govulndb osv transformer * enforce lowercase ids on cache --------- * chore(deps): update tool versions (anchore#3488) * chore(deps): update quality gate database (anchore#3478) * feat(scan): add support for a Zarf scan target (anchore#3366) * fix: respect withdrawn status of Go Vuln DB OSV records (anchore#3495) Otherwise we get false positives. Includes a matcher test to assert that Grype does not find withdrawn go vulns. * chore(deps): update anchore dependencies (anchore#3487) * test: add test fixtures for multi RHSA records from vunnel (anchore#3480) * fix: avoid panic on invalid RHEL version IDs (anchore#3490) * chore(deps): bump the actions-minor-patch group across 2 directories with 7 updates (anchore#3503) Bumps the actions-minor-patch group with 6 updates in the / directory: | Package | From | To | | --- | --- | --- | | [anchore/workflows/.github/workflows/codeql.yaml](https://github.com/anchore/workflows) | `0.7.0` | `0.7.2` | | [anchore/workflows/.github/workflows/check-version-available.yaml](https://github.com/anchore/workflows) | `0.7.0` | `0.7.2` | | [anchore/workflows/.github/workflows/check-gate.yaml](https://github.com/anchore/workflows) | `0.7.0` | `0.7.2` | | [actions/checkout](https://github.com/actions/checkout) | `6.0.2` | `6.0.3` | | [anchore/workflows/.github/workflows/release-install-script.yaml](https://github.com/anchore/workflows) | `0.7.0` | `0.7.2` | | [github/codeql-action](https://github.com/github/codeql-action) | `4.36.0` | `4.36.2` | Bumps the actions-minor-patch group with 1 update in the /.github/actions/bootstrap directory: [anchore/go-make](https://github.com/anchore/go-make). Updates `anchore/workflows/.github/workflows/codeql.yaml` from 0.7.0 to 0.7.2 - [Release notes](https://github.com/anchore/workflows/releases) - [Commits](anchore/workflows@b3e328b...b0c30a8) Updates `anchore/workflows/.github/workflows/check-version-available.yaml` from 0.7.0 to 0.7.2 - [Release notes](https://github.com/anchore/workflows/releases) - [Commits](anchore/workflows@b3e328b...b0c30a8) Updates `anchore/workflows/.github/workflows/check-gate.yaml` from 0.7.0 to 0.7.2 - [Release notes](https://github.com/anchore/workflows/releases) - [Commits](anchore/workflows@b3e328b...b0c30a8) Updates `actions/checkout` from 6.0.2 to 6.0.3 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@de0fac2...df4cb1c) Updates `anchore/workflows/.github/workflows/release-install-script.yaml` from 0.7.0 to 0.7.2 - [Release notes](https://github.com/anchore/workflows/releases) - [Commits](anchore/workflows@b3e328b...b0c30a8) Updates `github/codeql-action` from 4.36.0 to 4.36.2 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@7211b7c...8aad20d) Updates `anchore/go-make` from 0.5.0 to 0.6.0 - [Release notes](https://github.com/anchore/go-make/releases) - [Commits](anchore/go-make@9de27be...39fe5f7) --- updated-dependencies: - dependency-name: anchore/workflows/.github/workflows/codeql.yaml dependency-version: 0.7.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions-minor-patch - dependency-name: anchore/workflows/.github/workflows/check-version-available.yaml dependency-version: 0.7.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions-minor-patch - dependency-name: anchore/workflows/.github/workflows/check-gate.yaml dependency-version: 0.7.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions-minor-patch - dependency-name: actions/checkout dependency-version: 6.0.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions-minor-patch - dependency-name: anchore/workflows/.github/workflows/release-install-script.yaml dependency-version: 0.7.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions-minor-patch - dependency-name: github/codeql-action dependency-version: 4.36.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions-minor-patch - dependency-name: anchore/go-make dependency-version: 0.6.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-minor-patch ... * exclude linux-kbuild deb indirect matches by default (anchore#3506) * Add OSV Model generator (anchore#3499) * Add OSV Model generator Previously, there was an OSV scanner repository that exported a models.Vulnerability struct we could use. That repository deprecated their exported models and the models in grype are falling behind. Therefore, add a generator target that generates our own models based on the latest v1 JSON scehma from the official OSV spec repository. In this way automation can PR new models in. * less coupled generator * parse severity as singular and drop entry type * Remove v1 from file names If we need a v2 model, we should have a package with v2 in the path so that both can be imported. v1 in a filename is just noise. --------- * chore(deps): bump github.com/anchore/go-make (anchore#3502) Bumps the go-minor-patch group with 1 update in the /.make directory: [github.com/anchore/go-make](https://github.com/anchore/go-make). Updates `github.com/anchore/go-make` from 0.5.0 to 0.6.0 - [Release notes](https://github.com/anchore/go-make/releases) - [Commits](anchore/go-make@v0.5.0...v0.6.0) --- updated-dependencies: - dependency-name: github.com/anchore/go-make dependency-version: 0.6.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-minor-patch ... * fix(go-vulndb): merge in custom ranges when applicable (anchore#3514) * fix(go-vulndb): merge in custom ranges when applicable Go OSV data has the standard OSV ranges, but also has custom ranges. Packages that do non-standard go versioning, for example by pushing a tag that starts with v2.x.y but not adding a /v2 in their module path, get relegated to the custom ranges field. In other words, there is one affected range for "strictly go versioning compliant versions" and another set of ranges for "version control tags that are not perfectly compliant". Previously, Grype just ignore this second bucket of version ranges, resulting in a meaningful number of false positives. Fix this by, if custom ranges are present, stripping out unbounded (e.g. > 0) ranges from the regular ranges and then unioning the two range sets. * cleanup: avoid double parsing ranges, clean up comments * fix up go vuln db transformer Includes using mapstructure to deserialize custom fields, and some readability refactors. --------- * fix: disable go stdlib CPE matching by default. (anchore#3517) Previously, because GHSA does not cover the go stdlib, in order to avoid false negatives on the go stdlib, CPE matching had to be used. However, grype now includes the Go Vuln DB data it its database, which does include the stdlib as if a regular go module, so this CPE fallback can be disabled by default, fixing many false positives. * chore(deps): bump the go-minor-patch group across 1 directory with 2 updates (anchore#3518) Bumps the go-minor-patch group with 2 updates in the / directory: [golang.org/x/text](https://github.com/golang/text) and [golang.org/x/tools](https://github.com/golang/tools). Updates `golang.org/x/text` from 0.37.0 to 0.38.0 - [Release notes](https://github.com/golang/text/releases) - [Commits](golang/text@v0.37.0...v0.38.0) Updates `golang.org/x/tools` from 0.45.0 to 0.46.0 - [Release notes](https://github.com/golang/tools/releases) - [Commits](golang/tools@v0.45.0...v0.46.0) --- updated-dependencies: - dependency-name: golang.org/x/text dependency-version: 0.38.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-minor-patch - dependency-name: golang.org/x/tools dependency-version: 0.46.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-minor-patch ... * fix(hummingbird): mark hummingbird distro as rolling (anchore#3521) Previous hummingbird work incorrectly marked only the search side (data.go) as having a rolling label. Therefore also mark hummingbird as a rolling distro at database creation time. * refactor release pipeline: TAG_TOKEN, skip-checks gate, go-make bump, dependabot/zizmor/gci cleanup (anchore#3524) * chore(deps): bump github.com/containerd/containerd/v2 (anchore#3525) Bumps [github.com/containerd/containerd/v2](https://github.com/containerd/containerd) from 2.3.1 to 2.3.2. - [Release notes](https://github.com/containerd/containerd/releases) - [Changelog](https://github.com/containerd/containerd/blob/main/RELEASES.md) - [Commits](containerd/containerd@v2.3.1...v2.3.2) --- updated-dependencies: - dependency-name: github.com/containerd/containerd/v2 dependency-version: 2.3.2 dependency-type: indirect ... * fix(govulndb): mix floors from custom ranges as appropriate (anchore#3522) Previously, lower and upper bounds on vulnerable windows would be ORed together if part of the range was reported in osv standard affected events and the other part was reported in OSV ecosystem-specific custom_ranges events. Fix the merge logic so that floors from the custom ranges have the correct effect. * fix(govulndb): only emit records for stdlib (anchore#3527) * fix(govulndb): only emit records for stdlib For third party go packages, go vuln db has some very strange version ranges, and this has caused a number of false positive reports. Additionally, for most of them, Grype currently reports both a GHSA and a GO record, resulting in user confusion. However, there is one key class of record available in the go vuln db that is not in GHSA: records affecting the go stdlib itself (that is, the core parts of the langage that are statically linked into every go binary). Therefore, for now, emit only records relating to the go stdlib. Future enhancements can pull in additional data related to third party go packages in go vuln db. * Clean up some additional test fixtures --------- * Update go-make to v0.8.0 (anchore#3528) * chore(units): account for changes in Syft and fix stale listing file (anchore#3532) * feat(govulndb): emit golang.org/x/net vulns from govlundb (anchore#3534) These packages are not covered by GHSA and generally have well-formed versions, so emit them. * chore(deps): update anchore dependencies (anchore#3498) * chore(deps): bump actions/checkout from 6.0.3 to 7.0.0 (anchore#3535) Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.3 to 7.0.0. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@df4cb1c...9c091bb) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 7.0.0 dependency-type: direct:production update-type: version-update:semver-major ... * chore(deps): update quality gate database (anchore#3543) * feat: populate package architecture for matching (anchore#3504) * feat: populate package architecture for matching Enable matchers to filter on architecture-specific vulnerabilities or fixes. There are basically three changes here: First, wire up the package collection creator to populate architecture on the packages when an image is scanned or an sbom is loaded in Grype. Second, wire up the architecture package qualifier so that if a vulnerability or fix specifies that it is only applicable to a particular architecture, the matchers will respect this, and third, in the RPM matcher, specify `arch=src` when synthesizing the upstream package to search by (rather than letting it inherit the binary package's architecture). The qualifier logic is like this: If either the package or the DB record has a blank architecture, the filtering is a noop. If the package has a specific architecture and the DB record has 'src', the package is qualified, because a disclosure or fix in a src RPM for example is assumed to affect things built from it. If the DB record and the package both have specific binary architectures, but they don't match, e.g. x86_64 != aarch64, the package is not qualified and filters out. Architecture qualifiers are canonicalized at match time so, for example, an RPM that has x86_64 architecture is a qualified package on a vuln that affects "amd64" processors (assuming distro and everything else line up). This canonicalization is probably more important for future expansion since a given distro will probably use the same architecture strings as their own package manager. Hummingbird also has a special "binary-no-arch-specified" architecture that means, "this is not a src RPM". That is so that in Hummingbird data, if we have a package that says, 'upstream=glibc' in its PURL, and we have a glibc vuln against the binary but not the src RPM, we can fitler out this false positive. If a DB record has 'binary-no-arch-specified' as its architecture, any package that has any non-src architecture (or a blank architecture) is qualified, but src architecture is not. * Make architecture aliases data driven * handle noarch / all arch * Wire up end-to-end architecture specific matching for OL OracleLinux had some existing false positives where the x86_64 package was fixed in an earlier version of the RPM than the aarch64 version, resulting in false positives when Grype checked against the aarch64 version. Add a dbtest for this scenario and update the RPM matcher and OS transformer to fix this case. * move setting src arch on upstream to helper * exhaustive tests for package arch qualifier --------- * fix(zarf): swap warn messages for debug (anchore#3545) * chore(deps): bump anchore/workflows/.github/workflows/check-version-available.yaml (anchore#3547) Bumps [anchore/workflows/.github/workflows/check-version-available.yaml](https://github.com/anchore/workflows) from 0.7.2 to 0.8.0. - [Release notes](https://github.com/anchore/workflows/releases) - [Commits](anchore/workflows@b0c30a8...7212994) --- updated-dependencies: - dependency-name: anchore/workflows/.github/workflows/check-version-available.yaml dependency-version: 0.8.0 dependency-type: direct:production update-type: version-update:semver-minor ... * chore(deps): bump zizmorcore/zizmor-action from 0.5.6 to 0.5.7 (anchore#3549) Bumps [zizmorcore/zizmor-action](https://github.com/zizmorcore/zizmor-action) from 0.5.6 to 0.5.7. - [Release notes](https://github.com/zizmorcore/zizmor-action/releases) - [Commits](zizmorcore/zizmor-action@5f14fd0...192e21d) --- updated-dependencies: - dependency-name: zizmorcore/zizmor-action dependency-version: 0.5.7 dependency-type: direct:production update-type: version-update:semver-patch ... * chore(deps): bump anchore/workflows/.github/workflows/codeql.yaml (anchore#3548) Bumps [anchore/workflows/.github/workflows/codeql.yaml](https://github.com/anchore/workflows) from 0.7.2 to 0.8.0. - [Release notes](https://github.com/anchore/workflows/releases) - [Commits](anchore/workflows@b0c30a8...7212994) --- updated-dependencies: - dependency-name: anchore/workflows/.github/workflows/codeql.yaml dependency-version: 0.8.0 dependency-type: direct:production update-type: version-update:semver-minor ... * chore(deps): bump golang.org/x/tools from 0.46.0 to 0.47.0 (anchore#3550) Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.46.0 to 0.47.0. - [Release notes](https://github.com/golang/tools/releases) - [Commits](golang/tools@v0.46.0...v0.47.0) --- updated-dependencies: - dependency-name: golang.org/x/tools dependency-version: 0.47.0 dependency-type: direct:production update-type: version-update:semver-minor ... * chore(deps): bump actions/cache/restore in /.github/actions/bootstrap (anchore#3556) Bumps [actions/cache/restore](https://github.com/actions/cache) from 5.0.5 to 6.1.0. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](actions/cache@27d5ce7...55cc834) --- updated-dependencies: - dependency-name: actions/cache/restore dependency-version: 6.1.0 dependency-type: direct:production update-type: version-update:semver-major ... * chore(deps): bump actions/cache from 5.0.5 to 6.1.0 (anchore#3551) Bumps [actions/cache](https://github.com/actions/cache) from 5.0.5 to 6.1.0. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](actions/cache@27d5ce7...55cc834) --- updated-dependencies: - dependency-name: actions/cache dependency-version: 6.1.0 dependency-type: direct:production update-type: version-update:semver-major ... * chore(deps): bump anchore/go-make/.github/actions/setup (anchore#3555) Bumps [anchore/go-make/.github/actions/setup](https://github.com/anchore/go-make) from 0.6.0 to 0.8.0. - [Release notes](https://github.com/anchore/go-make/releases) - [Commits](anchore/go-make@39fe5f7...430e217) --- updated-dependencies: - dependency-name: anchore/go-make/.github/actions/setup dependency-version: 0.8.0 dependency-type: direct:production update-type: version-update:semver-minor ... * chore(deps): bump actions/cache in /.github/actions/bootstrap (anchore#3558) Bumps [actions/cache](https://github.com/actions/cache) from 5.0.5 to 6.1.0. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](actions/cache@27d5ce7...55cc834) --- updated-dependencies: - dependency-name: actions/cache dependency-version: 6.1.0 dependency-type: direct:production update-type: version-update:semver-major ... * chore(deps): bump gorm.io/gorm from 1.31.1 to 1.31.2 (anchore#3557) Bumps [gorm.io/gorm](https://github.com/go-gorm/gorm) from 1.31.1 to 1.31.2. - [Release notes](https://github.com/go-gorm/gorm/releases) - [Commits](go-gorm/gorm@v1.31.1...v1.31.2) --- updated-dependencies: - dependency-name: gorm.io/gorm dependency-version: 1.31.2 dependency-type: direct:production update-type: version-update:semver-patch ... --------- Signed-off-by: Janit Lodha <janit.lodha@rapidfort.com> Signed-off-by: Vaibhav Thatai <vaibhav@rapidfort.com> Co-authored-by: Vaibhav Thatai <vaibhav@rapidfort.com>
* origin/main: chore(deps): bump gorm.io/gorm from 1.31.1 to 1.31.2 (#3557) chore(deps): bump actions/cache in /.github/actions/bootstrap (#3558) chore(deps): bump anchore/go-make/.github/actions/setup (#3555) chore(deps): bump actions/cache from 5.0.5 to 6.1.0 (#3551) chore(deps): bump actions/cache/restore in /.github/actions/bootstrap (#3556) chore(deps): bump golang.org/x/tools from 0.46.0 to 0.47.0 (#3550) chore(deps): bump anchore/workflows/.github/workflows/codeql.yaml (#3548) chore(deps): bump zizmorcore/zizmor-action from 0.5.6 to 0.5.7 (#3549) chore(deps): bump anchore/workflows/.github/workflows/check-version-available.yaml (#3547) fix(zarf): swap warn messages for debug (#3545) feat: populate package architecture for matching (#3504) chore(deps): update quality gate database (#3543)
Enable matchers to filter on architecture-specific vulnerabilities or fixes.
There are basically three changes here: First, wire up the package collection creator to populate architecture on the packages when an image is scanned or an sbom is loaded in Grype. Second, wire up the architecture package qualifier so that if a vulnerability or fix specifies that it is only applicable to a particular architecture, the matchers will respect this, and third, in the RPM matcher, specify
arch=srcwhen synthesizing the upstream package to search by (rather than letting it inherit the binary package's architecture).The qualifier logic is like this: If either the package or the DB record has a blank architecture, the filtering is a noop. If the package has a specific architecture and the DB record has 'src', the package is qualified, because a disclosure or fix in a src RPM for example is assumed to affect things built from it. If the DB record and the package both have specific binary architectures, but they don't match, e.g. x86_64 != aarch64, the package is not qualified and filters out. Architecture qualifiers are canonicalized at match time so, for example, an RPM that has x86_64 architecture is a qualified package on a vuln that affects "amd64" processors (assuming distro and everything else line up). This canonicalization is probably more important for future expansion since a given distro will probably use the same architecture strings as their own package manager.
Hummingbird also has a special "binary-no-arch-specified" architecture that means, "this is not a src RPM". That is so that in Hummingbird data, if we have a package that says, 'upstream=glibc' in its PURL, and we have a glibc vuln against the binary but not the src RPM, we can fitler out this false positive. If a DB record has 'binary-no-arch-specified' as its architecture, any package that has any non-src architecture (or a blank architecture) is qualified, but src architecture is not.
Note that this could use anchore/syft#4977 but there's no need to couple them.