
Add protobuf FPs to default ignore list #1062

Merged (1 commit), Jan 20, 2023

Conversation

@luhring (Contributor) commented Jan 20, 2023

Fixes #558

Let me know if there's a better way to cancel these out in the code. I saw this method used for some log4j FPs so I continued that approach here.

One unfortunate drawback to this approach is the UI becomes a bit confusing:

$ go run . anchore/grype   
 ✔ Vulnerability DB        [no update available]
 ✔ Parsed image            
 ✔ Cataloged packages      [212 packages]
 ✔ Scanned image           [2 vulnerabilities]
No vulnerabilities found

"2 vulnerabilities", and then "no vulnerabilities". Curious if anyone has thoughts to make this more straightforward.
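An added example (not grype's own code, and not the PR's diff) of the approach the PR takes: a built-in ignore list applied after matching, scoped so the CVE is suppressed only for the Go protobuf modules and still reported for any other package it hits. The Match and IgnoreRule types, the wildcard semantics, the go-module package type, the module names and the sample matches are all assumptions made for this example; grype's real rules live in its match package and the same rule shape can also be supplied by users in .grype.yaml.

```go
package main

import (
	"fmt"
	"strings"
)

// Match is one vulnerability-to-package pairing as a scanner would emit it.
// Simplified stand-in for grype's own match type; this is example code.
type Match struct {
	VulnerabilityID string
	PackageName     string
	PackageType     string
	PackageVersion  string
}

// IgnoreRule describes matches to suppress. An empty field is a wildcard,
// so a rule with only VulnerabilityID set drops that ID for every package.
// (Assumed semantics for this example.)
type IgnoreRule struct {
	VulnerabilityID string
	PackageName     string
	PackageType     string
}

// Applies reports whether the rule covers the match. Vulnerability IDs are
// compared case-insensitively; package name and type must match exactly.
func (r IgnoreRule) Applies(m Match) bool {
	if r.VulnerabilityID != "" && !strings.EqualFold(r.VulnerabilityID, m.VulnerabilityID) {
		return false
	}
	if r.PackageName != "" && r.PackageName != m.PackageName {
		return false
	}
	if r.PackageType != "" && r.PackageType != m.PackageType {
		return false
	}
	return true
}

// ApplyIgnoreRules splits matches into those kept and those suppressed.
// Returning the suppressed set instead of discarding it is what lets a
// report say "3 matched, 2 ignored" rather than contradicting itself.
func ApplyIgnoreRules(matches []Match, rules []IgnoreRule) (kept, ignored []Match) {
	for _, m := range matches {
		suppressed := false
		for _, r := range rules {
			if r.Applies(m) {
				suppressed = true
				break
			}
		}
		if suppressed {
			ignored = append(ignored, m)
		} else {
			kept = append(kept, m)
		}
	}
	return kept, ignored
}

// DefaultIgnoreRules is a hypothetical built-in list. Each rule is pinned to
// a Go module name and the (assumed) go-module package type, so the CVE is
// suppressed only where it is a known false positive and not for every
// package whose name contains "protobuf".
var DefaultIgnoreRules = []IgnoreRule{
	{VulnerabilityID: "CVE-2015-5237", PackageName: "google.golang.org/protobuf", PackageType: "go-module"},
	{VulnerabilityID: "CVE-2015-5237", PackageName: "github.com/golang/protobuf", PackageType: "go-module"},
}

// SampleMatches is constructed input: two Go-module hits that the default
// rules should drop, plus one distro package hit that must survive.
func SampleMatches() []Match {
	return []Match{
		{"CVE-2015-5237", "google.golang.org/protobuf", "go-module", "v1.28.1"},
		{"CVE-2015-5237", "github.com/golang/protobuf", "go-module", "v1.5.2"},
		{"CVE-2015-5237", "libprotobuf17", "deb", "3.6.1.3-2"},
	}
}

func main() {
	all := SampleMatches()
	kept, ignored := ApplyIgnoreRules(all, DefaultIgnoreRules)
	// Print both counts so the "[N vulnerabilities]" summary and the final
	// result line agree with each other.
	fmt.Printf("Scanned: %d matches, %d ignored by default rules, %d reported\n",
		len(all), len(ignored), len(kept))
	for _, m := range kept {
		fmt.Printf("  %s  %s %s (%s)\n", m.VulnerabilityID, m.PackageName, m.PackageVersion, m.PackageType)
	}
}
```

Scoping each rule to package name and type is the part worth copying: a rule keyed on the CVE alone would also hide the finding for a C/C++ protobuf package in the same image, where it may be real. Keeping the ignored matches in a separate slice is also the cheap fix for the count mismatch in the output above, since the summary can then print both numbers.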

@spiffcs (Contributor) commented Jan 20, 2023

Thanks @luhring! I think this is pretty straightforward. If this list keeps getting bigger we can revisit it. Before we merge I'll wait for others from the open source team to comment on whether we can add a commit to reduce the UI confusion here.

@kzantow (Contributor) left a review comment

Also LGTM -- the count mismatch is an existing problem, so doesn't need to be solved here, IMO.

@luhring (Contributor, Author) commented Jan 20, 2023

Thanks @spiffcs and @kzantow! Good to merge from my end then 😃

@kzantow kzantow merged commit b40b54d into anchore:main Jan 20, 2023
@luhring luhring deleted the protobuf-fps branch January 20, 2023 22:57
spiffcs added a commit to willyw0nka/grype that referenced this pull request Jan 24, 2023
* main: (56 commits)
  fix: always include severity in cyclonedx output (anchore#1067)
  Update Syft to v0.68.0 (anchore#1064)
  Add protobuf FPs to default ignore list (anchore#1062)
  chore: update Syft to v0.66.2 (anchore#1060)
  Update grype bootstrap tools to latest versions. (anchore#1055)
  feat: allow grype db diff to specify local db directories (anchore#1058)
  chore: claim artifacthub package ownership from developer-guy (anchore#661)
  chore: add github token to quality tests (anchore#1056)
  chore: update yardstick to diagnose intermittent failures (anchore#1054)
  Update grype bootstrap tools to latest versions. (anchore#1048)
  fix: sort vulnerability results (anchore#1052)
  Adding internal/file/hasher test cases (anchore#1049)
  fix: orient by cve merging (anchore#1046)
  Update Syft to v0.64.0 (anchore#1047)
  fix: update removing results based on ownership-by-file-overlap (anchore#1045)
  feat: swap custom cyclone-dx model for cyclone-dx library (anchore#1038)
  chore: add GitLab Community Edition image to quality gate (anchore#1035)
  Update Syft to v0.63.0 (anchore#1037)
  fix: Exclude binary packages that have overlap by file ownership relationship (anchore#1024)
  docs: update quality gate docs (anchore#1032)
  ...
Linked issue (may be closed by merging this pull request): False positive CVE-2015-5237 for protobuf-go