What happened:
When using Grype on Raspberry Pi OS, it uses the Debian package list for the packages to match against. But there are some packages that are rebuilt versions of the upstream Debian packages. For example the Chromium package on a Raspberry Pi is actually 1:149.0.7827.114-1~deb13u1+rpt1
The upstream version would be 149.0.7827.114-1~deb13u1 in other words an epoch of 0. We use the epoch to stop the upstream version from automagically overwriting the Raspberry Pi package version because lots of functionality would then be broken (hardware video decode is an example).
But that means when you run Grype it assumes an epoch of 1 is a newer version that anything with an epoch of zero (which is of course the whole point of an epoch) which means we miss vulnerabilities against the upstream package.
Is there a standard / expected way to make this work? Currently I've got two options:
- Pre-process the SBOM to remove the incremented epoch on packages that we've added it to
- Post process the vulnerability list to add a scan specifically for the upstream version of any Raspberry Pi package.
- Modify Grype or add a database etc to know about the difference between upstream and downstream packages. For example, add a Raspberry Pi database to be imported which matches the whole +rpt1 package version which then copies the upstream vulnerability list and adds on any Raspberry Pi specific vulnerabilities
What happened:
When using Grype on Raspberry Pi OS, it uses the Debian package list for the packages to match against. But there are some packages that are rebuilt versions of the upstream Debian packages. For example the Chromium package on a Raspberry Pi is actually 1:149.0.7827.114-1~deb13u1+rpt1
The upstream version would be 149.0.7827.114-1~deb13u1 in other words an epoch of 0. We use the epoch to stop the upstream version from automagically overwriting the Raspberry Pi package version because lots of functionality would then be broken (hardware video decode is an example).
But that means when you run Grype it assumes an epoch of 1 is a newer version that anything with an epoch of zero (which is of course the whole point of an epoch) which means we miss vulnerabilities against the upstream package.
Is there a standard / expected way to make this work? Currently I've got two options: