fix: add unaffected results to db search vuln, fix alias results#3560
Draft
kzantow wants to merge 1 commit into
Draft
fix: add unaffected results to db search vuln, fix alias results#3560kzantow wants to merge 1 commit into
kzantow wants to merge 1 commit into
Conversation
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Contributor
Author
|
Notes from team discussion:
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR makes some fixes to
grype db searchandgrype db search --include-aliasesto get a more appropriate set of records.Currently, in Grype matching there are many factors that affect whether a package is deemed vulnerable and often the determination requires information from multiple sources such as GHSA and SUSE to avoid false positives. If a user is trying to get details about a specific vulnerability, we need to include unaffected records and aliases to get most of the big picture about what's going on.
To see all* the records that will impact a particular package, we need unaffected records and to go 2 levels deep in aliases.
Take the newly added GO vulnerabilities, for example:
GO-2026-5005. If I run:Perfect: I see there's just a single record with a version constraint.
But wait... let's say I don't see that result but I'm using something that looks like version 0.50.0 -- how can I figure out what's going on?
Previously
--include-aliaseswould include a single-level of aliases, sodb search --vuln GO-2026-5005 --include-aliaseswould find a single alias for theGO-2026-5005record:CVE-2026-39833and include both of those results. But there are more records that will come into play, especially: GHSA-jppx-rxg9-jmrx -- perhaps there are corrected version ranges or a vendor has asserted that this particular package is not vulnerable for their distributed version of the package. Previously, you wouldn't see any information about this because it's a second-level alias: no alias information exist directly from the GO vuln to the GHSA vuln but both of these alias toCVE-2026-39833, so--include-aliasesneeds to account for this.Additionally, vulnerabilities may be filtered by entries in the unaffected packages set, which are stored in a separate table and not returned by affected packages queries. This PR adds the records to
db searchwith an(unaffected)label at the end of the constraint to indicate Grype will match against that range as an unaffected filter rather than a vulnerable range. This is probably the part that needs the most discussion.We need to be able to correctly identify records should be considered unaffected in both the table and in JSON output. The current implementation in this PR is just to get a discussion started and looks something like:
I think ideally we would instead include a status column and these would be
Not-Affected/Unaffectedor similar. There is a VulnerabilityStatus on the data model which is seems to be unset some of the time but appears to be the right spot for this to be conveyed, however: adding records with an unknown new status might result in them being interpreted as vulnerable by consumers. Grype itself only considered withdrawn and rejected to be "not vulnerable" types of statuses.All that said, without this information,
db searchis very difficult to use to understand the scope of grype's matching about a particular vulnerability. We need a a way of displaying this information to users, ideally without needing to remember to execute multiple queries to get enough pertinent information. It's pretty confusing when searching for a vulnerability only to find it looks like something different should be happening.* still not necessarily all