
Feat/multiple platform cpes #203

Merged: 15 commits from feat/multiple-platform-cpes into main, Dec 5, 2023

Conversation

@willmurphyscode willmurphyscode commented Nov 23, 2023

PR with the goal of representing NVD CVEs that affect multiple specific platforms in grypeDB schema v5, which only supports one platform CPE constraint per row.

The transform to be accomplished is explained at anchore/grype#1042 (comment) in detail, but basically, emit a row for each affected platform, rather than emitting a single row with no platform constraint.

One thing we need to discover is whether there are lots of NVD issues that have multiple application nodes ORed with multiple platform nodes. If so, this needs to be expanded to be a cross join. - DONE, this does a cross join now.

TODO

@willmurphyscode willmurphyscode marked this pull request as ready for review November 27, 2023 13:28
willmurphyscode commented Dec 1, 2023

This change will roughly triple the number of unique platform CPEs present in Grype DB:

❯ sqlite3 willtmp/newdb/5/vulnerability.db \
'select distinct package_qualifiers from vulnerability where namespace like "nvd:cpe" order by id limit 10000000000;' |\
 rg platform-cpe | jq -r '.[0].cpe' | sort | uniq | wc -l
    2380

❯ sqlite3 ~/Library/Caches/grype/db/5/vulnerability.db \
'select distinct package_qualifiers from vulnerability where namespace like "nvd:cpe" order by id limit 10000000000;' |\
 rg platform-cpe | jq -r '.[0].cpe' | sort | uniq | wc -l
     819

Before merging, I'd like to take a look through the new platform CPEs and see what grype will do with them.

Edit: I think this discrepancy is because of things that shouldn't be ending up as platform CPEs. Converting back to draft PR while I investigate.

Edit on the edit:

It turns out that we use vulnerable == false to determine whether a CPE Match is a "running on/with" config, not the type o.

Signed-off-by: Will Murphy <[email protected]>
@willmurphyscode willmurphyscode marked this pull request as draft December 1, 2023 20:16
For example, Redis or OpenShift might be coded as a type "a" CPE (for
"application"), but might be a platform (displayed in the "running on or
with" section of the NVD UI). For these, consider them platforms and
emit a platform CPE.

Signed-off-by: Will Murphy <[email protected]>
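The transform described in the PR description (one row per affected platform, as a cross join of application CPEs and platform CPEs) and the classification rule from the later comments (a CPE match is a "running on/with" platform when `vulnerable == false`, regardless of whether its part is "a" or "o") are shown together in the following added example. It is illustrative code written for this page, not grype-db's own implementation; the `cpeMatch`, `configNode` and `row` types and the function names are constructed stand-ins for the NVD API shape and the v5 schema's single platform constraint per row.

```go
package main

import (
	"fmt"
	"sort"
)

// cpeMatch mirrors the two fields of an NVD "cpeMatch" entry that matter here:
// the CPE 2.3 string and the "vulnerable" flag. Constructed type, not grype-db's.
type cpeMatch struct {
	Criteria   string
	Vulnerable bool
}

// configNode is a simplified NVD configuration node: cpeMatch entries ORed together.
type configNode struct {
	CPEMatch []cpeMatch
}

// row stands in for one grype DB v5 record: an application CPE plus at most one
// platform CPE constraint; the empty string means "no platform constraint".
type row struct {
	AppCPE      string
	PlatformCPE string
}

// splitByVulnerable separates application CPEs (vulnerable == true) from platform
// CPEs (vulnerable == false). The decision is made on the flag, not on the CPE part
// (a/o/h), so a type "a" CPE that NVD lists under "running on/with" is a platform.
func splitByVulnerable(nodes []configNode) (apps, platforms []string) {
	for _, n := range nodes {
		for _, m := range n.CPEMatch {
			if m.Vulnerable {
				apps = append(apps, m.Criteria)
			} else {
				platforms = append(platforms, m.Criteria)
			}
		}
	}
	return apps, platforms
}

// expandRows emits one row per (application, platform) pair, i.e. a cross join.
// When the CVE names no platform, each application gets one unconstrained row.
func expandRows(nodes []configNode) []row {
	apps, platforms := splitByVulnerable(nodes)
	var out []row
	for _, a := range apps {
		if len(platforms) == 0 {
			out = append(out, row{AppCPE: a})
			continue
		}
		for _, p := range platforms {
			out = append(out, row{AppCPE: a, PlatformCPE: p})
		}
	}
	// deterministic order so the output is stable across runs
	sort.Slice(out, func(i, j int) bool {
		if out[i].AppCPE != out[j].AppCPE {
			return out[i].AppCPE < out[j].AppCPE
		}
		return out[i].PlatformCPE < out[j].PlatformCPE
	})
	return out
}

// sampleConfig is a constructed configuration: two vulnerable application versions
// running on two platforms, one of which is coded as a type "a" CPE (Redis).
func sampleConfig() []configNode {
	return []configNode{
		{CPEMatch: []cpeMatch{
			{Criteria: "cpe:2.3:a:example:webapp:1.0:*:*:*:*:*:*:*", Vulnerable: true},
			{Criteria: "cpe:2.3:a:example:webapp:1.1:*:*:*:*:*:*:*", Vulnerable: true},
		}},
		{CPEMatch: []cpeMatch{
			{Criteria: "cpe:2.3:o:example:linux:-:*:*:*:*:*:*:*", Vulnerable: false},
			// type "a" but vulnerable == false: treated as a platform, as the PR does
			{Criteria: "cpe:2.3:a:redis:redis:-:*:*:*:*:*:*:*", Vulnerable: false},
		}},
	}
}

func main() {
	for _, r := range expandRows(sampleConfig()) {
		fmt.Printf("%s  platform=%q\n", r.AppCPE, r.PlatformCPE)
	}
}
```

With the constructed input, the two applications and two platforms produce four rows, each carrying exactly one platform constraint; the earlier behaviour of emitting a single row with no platform constraint would have produced two rows that match the application on any platform. Note that a type "a" CPE ends up in the platform column, which is exactly the class of entries the author expected to see when the distinct platform CPE count roughly tripled.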
@@ -20,18 +20,18 @@ type pkgCandidate struct {
Product string
Vendor string
TargetSoftware string
PlatformCPE *string
PlatformCPE string
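Review bot: changing `PlatformCPE` from `*string` to `string` removes the nil-versus-present distinction, so any code that previously tested `PlatformCPE != nil` (or dereferenced the pointer) must now treat `""` as "no platform constraint"; please confirm every consumer of `pkgCandidate` was updated in the same change and record that convention in a doc comment on the field. The reason for the change (the struct is used as a map key in `uniquePkgTracker`, where a pointer field makes key equality depend on the pointer's address rather than the string's contents) should also be stated next to the field rather than only in the review thread.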
Contributor Author (willmurphyscode) commented on this hunk:

This struct is used as a map key in uniquePkgTracker. Having a pointer in a struct that's used as a hash key results in key collision being assessed based on pointer equality, not string equality. I think string equality is the right semantics. (Put another way: we wouldn't say one pkg candidate was different from another if the only difference was the memory location where the platform CPE was stored.)

I could be talked into pulling this out into its own PR.
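The map-key point in the review comment above, as an added example that is not part of the PR: two struct values whose `PlatformCPE` pointers address separately allocated copies of the same string are distinct map keys, while the `string` version of the field collapses them into one. The `candidatePtr` and `candidateStr` types are constructed stand-ins for the before and after shapes of `pkgCandidate`, not grype-db's own types.

```go
package main

import "fmt"

// candidatePtr is the "before" shape: the platform CPE is held by pointer.
type candidatePtr struct {
	Product, Vendor, TargetSoftware string
	PlatformCPE                     *string
}

// candidateStr is the "after" shape: the platform CPE is held by value,
// with "" standing for "no platform constraint".
type candidateStr struct {
	Product, Vendor, TargetSoftware string
	PlatformCPE                     string
}

// countDistinctPtr inserts the candidates as map keys and reports how many
// keys result. Go compares pointer fields by address, so equal strings stored
// at different addresses yield different keys.
func countDistinctPtr(cands []candidatePtr) int {
	seen := map[candidatePtr]struct{}{}
	for _, c := range cands {
		seen[c] = struct{}{}
	}
	return len(seen)
}

// countDistinctStr does the same with the by-value shape, where string fields
// are compared by contents.
func countDistinctStr(cands []candidateStr) int {
	seen := map[candidateStr]struct{}{}
	for _, c := range cands {
		seen[c] = struct{}{}
	}
	return len(seen)
}

// sameCandidateTwice builds the same logical candidate twice in each shape,
// with the platform CPE of the pointer version in two separate allocations
// (constructed sample data).
func sameCandidateTwice() ([]candidatePtr, []candidateStr) {
	const platform = "cpe:2.3:o:example:linux:*:*:*:*:*:*:*:*"
	p1 := new(string)
	*p1 = platform
	p2 := new(string)
	*p2 = platform // equal contents, distinct address
	ptrs := []candidatePtr{
		{Product: "webapp", Vendor: "example", TargetSoftware: "*", PlatformCPE: p1},
		{Product: "webapp", Vendor: "example", TargetSoftware: "*", PlatformCPE: p2},
	}
	strs := []candidateStr{
		{Product: "webapp", Vendor: "example", TargetSoftware: "*", PlatformCPE: platform},
		{Product: "webapp", Vendor: "example", TargetSoftware: "*", PlatformCPE: platform},
	}
	return ptrs, strs
}

func main() {
	ptrs, strs := sameCandidateTwice()
	fmt.Println("distinct keys with *string field:", countDistinctPtr(ptrs)) // 2
	fmt.Println("distinct keys with string field: ", countDistinctStr(strs)) // 1
}
```

The practical consequence for a deduplicating tracker is that the pointer version would emit the same (package, platform) row twice whenever the platform CPE string was parsed or copied twice, which is easy to do when rows are built by a cross join. The cost of the by-value field is that "absent" and "empty" are no longer distinguishable, so callers have to agree that the empty string means no platform constraint.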

Signed-off-by: Will Murphy <[email protected]>
@willmurphyscode willmurphyscode marked this pull request as ready for review December 5, 2023 16:39
@willmurphyscode willmurphyscode enabled auto-merge (squash) December 5, 2023 16:44
@willmurphyscode willmurphyscode merged commit af631d9 into main Dec 5, 2023
13 checks passed
@willmurphyscode willmurphyscode deleted the feat/multiple-platform-cpes branch December 5, 2023 17:39
willmurphyscode pushed a commit that referenced this pull request Mar 27, 2024
Bumps [orjson](https://github.com/ijl/orjson) from 3.8.13 to 3.9.1.
- [Release notes](https://github.com/ijl/orjson/releases)
- [Changelog](https://github.com/ijl/orjson/blob/master/CHANGELOG.md)
- [Commits](ijl/orjson@3.8.13...3.9.1)

---
updated-dependencies:
- dependency-name: orjson
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>