-
Notifications
You must be signed in to change notification settings - Fork 585
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Read Syft configuration from Grype #1794
Comments
Hi @willyw0nka! Thanks for the request. Do you have a specific example of Not every option in the syft config is applicable to grype. For example, syft and grype have a different set of output options, grype has configs for ignoring vulns but syft doesn't have those. Syft has config options to, for example, make network calls that download licensing information for some packages, but this information would just be thrown away during a grype scan. There might be options we can duplicate from Syft to Grype, or maybe make Grype parse a subset of Syft config, but it won't work to just point Grype at a whole Syft config without some real thought, which is why I ask which particular things are not working or configs seem to be missing. |
Hi @willmurphyscode 👋, thanks for the reply. Asuming that java:
use-network: true Let's scan an example project git clone https://github.com/idealo/spring-endpoint-exporter.git
grype spring-endpoint-exporter The shown output is the following
This project appears to have a critical vulnerability 😱. The reason for this is that the Let's try now to scan the same project using syft first and passing the generated SBOM to grype. syft spring-endpoint-exporter -o json | grype Which generates the following output
Yay! No vulnerabilities found! 😄 So the enhanhement request is the following: could grype read grype config and syft config? Does this make sense? |
Hey @willyw0nka, thanks much for the details. We're discussing this as a team and we've learned a couple of things: we're concerned that parsing syft config by default would confuse users and cause unintended changes in behavior, but we're open to adding an option to allow grype to call syft with config parsing enabled. Possible options:
Dev note: maintenance-wise, the solution should think through minimizing changes that have to be duplicated between Syft and Grype together. One complication: if Syft config is newer than the version of Syft included in Grype, problems could occur. |
Thank you for the feedback! After considering the current situation and potential solutions, I believe sticking to the While it is true that this implementation could lead to issues if the syft version is newer than grype, it remains (in my opinion) the easiest option to utilize as an user. |
Just noting that #1012 (comment) is good signal that we need to do this. TL;DR - users should be able to tell grype to tell syft it's allowed to make network requests to maven repositories, since this would improve scan accuracy by improving JAR identification. |
What would you like to be added:
Ability to read syft.yaml config file when running grype.
Why is this needed:
When scanning a directory or docker image grype uses syft to generate the sbom that will be analyzed. There are situations where syft configuration is required (anchore/syft#2266 (comment)). In these instances, it's not possible to solely run grype to generate the sbom and then identify vulnerabilities within it.
Additional context:
The current workaround is
The text was updated successfully, but these errors were encountered: