Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: disable CPE-based matching for GHSA ecosystems by default #1412

Merged
merged 3 commits into from
Oct 12, 2023
Merged

feat: disable CPE-based matching for GHSA ecosystems by default #1412

merged 3 commits into from
Oct 12, 2023

Conversation

westonsteimel
Copy link
Contributor

@westonsteimel westonsteimel commented Aug 2, 2023
edited by kzantow
Loading

Disables CPE-based matching for ecosystems which are covered by GitHub Security Advisories. Also adds a separate rust matcher and related configuration to allow configuring CPE-based matching off for rust packages while still leaving it enabled for anything falling into the stock matcher.

Fixes: #811

@westonsteimel westonsteimel force-pushed the disable-cpe-matching-by-default-for-ghsa-covered-ecosystems branch 4 times, most recently from c35f935 to 288021a Compare August 4, 2023 15:47
@westonsteimel westonsteimel force-pushed the disable-cpe-matching-by-default-for-ghsa-covered-ecosystems branch 7 times, most recently from dd2da98 to 61c6c61 Compare August 18, 2023 19:48
@westonsteimel westonsteimel force-pushed the disable-cpe-matching-by-default-for-ghsa-covered-ecosystems branch 6 times, most recently from 0ceb397 to 0e973a0 Compare August 21, 2023 18:36
@westonsteimel westonsteimel marked this pull request as ready for review August 22, 2023 11:47
@westonsteimel westonsteimel requested a review from a team August 22, 2023 11:47
@spiffcs spiffcs added the blocked Progress is being stopped by something label Aug 22, 2023
@spiffcs
Copy link
Contributor

spiffcs commented Aug 22, 2023

Added blocked for now so that we investigate the quality gate a bit more to see why this is passing when we expect a failure given the number of false negatives

@westonsteimel westonsteimel force-pushed the disable-cpe-matching-by-default-for-ghsa-covered-ecosystems branch 4 times, most recently from 859ab71 to c54f2b5 Compare September 13, 2023 09:41
@tgerla tgerla mentioned this pull request Sep 14, 2023
Open
@westonsteimel westonsteimel force-pushed the disable-cpe-matching-by-default-for-ghsa-covered-ecosystems branch 4 times, most recently from c04ff06 to 005b0eb Compare September 25, 2023 13:50
@westonsteimel westonsteimel force-pushed the disable-cpe-matching-by-default-for-ghsa-covered-ecosystems branch from 005b0eb to 5925a17 Compare September 29, 2023 07:29
@wagoodman wagoodman mentioned this pull request Sep 29, 2023
Closed
@westonsteimel
feat: disable CPE-based matching for GHSA ecosystems by default
4bb9fa7 
Disables CPE-based matching for ecosystems which are covered by GitHub
Security Advisories.  Also adds a separate rust matcher and related
configuration to allow configuring CPE-based matching off for it while
still leaving it on for the stock matcher.

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
@westonsteimel
chore: use --by-cve with quality gate comparison
2efcff5 
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
@westonsteimel
chore: add rust auditable binary match integration test
2440dd3 
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
@westonsteimel westonsteimel force-pushed the disable-cpe-matching-by-default-for-ghsa-covered-ecosystems branch from 5925a17 to 2440dd3 Compare October 11, 2023 08:43
@wagoodman wagoodman removed the blocked Progress is being stopped by something label Oct 12, 2023
@wagoodman wagoodman merged commit 25762b7 into main Oct 12, 2023
8 of 9 checks passed
@wagoodman wagoodman deleted the disable-cpe-matching-by-default-for-ghsa-covered-ecosystems branch October 12, 2023 13:07
@Porkepix Porkepix mentioned this pull request Oct 12, 2023
Merged
@luhring luhring mentioned this pull request Oct 12, 2023
Merged
spiffcs added a commit that referenced this pull request Oct 19, 2023
@spiffcs
Merge branch 'main' into 970-alpine-match-simplification
757a60f 
* main: (137 commits)
  chore(deps): bump actions/checkout from 4.1.0 to 4.1.1 (#1564)
  Add --ignore-states flag for ignoring findings with specific fix states (#1473)
  feat: update go-sarif library to use latest release (#1563)
  bump clio to get stderr reporting fix (#1561)
  chore(deps): bump github.com/gabriel-vasile/mimetype from 1.4.2 to 1.4.3 (#1558)
  chore(deps): bump github.com/charmbracelet/lipgloss from 0.9.0 to 0.9.1 (#1557)
  Add checksum signing (#1535)
  chore(deps): bump golang.org/x/net from 0.16.0 to 0.17.0 (#1554)
  feat: disable CPE-based matching for GHSA ecosystems by default (#1412)
  chore(deps): bump github.com/google/go-cmp from 0.5.9 to 0.6.0 (#1552)
  chore(deps): update Syft to v0.93.0 (#1550)
  chore(deps): bump gorm.io/gorm from 1.25.4 to 1.25.5 (#1547)
  chore(deps): bump github.com/charmbracelet/lipgloss from 0.8.0 to 0.9.0 (#1548)
  chore(deps): bump github.com/hashicorp/go-getter from 1.7.2 to 1.7.3 (#1549)
  chore(deps): bump ossf/scorecard-action from 2.2.0 to 2.3.0 (#1544)
  fix: empty descriptor name and version (#1542)
  chore: removes unnecessary conditional (#1539)
  chore(deps): bump github.com/gkampitakis/go-snaps from 0.4.10 to 0.4.11 (#1533)
  chore(deps): update Syft to v0.92.0 (#1527)
  chore(deps): update bootstrap tools to latest versions (#1524)
  ...
@spiffcs spiffcs mentioned this pull request May 1, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wagoodman wagoodman wagoodman approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

feat: use ghsa to improve matching for cpes
3 participants
@westonsteimel @spiffcs @wagoodman