
config: add config opt in golang pseudo version main module comparison #1816

Merged
merged 3 commits into from
Apr 18, 2024

Conversation

spiffcs
Contributor

@spiffcs spiffcs commented Apr 18, 2024

Summary

Add a new config option for grype to NOT allow module comparison when there is a pseudo version and main module.

The default for this value is true, but users have the option to disable it in case FP introductions are too high.

Config Additions

match:
  golang:
    using-cpes: false
    # even if CPE matching is disabled, make an exception when scanning for "stdlib".
    always-use-cpe-for-stdlib: true
    allow-main-module-pseudo-version-comparison: true

Env Variable Addition:

GRYPE_MATCH_GOLANG_ALLOW_MAIN_MODULE_PSEUDO_VERSION_COMPARISON

Testing on your local

Example of FP introduced when comparing pseudo versions of main modules

export GRYPE_MATCH_GOLANG_ALLOW_MAIN_MODULE_PSEUDO_VERSION_COMPARISON=true
syft -o json ollama/ollama:0.1.32 | go run cmd/grype/main.go

------

github.com/ollama/ollama    v0.0.0-20240414223325-7027f264fbb3  0.1.29             go-module  GHSA-5jx5-hqx5-2vrj  High

Example of using the ENV VAR to disable this behavior

export GRYPE_MATCH_GOLANG_ALLOW_MAIN_MODULE_PSEUDO_VERSION_COMPARISON=false
syft -o json ollama/ollama:0.1.32 | go run cmd/grype/main.go

------

NO RESULT
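The gate this PR describes (do not compare a version at all when the package is the binary's main module and its version is a Go pseudo-version, unless the option allows it), as an added Go example that is not grype's own code. The type and function names (`goPackage`, `matcherConfig`, `shouldCompare`, `match`), the `IsMainModule` flag, and the base-X.Y.Z-only comparison are assumptions; the pseudo-version shapes are the three forms documented by the Go toolchain, and the package, version, fix version and advisory id in `main` are taken from the ollama run above. It also shows why the FP happens: `v0.0.0-<timestamp>-<hash>` sorts below every tagged release, so any advisory with a fix version matches.

```go
package main

import (
	"fmt"
	"os"
	"regexp"
	"strconv"
	"strings"
)

// Added example, not grype's own code. Models the opt-out introduced by this PR.

const envAllowMainModulePseudo = "GRYPE_MATCH_GOLANG_ALLOW_MAIN_MODULE_PSEUDO_VERSION_COMPARISON"

// pseudoVersionRE recognises the three Go pseudo-version shapes:
//   vX.0.0-yyyymmddhhmmss-abcdefabcdef
//   vX.Y.Z-pre.0.yyyymmddhhmmss-abcdefabcdef
//   vX.Y.(Z+1)-0.yyyymmddhhmmss-abcdefabcdef
var pseudoVersionRE = regexp.MustCompile(
	`^v\d+\.\d+\.\d+-(?:[A-Za-z0-9]+(?:\.[A-Za-z0-9]+)*\.)?\d{14}-[0-9a-f]{12}$`)

// goPackage is a hypothetical stand-in for a Go module entry in an SBOM.
type goPackage struct {
	Path         string
	Version      string
	IsMainModule bool // true when this entry is the binary's main module (assumed flag)
}

type matcherConfig struct {
	AllowMainModulePseudoVersionComparison bool
}

func isPseudoVersion(v string) bool { return pseudoVersionRE.MatchString(v) }

// configFromEnv mirrors the env-var override: unset means the PR's default (true).
// lookup is injectable so the behaviour can be tested without touching the process env.
func configFromEnv(lookup func(string) (string, bool)) (matcherConfig, error) {
	cfg := matcherConfig{AllowMainModulePseudoVersionComparison: true}
	if raw, ok := lookup(envAllowMainModulePseudo); ok {
		b, err := strconv.ParseBool(raw)
		if err != nil {
			return cfg, fmt.Errorf("%s: %w", envAllowMainModulePseudo, err)
		}
		cfg.AllowMainModulePseudoVersionComparison = b
	}
	return cfg, nil
}

// baseVersion extracts the numeric X.Y.Z from "v0.0.0-2024...-abc" or "0.1.29".
func baseVersion(v string) ([3]int, error) {
	var out [3]int
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i] // drop pre-release / pseudo-version suffix and build metadata
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return out, fmt.Errorf("not an X.Y.Z version: %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, fmt.Errorf("bad component %q in %q: %w", p, v, err)
		}
		out[i] = n
	}
	return out, nil
}

// compareBase returns -1, 0 or 1 comparing only the X.Y.Z parts. This is the
// simplification that makes a main-module pseudo-version look older than every fix.
func compareBase(a, b string) (int, error) {
	av, err := baseVersion(a)
	if err != nil {
		return 0, err
	}
	bv, err := baseVersion(b)
	if err != nil {
		return 0, err
	}
	for i := 0; i < 3; i++ {
		if av[i] < bv[i] {
			return -1, nil
		}
		if av[i] > bv[i] {
			return 1, nil
		}
	}
	return 0, nil
}

// shouldCompare is the gate the PR adds: main module + pseudo-version is only
// compared when the config option allows it; everything else is always compared.
func shouldCompare(cfg matcherConfig, pkg goPackage) bool {
	if pkg.IsMainModule && isPseudoVersion(pkg.Version) {
		return cfg.AllowMainModulePseudoVersionComparison
	}
	return true
}

// match returns "vulnerable", "not-vulnerable" or "skipped" for one advisory fix version.
func match(cfg matcherConfig, pkg goPackage, fixedIn string) (string, error) {
	if !shouldCompare(cfg, pkg) {
		return "skipped", nil
	}
	c, err := compareBase(pkg.Version, fixedIn)
	if err != nil {
		return "", err
	}
	if c < 0 {
		return "vulnerable", nil
	}
	return "not-vulnerable", nil
}

func main() {
	// Values from the PR's ollama example; the SBOM entry itself is constructed here.
	pkg := goPackage{Path: "github.com/ollama/ollama", Version: "v0.0.0-20240414223325-7027f264fbb3", IsMainModule: true}
	for _, allow := range []bool{true, false} {
		cfg := matcherConfig{AllowMainModulePseudoVersionComparison: allow}
		res, _ := match(cfg, pkg, "0.1.29")
		fmt.Printf("allow=%v  %s %s  fixed-in 0.1.29  GHSA-5jx5-hqx5-2vrj -> %s\n", allow, pkg.Path, pkg.Version, res)
	}
	if cfg, err := configFromEnv(os.LookupEnv); err == nil {
		fmt.Println("env-derived allow =", cfg.AllowMainModulePseudoVersionComparison)
	}
}
```

With `allow=true` the ollama entry is reported vulnerable (the FP from the first run above); with `allow=false` it is skipped, matching the `NO RESULT` run. A dependency with the same pseudo-version is still compared either way, since the skip is scoped to the main module only.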

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
+-------> Type: chore, docs, feat, fix, refactor, style, or test.

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
@spiffcs spiffcs merged commit b7ffbee into main Apr 18, 2024
10 checks passed
@spiffcs spiffcs deleted the config-opt-in-golang-pseudo-version branch April 18, 2024 18:40