feat: add Root.io unaffected vulnerability filtering #3030
Force-pushed: a0281e4 to 5739e82
grype/matcher/common/rootio.go (outdated)
| return matches | ||
| } | ||
|
|
||
| // Root.io packages with .root.io versions have been patched by Root.io |
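Review bot: the comment on the last line (`// Root.io packages with .root.io versions have been patched by Root.io`) marks this filter as a version-string check, which decides by how the version looks rather than by which CVEs a given Root.io build actually fixes; a package can carry a `.root.io` version and still be vulnerable to a CVE Root.io has not patched, and those findings would be silently dropped. Suggest looking up the unaffected-package data that vunnel and grype-db provide for this package and vulnerability, and checking its version constraint, before suppressing a match.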
This isn't right - you should be actually searching the database for fixes that the vunnel and grype-db work have put there.
Add database-driven filtering for Root.io patched packages by querying
UnaffectedPackageHandle entries from grype-db. This implements the
reviewer's requirement to search the database for fixes from vunnel and
grype-db.
Key changes:
- Add FindUnaffectedPackages() to vulnerability.Provider interface
- Implement database querying in vulnerability_provider.go
- Create UnaffectedPackage model with constraint validation
- Add RootIOCriteria for Root.io-specific OS queries using rootio-{distro}
- Implement FilterRootIoUnaffectedMatches() with database queries
- Filter vulnerabilities selectively per CVE with constraint checking
- Integrate filtering into APK, DPKG, and Python matchers
- Add comprehensive unit tests for database-driven filtering
The implementation queries the unaffected_package_handles table populated
by grype-db, validates version constraints per CVE, and only filters
vulnerabilities that Root.io has actually patched.
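The commit message above contrasts the earlier version-string heuristic with per-CVE, constraint-checked lookups against the unaffected-package data. The following is an added example written for this page, not grype's code or the PR's code: the `Match` and `UnaffectedPackage` types, the `rootio-debian` distro key, the CVE ids and the versions are all constructed, and `satisfies` understands only `>= X` constraints with a toy numeric version comparison (grype has its own version and database layers). It shows why the substring check hides real findings and how a per-CVE lookup keeps them.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Match is a cut-down stand-in for a grype vulnerability match (constructed for this example).
type Match struct {
	VulnID  string
	Distro  string // "rootio-debian" in the spirit of the PR's rootio-{distro} criteria, or plain "debian"
	PkgName string
	PkgVer  string
}

// UnaffectedPackage is a cut-down stand-in for one unaffected-package record:
// PkgName on Distro is unaffected by VulnID when the installed version satisfies Constraint.
type UnaffectedPackage struct {
	VulnID     string
	Distro     string
	PkgName    string
	Constraint string // only ">= <version>" is understood here
}

// parseVersion turns "3.0.2-1.root.io" into [3 0 2 1]; tokens from the first
// non-numeric one onward ("root", "io") are ignored. Hypothetical, not grype's logic.
func parseVersion(v string) []int {
	var out []int
	for _, tok := range strings.FieldsFunc(v, func(r rune) bool { return r == '.' || r == '-' }) {
		n, err := strconv.Atoi(tok)
		if err != nil {
			break
		}
		out = append(out, n)
	}
	return out
}

// atLeast reports whether version >= fixed, comparing numeric segments left to
// right; a missing segment counts as 0.
func atLeast(version, fixed string) bool {
	pv, pf := parseVersion(version), parseVersion(fixed)
	for i := 0; i < len(pv) || i < len(pf); i++ {
		var x, y int
		if i < len(pv) {
			x = pv[i]
		}
		if i < len(pf) {
			y = pf[i]
		}
		if x != y {
			return x > y
		}
	}
	return true
}

// satisfies evaluates a ">= X" constraint; any other shape is an error so that an
// unrecognised constraint never silently suppresses a finding.
func satisfies(version, constraint string) (bool, error) {
	fixed, ok := strings.CutPrefix(strings.TrimSpace(constraint), ">=")
	if !ok {
		return false, fmt.Errorf("unsupported constraint %q", constraint)
	}
	return atLeast(version, strings.TrimSpace(fixed)), nil
}

// filterBySubstring is the rejected heuristic: every match whose package version
// contains ".root.io" is dropped, whichever CVE it is.
func filterBySubstring(matches []Match) []Match {
	var kept []Match
	for _, m := range matches {
		if !strings.Contains(m.PkgVer, ".root.io") {
			kept = append(kept, m)
		}
	}
	return kept
}

// filterByDatabase drops a match only when a record exists for the same distro,
// package and CVE and the installed version satisfies that record's constraint.
func filterByDatabase(matches []Match, unaffected []UnaffectedPackage) []Match {
	index := map[string][]UnaffectedPackage{}
	for _, u := range unaffected {
		k := u.Distro + "|" + u.PkgName + "|" + u.VulnID
		index[k] = append(index[k], u)
	}
	var kept []Match
	for _, m := range matches {
		suppressed := false
		for _, u := range index[m.Distro+"|"+m.PkgName+"|"+m.VulnID] {
			if ok, err := satisfies(m.PkgVer, u.Constraint); err == nil && ok {
				suppressed = true
				break
			}
		}
		if !suppressed {
			kept = append(kept, m)
		}
	}
	return kept
}

// Constructed sample data: three Root.io-built openssl matches and one stock Debian one.
func sampleMatches() []Match {
	return []Match{
		{"CVE-0000-0001", "rootio-debian", "openssl", "3.0.2-1.root.io"}, // fixed by Root.io
		{"CVE-0000-0002", "rootio-debian", "openssl", "3.0.2-1.root.io"}, // no fix record: still vulnerable
		{"CVE-0000-0003", "rootio-debian", "openssl", "3.0.2-1.root.io"}, // fix needs a newer build
		{"CVE-0000-0001", "debian", "openssl", "3.0.2-1"},                // not a Root.io build
	}
}

func sampleUnaffected() []UnaffectedPackage {
	return []UnaffectedPackage{
		{"CVE-0000-0001", "rootio-debian", "openssl", ">= 3.0.2-1.root.io"},
		{"CVE-0000-0003", "rootio-debian", "openssl", ">= 3.0.2-2.root.io"},
	}
}

func main() {
	m := sampleMatches()
	fmt.Println("substring heuristic keeps", len(filterBySubstring(m)), "of", len(m), "matches")
	for _, k := range filterByDatabase(m, sampleUnaffected()) {
		fmt.Printf("database-driven keeps %s %s %s (%s)\n", k.VulnID, k.PkgName, k.PkgVer, k.Distro)
	}
}
```

On the sample data the substring heuristic keeps only the stock Debian match and hides CVE-0000-0002 (no Root.io fix exists) and CVE-0000-0003 (the fix is in a newer build than the one installed); the per-CVE lookup keeps both of those and suppresses only CVE-0000-0001, the one the record actually covers.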
Force-pushed: 5739e82 to 921b361
| } | ||
|
|
||
| func FilterRootIoUnaffectedMatchesForLanguage(store vulnerability.Provider, p pkg.Package, language string, matches []match.Match) []match.Match { | ||
| return FilterRootIoUnaffectedMatches(store, p, matches) |
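Review bot: `FilterRootIoUnaffectedMatchesForLanguage` takes a `language` parameter but forwards only `store`, `p` and `matches` to `FilterRootIoUnaffectedMatches`, so the argument has no effect, and Go will not flag it since unused parameters compile cleanly. Either remove the wrapper and call `FilterRootIoUnaffectedMatches` directly from the language matchers, or make the language part of the lookup; as written, a caller reads per-language filtering into a function that performs none.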
I'm confused. Is the language parameter ignored? Why?
| DistroVersion: p.Distro.VersionString(), | ||
| } | ||
|
|
||
| unaffectedPkgs, err := store.FindUnaffectedPackages(p, rootIOCriteria) |
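Review bot: `store.FindUnaffectedPackages(p, rootIOCriteria)` adds a new provider method for a lookup the store can already perform; prefer the existing unaffected-package search with Root.io criteria over widening the `vulnerability.Provider` interface, which every implementation and test double then has to satisfy. Separately, `p.Distro.VersionString()` a few lines up assumes `p.Distro` is set; if a package can reach this path without distro information, guard for nil before building the criteria rather than panicking inside the matcher.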
The store already has a method to search for unaffected packages.
Hi @chait-slim! Thanks for addressing the feedback. A couple things:

First: I think we'd benefit from a call to talk about this new vulnerability data and how it should work with Grype - I am trying to give sort of high level feedback in GitHub comments and I think some context is being lost. Can you make an appointment with me at https://calendar.app.google/vtAP61H34Cu4QQWq7 ? Please include anyone who can answer questions about the semantics of the vulnerability data. Thanks!

Second: the PRs are failing the DCO check. See https://github.com/anchore/grype/blob/main/CONTRIBUTING.md#sign-off-your-work for some info on how to fix this and why it is required.
Thanks @willmurphyscode!
Packages with .root.io in their version string are patched by Root.io
and should not report vulnerabilities marked as ROOTIO_UNAFFECTED.
Signed-off-by: Chai Tadmor [email protected]