Skip to content

feat: disable CPE-based matching for GHSA ecosystems by default#1412

Merged
wagoodman merged 3 commits intomainfrom
disable-cpe-matching-by-default-for-ghsa-covered-ecosystems
Oct 12, 2023
Merged

feat: disable CPE-based matching for GHSA ecosystems by default#1412
wagoodman merged 3 commits intomainfrom
disable-cpe-matching-by-default-for-ghsa-covered-ecosystems

Conversation

@westonsteimel
Copy link
Copy Markdown
Contributor

@westonsteimel westonsteimel commented Aug 2, 2023
edited by kzantow
Loading

Disables CPE-based matching for ecosystems which are covered by GitHub Security Advisories. Also adds a separate rust matcher and related configuration to allow configuring CPE-based matching off for rust packages while still leaving it enabled for anything falling into the stock matcher.

Fixes: #811

@westonsteimel westonsteimel force-pushed the disable-cpe-matching-by-default-for-ghsa-covered-ecosystems branch 4 times, most recently from c35f935 to 288021a Compare August 4, 2023 15:47
@westonsteimel westonsteimel force-pushed the disable-cpe-matching-by-default-for-ghsa-covered-ecosystems branch 7 times, most recently from dd2da98 to 61c6c61 Compare August 18, 2023 19:48
@westonsteimel westonsteimel force-pushed the disable-cpe-matching-by-default-for-ghsa-covered-ecosystems branch 6 times, most recently from 0ceb397 to 0e973a0 Compare August 21, 2023 18:36
@westonsteimel westonsteimel marked this pull request as ready for review August 22, 2023 11:47
@westonsteimel westonsteimel requested a review from a team August 22, 2023 11:47
@spiffcs spiffcs added the blocked Progress is being stopped by something label Aug 22, 2023
@spiffcs
Copy link
Copy Markdown
Contributor

spiffcs commented Aug 22, 2023

Added blocked for now so that we investigate the quality gate a bit more to see why this is passing when we expect a failure given the number of false negatives

@westonsteimel westonsteimel force-pushed the disable-cpe-matching-by-default-for-ghsa-covered-ecosystems branch 4 times, most recently from 859ab71 to c54f2b5 Compare September 13, 2023 09:41
@tgerla tgerla mentioned this pull request Sep 14, 2023
Open
@westonsteimel westonsteimel force-pushed the disable-cpe-matching-by-default-for-ghsa-covered-ecosystems branch 4 times, most recently from c04ff06 to 005b0eb Compare September 25, 2023 13:50
@westonsteimel westonsteimel force-pushed the disable-cpe-matching-by-default-for-ghsa-covered-ecosystems branch from 005b0eb to 5925a17 Compare September 29, 2023 07:29
@wagoodman wagoodman mentioned this pull request Sep 29, 2023
Closed
@westonsteimel
feat: disable CPE-based matching for GHSA ecosystems by default
4bb9fa7 
Disables CPE-based matching for ecosystems which are covered by GitHub
Security Advisories.  Also adds a separate rust matcher and related
configuration to allow configuring CPE-based matching off for it while
still leaving it on for the stock matcher.

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
@westonsteimel
chore: use --by-cve with quality gate comparison
2efcff5 
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
@westonsteimel
chore: add rust auditable binary match integration test
2440dd3 
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
@westonsteimel westonsteimel force-pushed the disable-cpe-matching-by-default-for-ghsa-covered-ecosystems branch from 5925a17 to 2440dd3 Compare October 11, 2023 08:43
@wagoodman wagoodman removed the blocked Progress is being stopped by something label Oct 12, 2023
@wagoodman wagoodman merged commit 25762b7 into main Oct 12, 2023
@wagoodman wagoodman deleted the disable-cpe-matching-by-default-for-ghsa-covered-ecosystems branch October 12, 2023 13:07
@Porkepix Porkepix mentioned this pull request Oct 12, 2023
Merged
@luhring luhring mentioned this pull request Oct 12, 2023
Merged
spiffcs added a commit that referenced this pull request Oct 19, 2023
@spiffcs
Merge branch 'main' into 970-alpine-match-simplification
757a60f 
* main: (137 commits)
  chore(deps): bump actions/checkout from 4.1.0 to 4.1.1 (#1564)
  Add --ignore-states flag for ignoring findings with specific fix states (#1473)
  feat: update go-sarif library to use latest release (#1563)
  bump clio to get stderr reporting fix (#1561)
  chore(deps): bump github.com/gabriel-vasile/mimetype from 1.4.2 to 1.4.3 (#1558)
  chore(deps): bump github.com/charmbracelet/lipgloss from 0.9.0 to 0.9.1 (#1557)
  Add checksum signing (#1535)
  chore(deps): bump golang.org/x/net from 0.16.0 to 0.17.0 (#1554)
  feat: disable CPE-based matching for GHSA ecosystems by default (#1412)
  chore(deps): bump github.com/google/go-cmp from 0.5.9 to 0.6.0 (#1552)
  chore(deps): update Syft to v0.93.0 (#1550)
  chore(deps): bump gorm.io/gorm from 1.25.4 to 1.25.5 (#1547)
  chore(deps): bump github.com/charmbracelet/lipgloss from 0.8.0 to 0.9.0 (#1548)
  chore(deps): bump github.com/hashicorp/go-getter from 1.7.2 to 1.7.3 (#1549)
  chore(deps): bump ossf/scorecard-action from 2.2.0 to 2.3.0 (#1544)
  fix: empty descriptor name and version (#1542)
  chore: removes unnecessary conditional (#1539)
  chore(deps): bump github.com/gkampitakis/go-snaps from 0.4.10 to 0.4.11 (#1533)
  chore(deps): update Syft to v0.92.0 (#1527)
  chore(deps): update bootstrap tools to latest versions (#1524)
  ...
@spiffcs spiffcs mentioned this pull request May 1, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@wagoodman wagoodman wagoodman approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

feat: use ghsa to improve matching for cpes

3 participants

@westonsteimel @spiffcs @wagoodman