feat: disable CPE-based matching for GHSA ecosystems by default (#1412)
* feat: disable CPE-based matching for GHSA ecosystems by default Disables CPE-based matching for ecosystems which are covered by GitHub Security Advisories. Also adds a separate rust matcher and related configuration to allow configuring CPE-based matching off for it while still leaving it on for the stock matcher. Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * chore: use --by-cve with quality gate comparison Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * chore: add rust auditable binary match integration test Signed-off-by: Weston Steimel <weston.steimel@anchore.com> --------- Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
1 parent
bcbc7e4
commit 25762b7
Showing
11 changed files
with
131 additions
and
7 deletions.
@@ -0,0 +1,40 @@ | ||
package rust | ||
|
||
import ( | ||
"github.com/anchore/grype/grype/distro" | ||
"github.com/anchore/grype/grype/match" | ||
"github.com/anchore/grype/grype/pkg" | ||
"github.com/anchore/grype/grype/search" | ||
"github.com/anchore/grype/grype/vulnerability" | ||
syftPkg "github.com/anchore/syft/syft/pkg" | ||
) | ||
|
||
type Matcher struct { | ||
cfg MatcherConfig | ||
} | ||
|
||
type MatcherConfig struct { | ||
UseCPEs bool | ||
} | ||
|
||
func NewRustMatcher(cfg MatcherConfig) *Matcher { | ||
return &Matcher{ | ||
cfg: cfg, | ||
} | ||
} | ||
|
||
func (m *Matcher) PackageTypes() []syftPkg.Type { | ||
return []syftPkg.Type{syftPkg.RustPkg} | ||
} | ||
|
||
func (m *Matcher) Type() match.MatcherType { | ||
return match.RustMatcher | ||
} | ||
|
||
func (m *Matcher) Match(store vulnerability.Provider, d *distro.Distro, p pkg.Package) ([]match.Match, error) { | ||
criteria := search.CommonCriteria | ||
if m.cfg.UseCPEs { | ||
criteria = append(criteria, search.ByCPE) | ||
} | ||
return search.ByCriteria(store, d, p, m.Type(), criteria...) | ||
} |
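Review bot: `Match` appends to `search.CommonCriteria` directly (`criteria := search.CommonCriteria` followed by `append`), and since that is a package-level slice shared by every matcher, any spare capacity in its backing array would let the append write `search.ByCPE` into shared state, which concurrent `Match` calls would then race on. Cap the capacity before appending so the append always allocates a fresh slice: `criteria := search.CommonCriteria[:len(search.CommonCriteria):len(search.CommonCriteria)]`. Whether `CommonCriteria` is declared with len == cap is not visible in this hunk, so this is a defensive change rather than a reproduced bug. The exported `Matcher`, `MatcherConfig`, `NewRustMatcher`, `PackageTypes`, `Type` and `Match` also lack doc comments; at minimum `UseCPEs` should state why it is off by default, e.g. `// UseCPEs additionally enables CPE-based matching; it is off by default because the Rust ecosystem is covered by GitHub Security Advisories.`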
@@ -1 +1,2 @@ | ||
check-for-app-update: false | ||
|
2 changes: 2 additions & 0 deletions
2
test/integration/test-fixtures/image-rust-auditable-match-coverage/Dockerfile
@@ -0,0 +1,2 @@ | ||
# An image containing the example hello-auditable binary from https://github.com/Shnatsel/rust-audit/tree/master/hello-auditable | ||
FROM docker.io/tofay/hello-rust-auditable:latest |