
Unable to parse apk constraint phrase: failed to create comparator for '&{>= 1.0.2zk}' #2195

Closed
bergernir opened this issue Oct 16, 2024 · 7 comments
Assignees
Labels
bug Something isn't working

Comments

@bergernir

What happened:
Scans started to fail, with the next error message:
"error creating a constraint: version: 1.1.1y error: unable to parse apk constraint phrase: failed to create comparator for '&{>= 1.0.2zk}': unable to parse constraint version (1.0.2zk): invalid version"

What you expected to happen:
Scan should pass

Anything else we need to know?:
It looks like it is the same bug you had before:
#2048

Environment:

  • Output of grype version: 0.80.1
  • OS (e.g: cat /etc/os-release or similar): Linux
@bergernir bergernir added the bug Something isn't working label Oct 16, 2024
@bergernir (Author)

This exception happens on any package that contains the next CVE: "CVE-2024-5535".

@wagoodman wagoodman moved this to In Progress in OSS Oct 21, 2024
@willmurphyscode (Contributor)

Hi @bergernir thanks for the report!

I'm trying to investigate, and I haven't been able to trigger this error behavior. It looks like you're scanning a particular Alpine image with libssl or openssl installed? Can you share any more details that might help us reproduce the issue? For example, a link to a public image that exhibits the issue, or a snippet of Dockerfile that can be used to build an image that triggers the issue would be a big help. What version of Alpine? What version of OpenSSL? Even an alpine version and the apk add command that triggers this issue would probably be enough.

Also, I have a few questions that will help me understand and fix the bug:

  1. Does the issue happen on the latest version of grype 0.82.0 as of this writing?
  2. Does the issue still happen with today's vulnerability database (that is, after grype db update)?
  3. Are you running grype directly on an image?
  4. What version of alpine and openssl are present in the image?

You mentioned that this is the same issue as #2048, but the Dockerfile snippet from that image scans fine for me.

I'll keep investigating regardless, but a few more details would be a big help. Thanks!

@bergernir (Author)

Hi @willmurphyscode, thanks for your assistance.
Yesterday, we updated the Grype version from 0.80.2 to 0.82.1 and this error message has stopped.

@willmurphyscode (Contributor)

Thanks for letting us know!

@willmurphyscode willmurphyscode closed this as not planned Oct 23, 2024
@github-project-automation github-project-automation bot moved this from In Progress to Done in OSS Oct 23, 2024
@de4Ru

de4Ru commented Oct 31, 2024

Hello,
I'm facing the same issue with grype 0.83.0
[0222] ERROR failed to inflate vulnerability record (by language): failed to parse constraint='>=1.7.0,<1.9.0ubuntu1.2' format='Python': unable to parse pep440 constrain phrase failed to create comparator for '&{< 1.9.0ubuntu1.2}': unable to parse

@willmurphyscode (Contributor)

Hi @de4Ru - the issue you're facing is with Python packages, not APKs, so I made it its own issue, #2229, but the error messages do look very similar. Thanks for the report! Please follow #2229 for updates.

@tomersein (Contributor)

@willmurphyscode I think this is a good subject to discuss in the OSS weekly chat: how to monitor that bad values are not getting inside the DB and causing failures. Maybe worth running a script which will check that the versions meet the constraints.
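The pre-publication check suggested above can be sketched as a small audit over (record id, constraint phrase) pairs: split each phrase into comparators, pull out the version string, and reject anything the expected version grammar does not accept, so a record like the one in the error above is caught before a consumer's scan fails on it. The following Go program is an added illustration written for this thread, not grype's own code or its constraint parser. It assumes a simplified apk-tools version grammar (dotted digits, an optional single lowercase letter, optional `_alpha`/`_beta`/`_pre`/`_rc`/`_p`-style suffixes, an optional `-rN` revision); under that assumption `1.1.1y` passes while `1.0.2zk` does not, which matches the message in the report. The record set is constructed for the demonstration; swapping in a different `isValid` function extends the same audit to other formats, such as the PEP 440 case raised in this thread.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Record is a constructed stand-in for one vulnerability-database row:
// an identifier and the raw constraint phrase stored for it.
type Record struct {
	ID         string
	Constraint string
}

// ConstraintError names the comparator whose version failed validation.
type ConstraintError struct {
	Phrase     string
	Comparator string
	Version    string
}

func (e ConstraintError) Error() string {
	return fmt.Sprintf("constraint %q: comparator %q: version %q does not match format",
		e.Phrase, e.Comparator, e.Version)
}

// apkVersion is an ASSUMED approximation of the apk-tools version grammar:
// digits separated by dots, at most one lowercase letter, zero or more
// _suffix parts with an optional number, and an optional -rN revision.
var apkVersion = regexp.MustCompile(
	`^[0-9]+(\.[0-9]+)*[a-z]?(_(alpha|beta|pre|rc|cvs|svn|git|hg|p)[0-9]*)*(-r[0-9]+)?$`)

// IsApkVersion reports whether v matches the assumed apk grammar.
func IsApkVersion(v string) bool { return apkVersion.MatchString(v) }

// comparator splits one unit such as ">= 1.0.2zk" into operator and version.
var comparator = regexp.MustCompile(`^(<=|>=|<|>|=|!=)?\s*(.+)$`)

// ValidateConstraint splits a comma-separated phrase into comparators and
// returns one error per comparator whose version isValid rejects.
func ValidateConstraint(phrase string, isValid func(string) bool) []error {
	var errs []error
	for _, unit := range strings.Split(phrase, ",") {
		unit = strings.TrimSpace(unit)
		if unit == "" {
			continue
		}
		m := comparator.FindStringSubmatch(unit)
		version := strings.TrimSpace(m[2])
		if !isValid(version) {
			errs = append(errs, ConstraintError{Phrase: phrase, Comparator: unit, Version: version})
		}
	}
	return errs
}

// AuditRecords returns the records that would fail to parse at scan time,
// keyed by record ID, so they can be rejected before the database ships.
func AuditRecords(records []Record, isValid func(string) bool) map[string][]error {
	bad := map[string][]error{}
	for _, r := range records {
		if errs := ValidateConstraint(r.Constraint, isValid); len(errs) > 0 {
			bad[r.ID] = errs
		}
	}
	return bad
}

// SampleRecords is constructed test data: the first constraint reproduces
// the comparator quoted in the report; the others use well-formed versions.
func SampleRecords() []Record {
	return []Record{
		{ID: "CVE-2024-5535", Constraint: ">= 1.0.2zk"},
		{ID: "EXAMPLE-0001", Constraint: ">= 1.1.1y, < 3.1.4-r5"},
		{ID: "EXAMPLE-0002", Constraint: "< 1.0.2_p1"},
	}
}

func main() {
	for id, errs := range AuditRecords(SampleRecords(), IsApkVersion) {
		for _, err := range errs {
			fmt.Printf("%s: %v\n", id, err)
		}
	}
}
```

Running the program reports only the `CVE-2024-5535` row, naming the `>= 1.0.2zk` comparator; the two well-formed records produce no output. The audit is deliberately format-agnostic: the validator is a parameter so the same loop can run with a PEP 440 or other ecosystem-specific checker.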

4 participants