Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: disable CPE-based matching for GHSA ecosystems by default #1412

Merged

Conversation

westonsteimel
Copy link
Contributor

@westonsteimel westonsteimel commented Aug 2, 2023

Disables CPE-based matching for ecosystems which are covered by GitHub Security Advisories. Also adds a separate rust matcher and related configuration to allow configuring CPE-based matching off for rust packages while still leaving it enabled for anything falling into the stock matcher.

Fixes: #811

@westonsteimel westonsteimel force-pushed the disable-cpe-matching-by-default-for-ghsa-covered-ecosystems branch 4 times, most recently from c35f935 to 288021a Compare August 4, 2023 15:47
@westonsteimel westonsteimel force-pushed the disable-cpe-matching-by-default-for-ghsa-covered-ecosystems branch 7 times, most recently from dd2da98 to 61c6c61 Compare August 18, 2023 19:48
@westonsteimel westonsteimel force-pushed the disable-cpe-matching-by-default-for-ghsa-covered-ecosystems branch 6 times, most recently from 0ceb397 to 0e973a0 Compare August 21, 2023 18:36
@westonsteimel westonsteimel marked this pull request as ready for review August 22, 2023 11:47
@westonsteimel westonsteimel requested a review from a team August 22, 2023 11:47
@spiffcs spiffcs added the blocked Progress is being stopped by something label Aug 22, 2023
@spiffcs
Copy link
Contributor

spiffcs commented Aug 22, 2023

Added blocked for now so that we investigate the quality gate a bit more to see why this is passing when we expect a failure given the number of false negatives

@westonsteimel westonsteimel force-pushed the disable-cpe-matching-by-default-for-ghsa-covered-ecosystems branch 4 times, most recently from 859ab71 to c54f2b5 Compare September 13, 2023 09:41
@westonsteimel westonsteimel force-pushed the disable-cpe-matching-by-default-for-ghsa-covered-ecosystems branch 4 times, most recently from c04ff06 to 005b0eb Compare September 25, 2023 13:50
@westonsteimel westonsteimel force-pushed the disable-cpe-matching-by-default-for-ghsa-covered-ecosystems branch from 005b0eb to 5925a17 Compare September 29, 2023 07:29
Disables CPE-based matching for ecosystems which are covered by GitHub
Security Advisories.  Also adds a separate rust matcher and related
configuration to allow configuring CPE-based matching off for it while
still leaving it on for the stock matcher.

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
@westonsteimel westonsteimel force-pushed the disable-cpe-matching-by-default-for-ghsa-covered-ecosystems branch from 5925a17 to 2440dd3 Compare October 11, 2023 08:43
@wagoodman wagoodman removed the blocked Progress is being stopped by something label Oct 12, 2023
@wagoodman wagoodman merged commit 25762b7 into main Oct 12, 2023
8 of 9 checks passed
@wagoodman wagoodman deleted the disable-cpe-matching-by-default-for-ghsa-covered-ecosystems branch October 12, 2023 13:07
spiffcs added a commit that referenced this pull request Oct 19, 2023
* main: (137 commits)
  chore(deps): bump actions/checkout from 4.1.0 to 4.1.1 (#1564)
  Add --ignore-states flag for ignoring findings with specific fix states (#1473)
  feat: update go-sarif library to use latest release (#1563)
  bump clio to get stderr reporting fix (#1561)
  chore(deps): bump github.com/gabriel-vasile/mimetype from 1.4.2 to 1.4.3 (#1558)
  chore(deps): bump github.com/charmbracelet/lipgloss from 0.9.0 to 0.9.1 (#1557)
  Add checksum signing (#1535)
  chore(deps): bump golang.org/x/net from 0.16.0 to 0.17.0 (#1554)
  feat: disable CPE-based matching for GHSA ecosystems by default (#1412)
  chore(deps): bump github.com/google/go-cmp from 0.5.9 to 0.6.0 (#1552)
  chore(deps): update Syft to v0.93.0 (#1550)
  chore(deps): bump gorm.io/gorm from 1.25.4 to 1.25.5 (#1547)
  chore(deps): bump github.com/charmbracelet/lipgloss from 0.8.0 to 0.9.0 (#1548)
  chore(deps): bump github.com/hashicorp/go-getter from 1.7.2 to 1.7.3 (#1549)
  chore(deps): bump ossf/scorecard-action from 2.2.0 to 2.3.0 (#1544)
  fix: empty descriptor name and version (#1542)
  chore: removes unnecessary conditional (#1539)
  chore(deps): bump github.com/gkampitakis/go-snaps from 0.4.10 to 0.4.11 (#1533)
  chore(deps): update Syft to v0.92.0 (#1527)
  chore(deps): update bootstrap tools to latest versions (#1524)
  ...
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

feat: use ghsa to improve matching for cpes
3 participants