
fix: adds ignore rules for kernel-headers indirect matches #1787

Merged
merged 3 commits into from
Apr 15, 2024

Conversation

zhill
Member

@zhill zhill commented Apr 4, 2024

Adds ignoring of kernel-headers indirect matches on kernel vulns since the kernel-headers package does not have the kernel code in it that kernel vulns are actually referring to.

Adds a config value to control this ignore behavior that defaults to enabling the ignore rules.

Fixes: #1762

  • Adds ignore rule support for match types and upstream package names.
  • Adds default ignore rules for kernel-headers indirect matches on kernel for rpms.
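As an added illustration of the rule shape the description implies (example code written for this page, not grype's own implementation and not code from this PR): an ignore rule whose package name, package type, upstream package name and match type must all match, a built-in rule for rpm kernel-headers reached only indirectly through its kernel upstream, and a config toggle that enables those defaults. The type names, field names, the `IgnoreKernelHeaders` option and the sample match list are assumptions made for the example.

```go
package main

import "fmt"

// MatchType records how a vulnerability was associated with a package. An
// indirect match was reached through the package's upstream (source) package
// rather than the package itself.
type MatchType string

const (
	ExactDirectMatch   MatchType = "exact-direct-match"
	ExactIndirectMatch MatchType = "exact-indirect-match"
)

// Package is a minimal package record. Upstream is the source package that
// built it; for the rpm "kernel-headers" that is the "kernel" SRPM.
type Package struct {
	Name     string
	Type     string // "rpm", "deb", ...
	Upstream string
}

// Match is one vulnerability finding against one package.
type Match struct {
	VulnID string
	Pkg    Package
	Type   MatchType
}

// IgnoreRule is an AND of criteria: every non-empty field must match.
type IgnoreRule struct {
	PackageName  string
	PackageType  string
	UpstreamName string
	MatchType    MatchType
}

// Applies reports whether the rule matches m. An all-empty rule matches
// nothing, so a zero-value rule cannot silently suppress every finding.
func (r IgnoreRule) Applies(m Match) bool {
	if r == (IgnoreRule{}) {
		return false
	}
	if r.PackageName != "" && r.PackageName != m.Pkg.Name {
		return false
	}
	if r.PackageType != "" && r.PackageType != m.Pkg.Type {
		return false
	}
	if r.UpstreamName != "" && r.UpstreamName != m.Pkg.Upstream {
		return false
	}
	if r.MatchType != "" && r.MatchType != m.Type {
		return false
	}
	return true
}

// DefaultKernelHeadersRules suppresses findings attributed to rpm
// kernel-headers only via its "kernel" upstream: the headers carry no kernel
// code, so a kernel CVE does not apply to them. A direct match against
// kernel-headers itself is deliberately left alone.
func DefaultKernelHeadersRules() []IgnoreRule {
	return []IgnoreRule{{
		PackageName:  "kernel-headers",
		PackageType:  "rpm",
		UpstreamName: "kernel",
		MatchType:    ExactIndirectMatch,
	}}
}

// Config is a hypothetical stand-in for scanner configuration: the toggle for
// the built-in kernel-headers rules plus any user-supplied rules.
type Config struct {
	IgnoreKernelHeaders bool
	UserRules           []IgnoreRule
}

// DefaultConfig enables the built-in rules, as the PR description says the
// real option does by default.
func DefaultConfig() Config { return Config{IgnoreKernelHeaders: true} }

// EffectiveRules appends the defaults to the user rules when enabled.
func EffectiveRules(cfg Config) []IgnoreRule {
	rules := append([]IgnoreRule{}, cfg.UserRules...)
	if cfg.IgnoreKernelHeaders {
		rules = append(rules, DefaultKernelHeadersRules()...)
	}
	return rules
}

// ApplyIgnoreRules partitions matches into those to report and those ignored.
func ApplyIgnoreRules(matches []Match, rules []IgnoreRule) (kept, ignored []Match) {
	for _, m := range matches {
		suppressed := false
		for _, r := range rules {
			if r.Applies(m) {
				suppressed = true
				break
			}
		}
		if suppressed {
			ignored = append(ignored, m)
		} else {
			kept = append(kept, m)
		}
	}
	return kept, ignored
}

// SampleMatches is constructed input for the example, not real scan output.
func SampleMatches() []Match {
	headers := Package{Name: "kernel-headers", Type: "rpm", Upstream: "kernel"}
	kernel := Package{Name: "kernel", Type: "rpm", Upstream: "kernel"}
	debHeaders := Package{Name: "linux-headers-generic", Type: "deb", Upstream: "linux"}
	return []Match{
		{VulnID: "CVE-EXAMPLE-1", Pkg: headers, Type: ExactIndirectMatch},    // ignored by default rule
		{VulnID: "CVE-EXAMPLE-2", Pkg: headers, Type: ExactDirectMatch},      // kept: direct match
		{VulnID: "CVE-EXAMPLE-1", Pkg: kernel, Type: ExactDirectMatch},       // kept: the kernel itself
		{VulnID: "CVE-EXAMPLE-3", Pkg: debHeaders, Type: ExactIndirectMatch}, // kept: rule is rpm-only
	}
}

func main() {
	kept, ignored := ApplyIgnoreRules(SampleMatches(), EffectiveRules(DefaultConfig()))
	for _, m := range ignored {
		fmt.Printf("ignored %s on %s (%s, %s)\n", m.VulnID, m.Pkg.Name, m.Pkg.Type, m.Type)
	}
	for _, m := range kept {
		fmt.Printf("kept    %s on %s (%s, %s)\n", m.VulnID, m.Pkg.Name, m.Pkg.Type, m.Type)
	}
}
```

The point of keying the default rule on match type and upstream name together is that it removes only the finding that exists because kernel-headers was built from the kernel source package; a vulnerability recorded directly against kernel-headers, or against the kernel package itself, still surfaces, and turning the toggle off restores every match.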

@zhill
Member Author

zhill commented Apr 4, 2024

Opening as a draft for initial feedback. I'll address any concerns in UX, testing, etc and then move it to ready for review

Contributor

@spiffcs spiffcs left a comment

Thanks for the PR @zhill - I took a look and like this approach of using the built in ignore rules as the hook for this option.

I'll take a look this afternoon at what unit tests should look like for this feature.

I also noted that the quality gate is now failing with this PR so will examine to see how I can help fix that for you as well.

Contributor

@kzantow kzantow left a comment

Overall this looks pretty good to me

Review comment threads (all resolved) on:
  • cmd/grype/cli/options/grype.go (outdated)
  • grype/match/ignore.go
  • cmd/grype/cli/options/grype.go (outdated)
@zhill
Member Author

zhill commented Apr 10, 2024

> Thanks for the PR @zhill - I took a look and like this approach of using the built in ignore rules as the hook for this option.
>
> I'll take a look this afternoon at what unit tests should look like for this feature.
>
> I also noted that the quality gate is now failing with this PR so will examine to see how I can help fix that for you as well.

Ack, yes I knew the quality gate would need work once I get 👍 on the approach. Happy to resolve that once we're good on the things like option naming and rule details.

@zhill zhill force-pushed the zhill/ignore-kernel-headers-1762 branch 2 times, most recently from 7846d96 to c068ba7 Compare April 11, 2024 00:18
@zhill
Member Author

zhill commented Apr 13, 2024

I've added tests and I have a PR for the quality tests: anchore/vulnerability-match-labels#132

What's the process for getting the quality to pass? Do I wait for that to merge and then update the submodule to that commit in main?

@zhill zhill force-pushed the zhill/ignore-kernel-headers-1762 branch from 9e21c34 to 7d8e8b4 Compare April 13, 2024 21:12
@zhill zhill marked this pull request as ready for review April 13, 2024 21:12
@willmurphyscode
Contributor

@zhill I've approved anchore/vulnerability-match-labels#132.

> What's the process for getting the quality to pass? Do I wait for that to merge and then update the submodule to that commit in main?

I'd recommend updating the submodule in this branch. It's also fine to update the submodule in main in a separate PR, and merge/rebase that change into this PR, but in the case where the set of expected matches changes, like in this case, it's possible that a PR to main that changes labels will fail, because it's missing the logic in this PR. Does that make sense?

Adds ignoring of kernel-headers indirect matches on kernel vulns
since the kernel-headers package does not have the kernel code in it
that kernel vulns are actually referring to.

Adds a config value to control this ignore behavior that defaults to
enabling the ignore rules.

Fixes: 1762

* Adds ignore rule support for match types and upstream package names.
* Adds default ignore rules for kernel-headers indirect matches on kernel
for rpms.

Signed-off-by: Zach Hill <zach@anchore.com>
@zhill zhill force-pushed the zhill/ignore-kernel-headers-1762 branch from 7d8e8b4 to ba44f20 Compare April 15, 2024 18:21
@zhill zhill requested a review from kzantow April 15, 2024 18:24
Signed-off-by: Zach Hill <zach@anchore.com>
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Contributor

@kzantow kzantow left a comment

LGTM 👍

@zhill zhill merged commit a7cbe3a into main Apr 15, 2024
10 checks passed
@zhill zhill deleted the zhill/ignore-kernel-headers-1762 branch April 15, 2024 20:29
4 participants