-
Notifications
You must be signed in to change notification settings - Fork 575
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
list of unrelated versions in the remediation #2264
Comments
This appears to be working as I would expect. This is the new JVM cataloguer in syft, and there is currently no better source than NVD CPE based matches for that. This is a record I have manually enriched in our cve-data-enrichment repo. It is showing you every possible known fixed version for openjdk that we are aware of. So for the 17.x series the known fix is 17.0.12. |
hi @westonsteimel , thanks for your answer! can you elaborate on the JVM cataloger? isn't it working like java cataloger? isn't github advisory more accurate? let me know what do you think |
I'll let @wagoodman speak on the specific details of the JVM cataloguer, but the GitHub data does not include the Java jdk or jre environments, only maven like packages so it cannot be used for this. |
currently there is not a way to make the fixed version for that specific match only show 17.x because of the way all of the NVD processing works, but we are working on improving this with work that is ongoing for the grype dB v6 schema, but it is a significant amount of change compared to previous schemas so will take some time to get all of the pieces in place to start using it |
also, we do think there needs to be a way to show what the fixes are for newer release lines of a product since it may be desirable to jump to a newer release than the one you are currently on and there is no way to see this without querying the db for instance for the GitHub records. So ideally we'd have a way to show the "nearest" fix as well as a way to show all of the fixes greater than current, and eventually I'd also like a way to show the newest possible release of a package, but that is a stretch goal |
perhaps a temporary path forward could be to do version comparisons on the available fixes from the grype db and only show ones that are greater than the current package version in the results or something like that? |
So for the above match it would end up just showing 17.0.12, 21.0.4, 22.0.2 |
hi @westonsteimel , |
@tomersein can you help me understand why you think these versions are "unrelated"? These lower versions are other fixes for the JVM that some other users might be interested in. |
Hi @spiffcs ! as an end user, it doesn't make any sense to upgrade to the above versions, they are out of context. I want to make the results more focused so action items can be made once a vulnerability is found. what do you think? :) |
@spiffcs , just FYI I suggested this approach in #2264 (comment) |
We know what version of the package we've matched against, I think by default it doesn't make sense to show fixes that are < the currently installed version. This happens automatically though also somewhat accidentally today for the GitHub entries due to the way that data is structured and stored in grype db, but isn't possible for NVD. And I think in future we want to be able to display all relevant fixes that are greater than the current installed version across all package types anyways (I think this should be possible in v6 of grype db) |
Discussion topicRight now, Grype shows all fixed versions, even in table output: grype/grype/presenter/table/presenter.go Line 186 in e17dd0c
This is not ideal, because if a fix has been back-ported, Grype's table output will include suggestions to downgrade. I think there are a few approaches that might make sense:
Of course, this could also be made configurable. Edit: this issue is very similar to #2253; they should probably be discussed together. Thanks for the PR @tomersein - once we've had a chance to discuss, we'll provide additional feedback on it. |
hi! if i can share my opinion:
|
What happened:
Hello!
I've scanned an image using grype 0.84.0, and received the below CVE.
The problem is, that my package is version 17.0.2, and in the fixed versions some of the versions doesn't really to be related to the actual remediation.
I have 2 questions regarding this issue:
let me know if you need any additional information :)
What you expected to happen:
provide only related versions
How to reproduce it (as minimally and precisely as possible):
Anything else we need to know?:
Environment:
grype version
: 0.84.0cat /etc/os-release
or similar): macThe text was updated successfully, but these errors were encountered: