feat: RHEL CSAF provider #758
Conversation
Add a new provider, rhel_csaf, that downloads rhel vulnerability data from the CSAF VEX JSON that RedHat publishes. Move the existing rhel provider to rhel_legacy. Add a top-level rhel provider that can be configured to delegate to rhel_legacy or rhel_csaf. Add some dataclasses to deserialize CSAF JSON into. Signed-off-by: Will Murphy <[email protected]>
willmurphyscode
added
the
run-pr-quality-gate
|
Looks like this failed with no space left on device: https://github.com/anchore/vunnel/actions/runs/12682455877/job/35347881901?pr=758#step:4:1848 |
|
re: no space, you can use and |
| if not parent: | ||
| # TODO: log a warning - got a leaf product with no parent distro or module | ||
| continue | ||
| grand_parent = csaf.product_tree.parent(parent or "NONE") |
There was a problem hiding this comment.
This is probably wrong. Why not None?
| @@ -223,7 +223,9 @@ tests: | |||
| - docker.io/anchore/test_images:appstreams-rhel-8-1a287dd@sha256:524ff8a75f21fd886ec7ed82387766df386671e8b77e898d05786118d5b7880b | |||
| - docker.io/anchore/test_images:vulnerabilities-centos@sha256:746d31247006cc06434ce91ccf3523b2c230ff6c378ffed7ca1c60bbb48ea86f | |||
| validations: | |||
| - *default-validations | |||
| - <<: *default-validations | |||
| max_f1_regression: 0.09 | |||
There was a problem hiding this comment.
We really don't want to do this. We need to investigate the particular false positive in the quality gate:
grype[custom-db]@v0.86.1-14-g67ac96f ONLY mariadb-common@3:10.3.28-1.module_el8.3.0+757+d382997d CVE-2021-27928 FalsePositive (this is a new FP 😱)
grype[custom-db]@v0.86.1-14-g67ac96f ONLY mariadb@3:10.3.28-1.module_el8.3.0+757+d382997d CVE-2021-27928 FalsePositive (this is a new FP 😱)
I think we should investigate fixing grype's version comparison so that RPM version 3:10.3.28-1.module_el8.3.0+757+d382997d compares as equal to 3:10.3.28-1.module+el8.3.0+10472+7adc332a rather than less. Then neither reference nor candidate will find this CVE.
Specifically https://github.com/anchore/grype/blob/ed98490e966cf215eb785395fe80b79f99e420fa/grype/version/rpm_version.go#L99-L105
This needs to be smarter to understand that centOS and RedHat build numbers are not comparable, so 1.module+el8.3.0 and not 1.module+el8.3.0+10472+7adc332a is the string being compared. Probably a new compareRelease function instead of calling compareVersion again.
Otherwise, the RHEL CSAF provider runs out disk space. Signed-off-by: Will Murphy <[email protected]>
Add a new provider, rhel_csaf, that downloads rhel vulnerability data from the CSAF VEX JSON that RedHat publishes. Move the existing rhel provider to rhel_legacy. Add a top-level rhel provider that can be configured to delegate to rhel_legacy or rhel_csaf. Add some dataclasses to deserialize CSAF JSON into.
Fixes #323
skip_if_exists