
fix: match OpenSSL letter releases #2682

Merged
merged 2 commits into from
Feb 29, 2024

Conversation

harmw
Contributor

@harmw harmw commented Feb 29, 2024

This should resolve #2681

Original results using syft:v0.105.1:

```
 ✔ Loaded image                                                                          openresty/openresty:1.25.3.1-2-alpine
 ✔ Parsed image                                        sha256:b1cb45b1556801b8cb1bc29ea78faf2eaf67926a37b052dd070866e44d7df07a
 ✔ Cataloged contents                                         db4ad5d00580ca709b0423af26df39b23d48a1b792fea8ede029a1e412776470
   ├── ✔ Packages                        [52 packages]
   ├── ✔ File digests                    [403 files]
   ├── ✔ File metadata                   [403 locations]
   └── ✔ Executables                     [125 executables]
```

Scan:

```
 ✔ Vulnerability DB                [no update available]
 ✔ Scanned for vulnerabilities     [54 vulnerability matches]
   ├── by severity: 3 critical, 13 high, 36 medium, 2 low, 0 negligible
   └── by status:   4 fixed, 50 not-fixed, 0 ignored
```

Create SBOM using syft from this branch:

```
export DOCKER_HOST="unix://${HOME}/.colima/default/docker.sock"

./dist/darwin-build_darwin_arm64/syft packages docker:openresty/openresty:1.25.3.1-2-alpine -o spdx-json --file 2681.spdx.json
Command "packages" is deprecated, use `syft scan` instead
Flag --file has been deprecated, use: output
 ✔ Loaded image                                                                          openresty/openresty:1.25.3.1-2-alpine
 ✔ Parsed image                                        sha256:b1cb45b1556801b8cb1bc29ea78faf2eaf67926a37b052dd070866e44d7df07a
 ✔ Cataloged contents                                         db4ad5d00580ca709b0423af26df39b23d48a1b792fea8ede029a1e412776470
   ├── ✔ Packages                        [52 packages]
   ├── ✔ File digests                    [403 files]
   ├── ✔ File metadata                   [403 locations]
   └── ✔ Executables                     [125 executables]
```

Scan again:

```
 % docker run --rm -it -v ${PWD}:/work -v ~/.grype/cache:/.cache/grype anchore/grype:v0.74.4 sbom:/work/2681.spdx.json -o sarif --file /work/scan.sarif
 ✔ Vulnerability DB                [no update available]
 ✔ Scanned for vulnerabilities     [24 vulnerability matches]
   ├── by severity: 0 critical, 4 high, 20 medium, 0 low, 0 negligible
   └── by status:   4 fixed, 20 not-fixed, 0 ignored
```
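
Why the match count moves from 54 to 24 once letter releases are recognised, as an added example that is not syft's own code: a pattern that stops after the third numeric component truncates `1.1.1w` to `1.1.1`, and a bare `1.1.1` then compares older than every lettered 1.1.1 release, so any vulnerability record fixed in 1.1.1a through 1.1.1w is reported against it. The banner bytes, both patterns, `versionKey` and `isBelow` below are constructed for illustration and are not the classifier pattern or version comparison used by syft or grype.

```go
package main

import (
	"regexp"
	"strconv"
)

// Constructed stand-in for the NUL-terminated version banner inside libcrypto.
var sampleBanner = []byte("\x00OpenSSL 1.1.1w  11 Sep 2023\x00")
// naivePattern stops after the third numeric component and drops the letter;
// letterPattern keeps the optional 1.0.x/1.1.x suffix and still matches 3.x.
var (
	naivePattern  = regexp.MustCompile(`OpenSSL (?P<version>[0-9]+\.[0-9]+\.[0-9]+)`)
	letterPattern = regexp.MustCompile(`OpenSSL (?P<version>[0-9]+\.[0-9]+\.[0-9]+[a-z]?)`)
	versionRe     = regexp.MustCompile(`^([0-9]+)\.([0-9]+)\.([0-9]+)([a-z]?)$`)
)

// extractVersion returns the named "version" group, or "" when nothing matches.
func extractVersion(re *regexp.Regexp, data []byte) string {
	m := re.FindSubmatch(data)
	if m == nil {
		return ""
	}
	return string(m[re.SubexpIndex("version")])
}
// versionKey maps "1.1.1w" to an orderable integer (-1 if unparsable). A missing
// letter counts as 0, so a truncated "1.1.1" sorts older than 1.1.1a..1.1.1w.
func versionKey(v string) int {
	m := versionRe.FindStringSubmatch(v)
	if m == nil {
		return -1
	}
	key := 0
	for _, part := range m[1:4] {
		n, _ := strconv.Atoi(part)
		key = key*1000 + n
	}
	if m[4] == "" {
		return key * 100
	}
	return key*100 + int(m[4][0]-'a') + 1
}

// isBelow is true when found is older than fixedIn, i.e. a vulnerability
// record with that fix version would be reported against it.
func isBelow(found, fixedIn string) bool {
	a, b := versionKey(found), versionKey(fixedIn)
	return a >= 0 && b >= 0 && a < b
}
```

With the constructed banner, `isBelow(extractVersion(naivePattern, sampleBanner), "1.1.1t")` is true while the letter-aware extraction yields `1.1.1w` and is not below `1.1.1t`, which is the false-positive pattern the scan counts above reflect.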

@harmw harmw changed the title chore: match OpenSSL letter releases fix: match OpenSSL letter releases Feb 29, 2024
Signed-off-by: Harm Weites <harm@weites.com>
Signed-off-by: Harm Weites <harm@weites.com>
@wagoodman wagoodman enabled auto-merge (squash) February 29, 2024 14:34
@wagoodman wagoodman merged commit 356f7c9 into anchore:main Feb 29, 2024
11 checks passed
@harmw harmw deleted the openssl111 branch February 29, 2024 14:45
Development

Successfully merging this pull request may close these issues.

OpenSSL binary matcher fails to properly detect letter releases