Comments (2)
Hi, is this ticket ready to be worked on? If so, I'm interested in taking a look
@dandandy there is work ready to be picked up, but not in grype quite yet. Specifically, grype uses syft in order to discover packages... the work that needs to be done first is to add new catalogers to syft to be able to discover packages from these new sources for pacman and pipenv. I've created a couple of new issues to encapsulate that work: anchore/syft#241 and anchore/syft#242.

As for adding a new cataloger into syft, let's take pipenv as an example. Pipenv is a cataloger for "index" files which we actively look for when scanning directories and not images. To add a new index cataloger you'd need to:

- create a new parser function that can parse a `pipfile.lock` and return a set of packages (for an example, here is the parser function for requirements.txt files)
- wire up that parser to the existing index cataloger with the corresponding `**/Pipfile.lock` glob: https://github.com/anchore/syft/blob/main/syft/cataloger/python/index_cataloger.go#L12-L16
- add unit tests to cover the parser function

Happy to answer any questions on this work (reach out on those tickets or on the #toolbox-dev slack channel for more realtime conversation)!
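The three steps in the comment above (a parser that turns a Pipfile.lock into a set of packages, a file-name match for the `**/Pipfile.lock` glob, and a unit test over the parser) as one stand-alone Go example. This is added illustration, not syft's code: the `Package` type, the `parsePipfileLock` and `isPipfileLock` names and the embedded `sampleLock` document are all assumptions for this example, and syft's real cataloger uses its own package type and wiring.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"path/filepath"
	"sort"
	"strings"
)

// Package is a minimal stand-in for a discovered dependency. It is assumed for
// this example; syft's real cataloger returns its own package type.
type Package struct {
	Name    string
	Version string
	Section string // "default" or "develop", the two dependency groups in a Pipfile.lock
}

// pipfileLock mirrors only the parts of the Pipfile.lock JSON document needed here.
// Other top-level keys such as "_meta" are ignored by the decoder.
type pipfileLock struct {
	Default map[string]pipfileDependency `json:"default"`
	Develop map[string]pipfileDependency `json:"develop"`
}

// pipfileDependency holds the per-dependency field the parser reads.
// Editable or VCS dependencies carry no "version" key, so Version stays "".
type pipfileDependency struct {
	Version string `json:"version"`
}

// isPipfileLock is the file-name check the "**/Pipfile.lock" glob expresses;
// a cataloger would only hand such paths to the parser.
func isPipfileLock(path string) bool {
	return filepath.Base(path) == "Pipfile.lock"
}

// parsePipfileLock reads one Pipfile.lock and returns the packages it pins,
// sorted by section then name so the result is deterministic for tests.
func parsePipfileLock(r io.Reader) ([]Package, error) {
	var lock pipfileLock
	if err := json.NewDecoder(r).Decode(&lock); err != nil {
		return nil, fmt.Errorf("parse Pipfile.lock: %w", err)
	}

	var pkgs []Package
	for section, deps := range map[string]map[string]pipfileDependency{
		"default": lock.Default,
		"develop": lock.Develop,
	} {
		for name, dep := range deps {
			pkgs = append(pkgs, Package{
				Name: name,
				// Pipfile.lock pins exact versions as "==1.2.3"; strip the operator.
				Version: strings.TrimPrefix(dep.Version, "=="),
				Section: section,
			})
		}
	}

	sort.Slice(pkgs, func(i, j int) bool {
		if pkgs[i].Section != pkgs[j].Section {
			return pkgs[i].Section < pkgs[j].Section
		}
		return pkgs[i].Name < pkgs[j].Name
	})
	return pkgs, nil
}

// sampleLock is a constructed Pipfile.lock, trimmed to the fields that matter;
// the hash values and versions are placeholders, not real data.
const sampleLock = `{
  "_meta": {"hash": {"sha256": "constructed-placeholder"}, "pipfile-spec": 6},
  "default": {
    "requests": {"hashes": ["sha256:constructed"], "index": "pypi", "version": "==2.31.0"},
    "urllib3": {"version": "==2.0.7"}
  },
  "develop": {
    "pytest": {"version": "==7.4.2"},
    "mytool": {"editable": true, "path": "."}
  }
}`

func main() {
	if !isPipfileLock("/src/app/Pipfile.lock") {
		panic("glob check failed")
	}
	pkgs, err := parsePipfileLock(strings.NewReader(sampleLock))
	if err != nil {
		panic(err)
	}
	for _, p := range pkgs {
		fmt.Printf("%-8s %-10s %q\n", p.Section, p.Name, p.Version)
	}
}
```

The editable dependency is kept with an empty version rather than dropped, so a downstream matcher can see that something was installed from a local path even though no version can be pinned for it; whether to report or skip such entries is a policy decision for the cataloger, and the unit test pins down whichever behaviour is chosen.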