-
Notifications
You must be signed in to change notification settings - Fork 602
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
some non-PEP440 version constraints for GHSA python packages in grype-db #2229
Comments
I've added First, it was specifically requested (for similar issue #2195) on discourse, and second, there are a few aspects to the right approach here: Upstream data vendors can (and do) publish data that doesn't conform to what we'd expect (in this case a version string that seems not to be PEP440 compliant on a python package, or a version string for an APK package that doesn't conform to what that tooling expects in the case of #2195), so there are a few things we could do when seeing data like this:
The discussion is to explore these options and try to agree on some next steps. |
We should look into 3 & 4:
|
Specifically on apk it is important that we can do both apk to apk comparisons and the upstream to apk comparisons since we use NVD + fix feed. So upstream version 1.5.0 should be considered equal to alpine version 1.5.0-r0, etc. That will also become important with the enriched data which will be brought in with v6 grype db schema, because we'll want to be able to dow things like compare a deb package version from the sbom with an upstream semantic version directly. I did some testing and this seems to work at the moment, so just need to ensure we don't somehow break that with any changes |
The next step is to build options 3 and 4 from #2229 (comment) into Grype. |
Hello,
I'm facing the same issue with grype 0.83.0
[0222] ERROR failed to inflate vulnerability record (by language): failed to parse constraint='>=1.7.0,<1.9.0ubuntu1.2' format='Python': unable to parse pep440 constrain phrase failed to create comparator for '&{< 1.9.0ubuntu1.2}': unable to parse
Originally posted by @de4Ru in #2195 (comment)
edit: here's an example of the records that can't be inflated:
against a current grype db produces:
The text was updated successfully, but these errors were encountered: