Simplify v6 distribution material #2277
Conversation
Signed-off-by: Alex Goodman <[email protected]>
Signed-off-by: Alex Goodman <[email protected]>
Signed-off-by: Alex Goodman <[email protected]>
Signed-off-by: Alex Goodman <[email protected]>
6c41fd6 to ba4a2b4
grype/db/v6/enumerations.go
Outdated
@@ -57,6 +60,11 @@ const ( | |||
NotAffectedFixStatus FixStatus = "not-affected" | |||
) | |||
|
|||
const ( | |||
// AdvisoryReferenceTag is a reference to a vulnerability advisory | |||
AdvisoryReferenceTag string = "advisory" |
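Review bot: in the hunk `@@ -57,6 +60,11 @@`, the new const block declares `AdvisoryReferenceTag string = "advisory"` as a plain `string`, whereas the `FixStatus` constants directly above it use a named type; giving reference tags their own named type (for example `type ReferenceTag string`, a hypothetical name) would let the compiler reject unknown tags at the call sites that attach them. The doc comment "is a reference to a vulnerability advisory" should also say which kinds of links carry the tag, since, as raised in the thread below, "advisory" covers both patch lists (RHSA) and vulnerability descriptions (GHSA).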
Should there be more of these?
A reference tag is a string we expect to be used often to tag a reference in https://github.com/anchore/grype/blob/main/grype/db/v6/blobs.go#L51.
What's an Advisory exactly? For example, a Red Hat Security Advisory (RHSA) is a list of patches, but a GitHub Security Advisory is a vulnerability description. Is `advisory` the right tag name? What kind of links are going to be tagged with this tag name?
I think I'll add these in another PR, but agree with the overall question
Signed-off-by: Alex Goodman <[email protected]>
Signed-off-by: Alex Goodman <[email protected]>
FYI, I re-ran the acceptance tests because they failed after a small commit with
} | ||
} | ||
// override the checksum validation setting to ensure the checksum is always validated | ||
digest, validateErr := c.validate(true) |
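Review bot: the comment above `digest, validateErr := c.validate(true)` restates what the call does ("ensure the checksum is always validated") but not why the configured validation setting is being bypassed at this call site; it should name the caller that depends on an unconditional check and the reason (a status report that must surface a locally modified database regardless of user configuration). Passing a bare `true` literal also hides that intent from readers of the call; a named constant or a dedicated method such as `validateAlways()` (hypothetical name) would make the override self-documenting.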
I think this makes it so `grype db status` always validates the checksum, so that it can report if the db has been edited since it was fetched. Is that right?
If so, minor nit, the comment should say something like "`grype db status` should always validate"; right now the comment doesn't tell me why we're not passing the config setting.
righto -- I'll incorporate into another followup PR (this was automerged)
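The point in the thread above is that a status command should hash the database on disk and compare it with the digest recorded at fetch time no matter what the user's validation setting says, because its job is to report local tampering. The following Go program is an added illustration of that check and is not grype's code: the `Metadata` and `DBStatus` types, the `sha256:<hex>` digest format, the file name and the function names are all assumptions made for the example, and the database contents are a constructed sample.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// Metadata is a hypothetical stand-in for what a fetcher records about a
// downloaded database: where it lives and the digest it had when fetched.
type Metadata struct {
	Path   string // path to the database file
	Digest string // "sha256:<hex>" recorded at fetch time
}

// DBStatus is the result a status command would report.
type DBStatus struct {
	Digest string // digest actually computed from the file now
	Valid  bool   // true only when the file still matches Metadata.Digest
	Err    error
}

// fileDigest hashes the whole file with SHA-256 and returns "sha256:<hex>".
func fileDigest(path string) (string, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(data)
	return "sha256:" + hex.EncodeToString(sum[:]), nil
}

// Validate compares the file on disk with the recorded digest. The user's
// "validate checksum" configuration is deliberately not consulted here (the
// equivalent of passing true unconditionally): a status report exists to
// surface a modified database, so honouring a setting that skips the check
// would hide exactly the condition the command is meant to detect.
func Validate(md Metadata) DBStatus {
	actual, err := fileDigest(md.Path)
	if err != nil {
		return DBStatus{Err: err}
	}
	if actual != md.Digest {
		return DBStatus{
			Digest: actual,
			Valid:  false,
			Err:    errors.New("database digest mismatch: file changed since it was fetched"),
		}
	}
	return DBStatus{Digest: actual, Valid: true}
}

// Demo writes a constructed database file into dir, records its digest,
// edits the file in place, and validates before and after the edit.
// It returns (validBefore, validAfter, error).
func Demo(dir string) (bool, bool, error) {
	path := filepath.Join(dir, "vulnerability.db") // constructed sample, not a real grype DB
	if err := os.WriteFile(path, []byte("constructed sample database contents"), 0o600); err != nil {
		return false, false, err
	}
	d, err := fileDigest(path)
	if err != nil {
		return false, false, err
	}
	md := Metadata{Path: path, Digest: d}
	before := Validate(md)

	// Simulate a local modification after the fetch.
	if err := os.WriteFile(path, []byte("constructed sample database contents, edited"), 0o600); err != nil {
		return false, false, err
	}
	after := Validate(md)
	return before.Valid, after.Valid, nil
}

func main() {
	dir, err := os.MkdirTemp("", "dbstatus")
	if err != nil {
		fmt.Println(err)
		return
	}
	defer os.RemoveAll(dir)
	before, after, err := Demo(dir)
	fmt.Printf("valid before edit: %v, valid after edit: %v, err: %v\n", before, after, err)
}
```

Running it prints that the file validates before the edit and fails afterwards; the design choice worth copying is that `Validate` takes no "skip" flag at all, so a configuration option cannot turn the status check into a no-op.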
This PR makes adjustments to the v6 schema + supporting code from previous PRs, specifically:

- `latest.json` file flat (no nested objects)

This PR also introduces the ability to import both v6 and v5 schemas at once (since import now functions in both contexts), which requires disabling the static analysis check for cross-import of schemas.