Draft: add BellSoft family of OS #3264
coupled with anchore/vunnel#924
Alpaquita Linux
Signed-off-by: Ildar Mulyukov <ildar.mulyukov@bell-sw.com>
BellSoft Hardened Containers
Signed-off-by: Ildar Mulyukov <ildar.mulyukov@bell-sw.com>
enable OSV ecosystems:
* Alpaquita
* BellSoft Hardened Containers
Signed-off-by: Ildar Mulyukov <ildar.mulyukov@bell-sw.com>
    aphs = append(aphs, db.AffectedPackageHandle{
        Package:   bellsoftPackage(affected.Package),
        BlobValue: &db.PackageBlob{
            CVEs: vuln.Aliases, // FIXME: should be `vuln.Upstream`
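Review bot: `CVEs: vuln.Aliases` copies the entire alias list into a field named CVEs without restricting it to CVE identifiers, so any non-CVE alias an advisory carries would end up recorded as a CVE; filter on the `CVE-` prefix at least, and keep the FIXME in place until the upstream field is available in the models so the intended source of the "root" CVE is not lost.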
The upstream field is not supported in "github.com/google/osv-scanner/pkg/models".
I don't understand this comment. Can you elaborate a bit?
sure.
https://ossf.github.io/osv-schema/#upstream-field
It is advised to use it for a "root" CVE, but the "github.com/google/osv-scanner/pkg/models" structures do not have it (yet).
willmurphyscode left a comment
I had a few inline comments.
This needs some dbtest style matching behavior unit tests before it can be merged. #3418 has some examples, and some other recent PRs. These unit tests are also a great way to get a sense of whether matching works end to end or not.
    }

    func AndConstraints(c ...string) string {
        return strings.Join(c, " ")
This change isn't correct, for example you can see it breaks unit tests for another OSV provider: https://github.com/anchore/grype/actions/runs/25853467114/job/76529191535?pr=3264#step:4:108
I think the arguments passed to AndConstraint are wrong in the BellSoft case?
this is to fix anchore/vunnel#924 (comment)
The fix is incomplete/incorrect and needs to be fixed in its order.
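As an added illustration of the breakage discussed above (example code, not grype's or vunnel's own implementation), the following self-contained Go program contrasts a comma-joined AND expression with the space-joined form this PR introduced in the shared helper, and shows why a consumer that splits AND constraints on commas stops seeing two constraints. The `", "` separator, the `splitConstraints` consumer, the `validConstraint` shape check and the sample version bounds are all assumptions constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// andConstraints joins per-version constraints into one AND expression with a
// comma; this example assumes that is the convention the other OSV providers'
// unit tests rely on.
func andConstraints(c ...string) string {
	return strings.Join(c, ", ")
}

// spaceJoined reproduces the separator change from the PR for comparison.
func spaceJoined(c ...string) string {
	return strings.Join(c, " ")
}

// splitConstraints is a minimal consumer: it splits an AND expression on
// commas, so a space-joined expression comes back as a single item.
func splitConstraints(expr string) []string {
	var out []string
	for _, part := range strings.Split(expr, ",") {
		if p := strings.TrimSpace(part); p != "" {
			out = append(out, p)
		}
	}
	return out
}

// validConstraint checks the shape "<op> <version>" with one version token
// and no operator characters inside the version.
func validConstraint(c string) bool {
	c = strings.TrimSpace(c)
	// two-character operators are tested first so ">=" is not read as ">"
	for _, op := range []string{">=", "<=", "!=", ">", "<", "="} {
		if strings.HasPrefix(c, op) {
			ver := strings.TrimSpace(strings.TrimPrefix(c, op))
			return ver != "" && !strings.ContainsAny(ver, " <>=!")
		}
	}
	return false
}

// allValid reports whether expr parses into at least one well-formed constraint.
func allValid(expr string) bool {
	parts := splitConstraints(expr)
	if len(parts) == 0 {
		return false
	}
	for _, p := range parts {
		if !validConstraint(p) {
			return false
		}
	}
	return true
}

func main() {
	// constructed inputs: a lower and an upper bound for one package
	lower, upper := ">= 1.0.0", "< 2.0.0"
	for _, expr := range []string{andConstraints(lower, upper), spaceJoined(lower, upper)} {
		fmt.Printf("%-22q parts=%d valid=%v\n", expr, len(splitConstraints(expr)), allValid(expr))
	}
}
```

The comma-joined expression yields two valid constraints, while the space-joined one collapses into a single constraint whose "version" contains a second operator, which is the kind of failure the other provider's tests surface. Whatever BellSoft records need, a provider-specific join keeps the shared helper's behaviour intact for everyone else.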
    CentOS    Type = "centos"
    Fedora    Type = "fedora"
    Alpine    Type = "alpine"
    Alpaquita Type = "alpaquita"
Can you help me understand the relationship between alpaquita and bellsoft hardened containers? It looks like they're both in OSV but with overlap and the same vendor prefix? https://osv.dev/list?ecosystem=Alpaquita and https://osv.dev/list?ecosystem=BellSoft+Hardened+Containers ?
It looks like they're two different distros, and we should just model them as two different distros; their relationship is just that the same company works on them?
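As an added example (not code from this PR, grype or vunnel), the following self-contained Go program ties together two points from this thread: taking CVE IDs from an OSV record's `upstream` field when the decoder exposes it, falling back to CVE-shaped `aliases` otherwise, and modelling the two BellSoft ecosystems as two distinct distro types that merely share a vendor. Only the `BELL-` ID prefix and the `alpaquita` type value come from the PR; the `osvRecord` type, the `bellsoft-hardened-containers` type name and the sample advisory are assumptions constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// osvRecord is a hand-rolled subset of the OSV schema (an assumption of this
// example), declared locally because the osv-scanner models used by the PR
// lack the "upstream" field.
type osvRecord struct {
	ID       string        `json:"id"`
	Aliases  []string      `json:"aliases"`
	Upstream []string      `json:"upstream"`
	Affected []osvAffected `json:"affected"`
}

type osvAffected struct {
	Package struct {
		Ecosystem string `json:"ecosystem"`
		Name      string `json:"name"`
	} `json:"package"`
}

// Distro type names: "alpaquita" is the value from the PR, the hardened
// containers name is an assumption for this example.
const (
	Alpaquita                  = "alpaquita"
	BellSoftHardenedContainers = "bellsoft-hardened-containers"
)

// isBellSoftID mirrors the PR's check: BellSoft advisories carry "BELL-" IDs.
func isBellSoftID(id string) bool {
	return strings.HasPrefix(id, "BELL-")
}

// distroForEcosystem maps each OSV ecosystem to its own distro type; the two
// ecosystems are modelled as separate distros despite the shared vendor.
func distroForEcosystem(ecosystem string) (string, bool) {
	switch ecosystem {
	case "Alpaquita":
		return Alpaquita, true
	case "BellSoft Hardened Containers":
		return BellSoftHardenedContainers, true
	}
	return "", false
}

// cveIDs returns the CVEs to attach to an affected package: the "root" CVEs
// from upstream when present, otherwise CVE-shaped aliases. Non-CVE aliases
// (for example GHSA IDs) are never placed in a CVE list.
func cveIDs(r osvRecord) []string {
	src := r.Upstream
	if len(src) == 0 {
		src = r.Aliases
	}
	var out []string
	for _, id := range src {
		if strings.HasPrefix(id, "CVE-") {
			out = append(out, id)
		}
	}
	return out
}

// parseRecord decodes one OSV JSON document into osvRecord.
func parseRecord(doc []byte) (osvRecord, error) {
	var r osvRecord
	if err := json.Unmarshal(doc, &r); err != nil {
		return osvRecord{}, err
	}
	return r, nil
}

// sampleRecord is a constructed advisory, not a real BellSoft record.
const sampleRecord = `{
  "id": "BELL-0000-0001",
  "aliases": ["CVE-0000-0001", "GHSA-xxxx-xxxx-xxxx"],
  "upstream": ["CVE-0000-0002"],
  "affected": [
    {"package": {"ecosystem": "Alpaquita", "name": "example-pkg"}},
    {"package": {"ecosystem": "BellSoft Hardened Containers", "name": "example-pkg"}}
  ]
}`

func main() {
	r, err := parseRecord([]byte(sampleRecord))
	if err != nil {
		panic(err)
	}
	fmt.Println("bellsoft:", isBellSoftID(r.ID), "cves:", cveIDs(r))
	for _, a := range r.Affected {
		distro, ok := distroForEcosystem(a.Package.Ecosystem)
		fmt.Printf("%s -> %s (%v)\n", a.Package.Ecosystem, distro, ok)
	}
}
```

The fallback in `cveIDs` is what the FIXME in the diff is reaching for: once the models grow an upstream field, the "root" CVE comes from there, and until then the alias list is filtered rather than copied wholesale into a CVE field.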
        return strings.HasPrefix(id, "BELL-")
    }

    func (bellsoftStrategy) Transform(vuln unmarshal.OSVVulnerability, state provider.State) ([]data.Entry, error) {
This needs some unit tests asserting what the results of this transformation are. transform_bellsoft_test.go should be added.