grype v0.71.0 stopped showing vulnerabilities for Go stdlib #1562
Comments
Regarding CVE-2023-44487, we've also noticed that this is happening after upgrading Grype from Setting As a note, we tried to use
I can confirm the same behavior since
Seems to be caused by this change; defaults for using CPEs to match vulnerabilities have been changed for Java, Dotnet, Golang, Javascript, Python, Ruby and Rust: v0.70.0...v0.71.0#diff-2ef22c527f0a8b6e3af2cc896fac4a1356a1bb57be37773e0e57f059f8db5464R21
Correct, we have disabled CPE matching by default except for the stock matcher (which is used when there is not a specific way to search for the given package type). You can override this behavior with a
The reasoning and benefits for changing the default behavior are described here: https://anchore.com/blog/say-goodbye-to-false-positives/ . Shout out if you have any questions about this! In terms of the golang stdlib matching described in this issue, I'll be adding an exception for this case in an upcoming PR (writing the tests now).
@visomar @jiri-muller can you provide additional details to help reproduce the issue (an artifact or an SBOM snippet to help reproduce the issue) and open up new issues to track? This issue describes a specific case for the
Thanks for the explanation and link @wagoodman !
@wagoodman Thank you, I have created a dedicated issue: #1568
What happened:
grype v0.70.0 enabled go stdlib matching (#1550).
In grype v0.71.0 the go stdlib vulnerabilities no longer appear by default. Adding
match.golang.using-cpes: true
seems to return this behavior.
What you expected to happen:
Expected the same behavior in grype v0.71.0 as was introduced in v0.70.0
How to reproduce it (as minimally and precisely as possible):
Anything else we need to know?:
Environment:
Output of grype version:
OS (e.g: cat /etc/os-release or similar):