move sample data into grype-db project; conditionally emit almalinux->rhel alias on absence of almalinux specific data #592
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
9636a97 to
c4a7996
Compare
c48aeaa to
1307a73
Compare
willmurphyscode
commented
Aug 29, 2025
pkg/process/v6/writer.go
Outdated
| } | ||
|
|
||
| // populateInitialOverrides populates the database with initial OS and package specifier overrides | ||
| func (w *writer) populateInitialOverrides() error { |
There was a problem hiding this comment.
note to self: does this do anything to remove aliases put in by grype in https://github.com/anchore/grype/blob/main/grype/db/v6/data.go#L10? Need to think about release safety - should be able to go out before or after corresponding grype change.
4718c6e to
db87ae9
Compare
Signed-off-by: Will Murphy <[email protected]>
Because it is unknown at compile time whether running `grype-db pull` will execute a RHEL provider that emits AlmaLinux vulnerabilities as well, and because if grype has neither the AlmaLinux specific vulnerabilities nor the alias, matching on AlmaLinux systems will be very incorrect, detect and db build time whether there are AlmaLinux vulnerabilities present and emit the AlmaLinux->RHEL alias if they are not. Signed-off-by: Will Murphy <[email protected]>
Otherwise, for grype-db to conditionally add aliases, such as aliasing almalinux to RHEL if no almalinux data is available from Vunnel, grype-db will be modifying hard-coded data that exists in grype. Signed-off-by: Will Murphy <[email protected]>
Signed-off-by: Will Murphy <[email protected]>
This is a cleaner implementation, rather than writing the alias data initially and then correcting it, just write it once, late enough in the build that alma vulnerabilities will already be in the database or not. Signed-off-by: Will Murphy <[email protected]>
db87ae9 to
aecfb15
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is part of work for anchore/grype#2745
This is a workaround necessitated by the approached taken in anchore/vunnel#826. That PR makes the vunnel RHEL provider sometimes emit AlmaLinux vulns in addition to RHEL vulns, which Grype DB previously had no code to handle.