What would you like to be added:
Clear feedback that a package will never match anything Grype knows about.
Why is this needed:
A user can identify potential security issues in cases when Grype does not report vulnerabilities.
Additional context:
When scanning certain sources, such as openSUSE, Grype cannot match the RPM entries because there is no namespace in the database for it. As an example, if we scan with:
grype opensuse/leap:15.0 -vv
Grype does not have a namespace for openSUSE and the RPM records are effectively skipped. When running with debug logging, we see messages like this:
[0008] DEBUG no vulnerability namespaces found in grype database for distro=opensuseleap 15.0 package=perl
This is because the RPM type has a specific matcher that knows how to handle entries for specific distros, but not for this distro. It's possible the entries could be attempted by a different matcher, but in this case they aren't, and it would be good to know with some sort of clearer message that this package is never going to match anything, perhaps by some indication from each matcher attempted that it is skipped rather than just having 0 vulnerabilities.
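Until the matcher reports "skipped" distinctly from "0 vulnerabilities", the debug line above is the only signal. The following is an added example (not Grype's code) that scans `grype -vv` output for that line and lists, per distro, the packages that were never matched against any namespace; the log sample is constructed in the shape of the line quoted above.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Matches the debug line Grype emits when a package's distro has no
// vulnerability namespace in the database (shape taken from the issue).
// The distro value can contain a space ("opensuseleap 15.0"), so it is
// matched lazily up to the " package=" separator.
var noNamespaceRe = regexp.MustCompile(`no vulnerability namespaces found in grype database for distro=(.+?) package=(\S+)`)

// SkippedPackages scans grype -vv log output and returns, per distro, the
// sorted, de-duplicated list of packages skipped for lack of a namespace.
func SkippedPackages(log string) map[string][]string {
	seen := map[string]map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		m := noNamespaceRe.FindStringSubmatch(sc.Text())
		if m == nil {
			continue // unrelated log line
		}
		distro, pkg := m[1], m[2]
		if seen[distro] == nil {
			seen[distro] = map[string]bool{}
		}
		seen[distro][pkg] = true
	}
	out := map[string][]string{}
	for distro, pkgs := range seen {
		for p := range pkgs {
			out[distro] = append(out[distro], p)
		}
		sort.Strings(out[distro])
	}
	return out
}

// Constructed sample log: two skipped packages (one repeated) plus noise.
const sampleLog = `[0007] DEBUG loading vulnerability database
[0008] DEBUG no vulnerability namespaces found in grype database for distro=opensuseleap 15.0 package=perl
[0008] DEBUG no vulnerability namespaces found in grype database for distro=opensuseleap 15.0 package=bash
[0008] DEBUG no vulnerability namespaces found in grype database for distro=opensuseleap 15.0 package=perl
[0009] DEBUG found 0 vulnerabilities for package=curl`

func main() {
	for distro, pkgs := range SkippedPackages(sampleLog) {
		fmt.Printf("distro %q: %d package(s) never matched: %v\n", distro, len(pkgs), pkgs)
	}
}
```

A non-empty result means the scan's "no vulnerabilities" for those packages is not evidence of anything, which is exactly the ambiguity this issue asks Grype to surface itself.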