feat: enable more OSV ecosystems #869

Closed
i-bs wants to merge 2 commits into anchore:main from i-bs:main

i-bs commented Feb 8, 2026

  • Alpaquita
  • BellSoft Hardened Containers

fix: conjunction-ed constraints must be comma-delimited

Note: coupled with anchore/vunnel#924

i-bs added 2 commits February 9, 2026 03:13
Signed-off-by: Ildar Mulyukov <ildar.mulyukov@bell-sw.com>
* Alpaquita
* BellSoft Hardened Containers

Signed-off-by: Ildar Mulyukov <ildar.mulyukov@bell-sw.com>

Author

i-bs commented Feb 8, 2026

@willmurphyscode , plz check


func AndConstraints(c ...string) string {
return strings.Join(c, " ")
return strings.Join(c, ", ")
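
Review bot: The new separator in the return of AndConstraints applies to every existing caller, and the TestTransform output posted in this thread shows the Bitnami constraint going from ">=2.4.32,<=2.4.43" to ">=2.4.32,,<=2.4.43", so at least one caller already ends up with its own comma between the parts. Either normalize each element before joining (trim surrounding whitespace and any leading or trailing comma, and skip empty elements) or change the callers that add the comma themselves, and update the expected values in transform_test.go in the same commit. A doc comment on AndConstraints stating the delimiter it emits and what it expects of its inputs would keep the next OSV provider from hitting the same mismatch.
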
Contributor

I'm not certain I understand this change, which is the reason why tests are failing

Contributor

--- FAIL: TestTransform (0.00s)
    transform_test.go:302: data entries mismatch (-want +got):
          []transformers.RelatedEntries{
                {
                        VulnerabilityHandle: &{Name: "BIT-apache-2020-11984", Status: "active", PublishedDate: &s"2024-03-06 10:57:57.77 +0000 UTC", ModifiedDate: &s"2025-01-17 15:26:01.971 +0000 UTC", ...},
                        Provider:            nil,
                        Related: []any{
                                v6.AffectedPackageHandle{
                                        ... // 6 identical fields
                                        Package: &{Ecosystem: "Bitnami", Name: "apache"},
                                        BlobID:  0,
                                        BlobValue: &v6.PackageBlob{
                                                CVEs:       {"CVE-2020-11984"},
                                                Qualifiers: nil,
                                                Ranges: []v6.Range{
                                                        {
                                                                Version: v6.Version{
                                                                        Type:       "bitnami",
        -                                                               Constraint: ">=2.4.32,<=2.4.43",
        +                                                               Constraint: ">=2.4.32,,<=2.4.43",
                                                                },
                                                                Fix: nil,
                                                        },
                                                },
                                        },
                                },
                        },
                },
          }

Author

@wagoodman , thanks for looking into this.

  1. the reason is here: providers: add BellSoft OSV provider vunnel#924 (comment)
  2. the test is easy to fix, I'll push the fix soon. But before that I wanted @willmurphyscode to take a look.

@wagoodman
Contributor

just a heads up -- we've ported much of the lib code to grype. This PR was a little up in the air, so I did not port it over. Sorry for any hassle!

@willmurphyscode
Contributor

Hi @i-bs we are moving this transformer logic into grype and will end up changing some other things as well. In particular, there are several in flight vunnel providers (yours, CRAN, openEuler, probably others) that all put pressure on this transformer. I think rather than asking each contributor to make separate competing fixes to the OSV transformer, I'm going to take some time to make sure it correctly processes OSV output from these upcoming vulnerability providers. Please be patient with me! This takes some coordination between different repos and PRs.

Given that, I think it makes sense to close this PR, and I'll let you know if I need any changes on anchore/vunnel#924

Thanks!
