
feat: ignore overlapping fixed vulns for rpm + more #3326

Open
kzantow wants to merge 24 commits into anchore:main from kzantow-anchore:feat/ignore-rpm-fixed

Conversation


@kzantow kzantow commented Mar 30, 2026

This PR is a follow-on to apply changes from #3286 and #3282 across other matchers. This PR (as well as the alternate implementation in #3304) has the result of fixing quite a lot of the reported SLES issues where we have fixed information for specific RPM packages but the Python or other language packages erroneously result in the same vulnerability.

An example using SLES 15.6 and urllib3 (with docker build -t suse-overlap:latest):

FROM registry.suse.com/suse/sle15:15.6
RUN zypper in -y --no-recommends python311-urllib3=2.0.7-150400.7.21.1

Based on the vulnerabilities in the Grype database for 15.6:

$ grype db search python311-urllib3 --distro sles:15.6   
VULNERABILITY   PACKAGE            ECOSYSTEM  NAMESPACE              VERSION CONSTRAINT       
CVE-2016-9015   python311-urllib3  rpm        sles:distro:sles:15.6  < 0:2.0.7-150400.7.11.1  
CVE-2018-20060  python311-urllib3  rpm        sles:distro:sles:15.6  < 0:2.0.7-150400.7.11.1  
CVE-2019-11236  python311-urllib3  rpm        sles:distro:sles:15.6  < 0:2.0.7-150400.7.11.1  
CVE-2019-11324  python311-urllib3  rpm        sles:distro:sles:15.6  < 0:2.0.7-150400.7.11.1  
CVE-2019-9740   python311-urllib3  rpm        sles:distro:sles:15.6  < 0:2.0.7-150400.7.11.1  
CVE-2020-26137  python311-urllib3  rpm        sles:distro:sles:15.6  < 0:2.0.7-150400.7.11.1  
CVE-2021-33503  python311-urllib3  rpm        sles:distro:sles:15.6  < 0:2.0.7-150400.7.11.1  
CVE-2023-43804  python311-urllib3  rpm        sles:distro:sles:15.6  < 0:2.0.7-150400.7.11.1  
CVE-2023-45803  python311-urllib3  rpm        sles:distro:sles:15.6  < 0:2.0.7-150400.7.11.1  
CVE-2024-37891  python311-urllib3  rpm        sles:distro:sles:15.6  < 0:2.0.7-150400.7.18.1  
CVE-2025-50181  python311-urllib3  rpm        sles:distro:sles:15.6  < 0:2.0.7-150400.7.21.1

Current grype reports:

$ grype -v suse-overlap:latest --by-cve -q | grep urllib3
urllib3                     2.0.7                  2.2.2                                                   python     CVE-2024-37891       Medium    0.3% (49th)    0.1    
urllib3                     2.0.7                  2.5.0                                                   python     CVE-2025-50181       Medium    < 0.1% (23rd)  < 0.1  
urllib3                     2.0.7                  2.6.0                                                   python     CVE-2025-66418       High      < 0.1% (9th)   < 0.1  
urllib3                     2.0.7                  2.6.0                                                   python     CVE-2025-66471       High      < 0.1% (8th)   < 0.1  
urllib3                     2.0.7                  2.6.3                                                   python     CVE-2026-21441       High      < 0.1% (7th)   < 0.1  

This branch reports:

$ go run ./cmd/grype -v suse-overlap:latest --by-cve -q | grep urllib3
urllib3                     2.0.7                  2.6.0                                                   python     CVE-2025-66418       High      < 0.1% (9th)   < 0.1  
urllib3                     2.0.7                  2.6.0                                                   python     CVE-2025-66471       High      < 0.1% (8th)   < 0.1  
urllib3                     2.0.7                  2.6.3                                                   python     CVE-2026-21441       High      < 0.1% (7th)   < 0.1  

Note the removal of:

urllib3                     2.0.7                   2.2.2                          python     CVE-2024-37891       Medium    0.3% (49th)    0.1    
urllib3                     2.0.7                   2.5.0                          python     CVE-2025-50181       Medium    < 0.1% (7th)   < 0.1  

These 2 vulnerabilities are reported in the SUSE data as fixed.

Fixes: #3368

kzantow and others added 5 commits April 10, 2026 18:39
…rror

Signed-off-by: Keith Zantow <kzantow@gmail.com>
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Previously, vunnel dropped records in OS schema providers when the
record indicated a package was not affected, since that could not result
in a match. However, in order to suppress false positives in the case
where a distro has recorded a package is not affected, and that package
brings in a language package (npm, PyPI, etc), these records are
forwarded by vunnel as if fixed at "version 0". In Grype, take version 0
FixedIn records and transform them into Unaffected Packages in the
database.

Notably, skip doing this for APKs, since Alpine already has a separate
system of NAKs built around forwarding the APK "< 0" versions.

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
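As an added illustration (not code from this PR or from grype or vunnel themselves), the Go sketch below models the two behaviours this page describes: the commit message's rewrite of version-0 FixedIn records into unaffected packages (skipped for apk), and the suppression of a language-package match whose owning RPM has fix data for the same CVE, run over the SLES 15.6 / urllib3 numbers from the PR description. Record, Match, normalizeRecords, suppressOverlapping, sampleSLES and the OwnerPkg field are assumed names for this sketch; the real matcher's package-ownership and version-comparison logic is more involved.

```go
package main
// Record is a constructed distro record; vunnel forwards "not affected" as FixedIn "0".
type Record struct {
	ID, Pkg, Ecosystem, FixedIn string
	Unaffected                 bool
}

// normalizeRecords rewrites version-0 FixedIn records in place as Unaffected,
// skipping apk, which keeps Alpine's own "< 0" NAK convention.
func normalizeRecords(recs []Record) []Record {
	for i, r := range recs {
		if r.FixedIn == "0" && r.Ecosystem != "apk" {
			recs[i].Unaffected, recs[i].FixedIn = true, ""
		}
	}
	return recs
}

// Match is a constructed candidate match; OwnerPkg is the distro package that installed it, or "".
type Match struct{ ID, Pkg, Ecosystem, OwnerPkg string }

// suppressOverlapping drops a language-package match when its owning distro
// package has fix or not-affected data for the same vulnerability ID.
func suppressOverlapping(matches []Match, distro []Record) []Match {
	resolved := map[string]bool{}
	for _, r := range normalizeRecords(distro) {
		if r.FixedIn != "" || r.Unaffected {
			resolved[r.ID+"|"+r.Pkg] = true
		}
	}
	kept := []Match{}
	for _, m := range matches {
		if m.OwnerPkg == "" || !resolved[m.ID+"|"+m.OwnerPkg] {
			kept = append(kept, m)
		}
	}
	return kept
}

// sampleSLES runs the filter over data constructed from this page's SLES 15.6 output:
// two RPM fix records, and the five CVEs current grype reports for urllib3 2.0.7.
func sampleSLES() []Match {
	distro := []Record{
		{"CVE-2024-37891", "python311-urllib3", "rpm", "0:2.0.7-150400.7.18.1", false},
		{"CVE-2025-50181", "python311-urllib3", "rpm", "0:2.0.7-150400.7.21.1", false}}
	var matches []Match
	for _, id := range []string{"CVE-2024-37891", "CVE-2025-50181", "CVE-2025-66418", "CVE-2025-66471", "CVE-2026-21441"} {
		matches = append(matches, Match{id, "urllib3", "python", "python311-urllib3"})
	}
	return suppressOverlapping(matches, distro)
}
```

sampleSLES returns only the three CVEs the branch output above still lists; the two with SUSE fix data for the owning RPM are dropped.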
Signed-off-by: Keith Zantow <kzantow@gmail.com>
kzantow added 4 commits April 24, 2026 09:37
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Signed-off-by: Keith Zantow <kzantow@gmail.com>
@kzantow kzantow marked this pull request as ready for review April 24, 2026 17:22
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Successfully merging this pull request may close these issues.

Expand ignore rules to owned sub packages of distro packages