fixfilter

command module
v0.0.0-...-a23a5ac Latest
Published: Feb 1, 2024 License: Apache-2.0 Imports: 13 Imported by: 0

README

fixfilter (ARCHIVED)

WARNING: This project is no longer maintained and should not be used. This tool has been obviated by first-class support for Wolfi in Trivy and Grype.

Apply Wolfi's secfixes data to vulnerability scanner results

Installation

  1. Clone the repo.
git clone git@github.com:chainguard-dev/fixfilter.git
  2. Install the Go binary.
cd ./fixfilter && go install

Usage

fixfilter takes as input vulnerability scan result data in any of the following formats:

  • Trivy's SARIF output (trivy ... -f sarif)
  • Grype's SARIF output (grype ... -o sarif)
  • Grype's native JSON output (grype ... -o json)
  • Grype's default table output (grype ...)

If you have result data saved to a local file, you can provide the local path:

# E.g., let's assume you've run a command like this:
grype cgr.dev/chainguard/ko -o json > ko.grype.json

# To filter these results with Wolfi's fix data:
fixfilter ./ko.grype.json

Or, you can just pipe scanner result data directly into fixfilter, by specifying - as the input arg:

grype cgr.dev/chainguard/ko -o json | fixfilter -

Known limitations

Applying fixes to apk subpackages

With Wolfi, as in the Alpine ecosystem, subpackages (i.e. packages that declare another package as their "origin") do not have their own fix data in the secdb. Instead, fix information is found by searching the secdb for the package's origin.

Unfortunately, not all vulnerability scanner output includes this "origin" data. Currently, only Grype's native JSON output provides this information. Thus, when using other data formats, fixfilter isn't able to correctly mark subpackages as fixed.

Distinguishing between Wolfi and non-Wolfi packages

fixfilter filters vulnerability results using Wolfi's secdb. This fix data describes vulnerability fixes for Wolfi packages only. It is invalid to apply this fix data to non-Wolfi packages, such as Alpine packages.

However, not all vulnerability scanner output describes the distro for the packages in the output. Currently, only Grype's native JSON output reports distro information. For this format, fixfilter can detect when you've supplied vulnerability scan data for the wrong distro and proactively error out, to prevent a misleading report about which vulnerabilities have been fixed. But for other data formats, fixfilter will blindly apply the Wolfi fix data to input data, regardless of whether the input data describes Wolfi packages.
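The two checks described under Known limitations, as an added example (not fixfilter's own code) applied to Grype's native JSON: a subpackage is resolved to its origin before the secdb is consulted, and a report whose distro is not Wolfi is refused. The secdb shape follows the Alpine/Wolfi security.json layout; the Grype field names (distro.name, artifact.metadata.originPackage), the sample data and the simplified apk version comparison are assumptions of this example.

```python
"""Apply Wolfi secdb fix data to a Grype native-JSON report (added example, not fixfilter's code)."""

# Constructed sample of the secdb layout (security.json): per package, fixed version -> ids.
# Package names and vulnerability ids are placeholders, not real Wolfi advisories.
SECDB = {"packages": [{"pkg": {"name": "curl", "secfixes": {"8.5.0-r0": ["CVE-0000-0001"]}}}]}

# Constructed subset of Grype's native JSON. Only this format carries "distro" and the apk
# "originPackage" field that ties a subpackage to its origin (field names are assumed).
REPORT = {
    "distro": {"name": "wolfi"},
    "matches": [
        {"artifact": {"name": "libcurl", "version": "8.5.0-r1",
                      "metadata": {"originPackage": "curl"}},
         "vulnerability": {"id": "CVE-0000-0001"}},  # origin fix 8.5.0-r0 <= installed: fixed
        {"artifact": {"name": "libcurl", "version": "8.4.0-r0",
                      "metadata": {"originPackage": "curl"}},
         "vulnerability": {"id": "CVE-0000-0001"}},  # older than the fix: still open
        {"artifact": {"name": "curl", "version": "8.5.0-r1", "metadata": {}},
         "vulnerability": {"id": "CVE-0000-0002"}},  # no secdb entry: still open
    ],
}


def apk_key(version):
    """Sort key for plain X.Y.Z-rN apk versions; suffixes such as _p1 are not handled."""
    base, _, rel = version.partition("-r")
    return tuple(int(p) for p in base.split(".")), int(rel or 0)


def is_wolfi_report(report):
    """True only when the report says its packages are Wolfi packages."""
    return (report.get("distro") or {}).get("name") == "wolfi"


def fixed_matches(secdb, report):
    """Return (package, id) pairs whose secdb fix is at or below the installed version.
    Subpackages are looked up under their origin, where the secdb records the fix."""
    if not is_wolfi_report(report):
        raise ValueError("report is not for Wolfi packages; refusing to apply Wolfi fix data")
    fixes = {p["pkg"]["name"]: p["pkg"]["secfixes"] for p in secdb["packages"]}
    fixed = []
    for m in report["matches"]:
        art, vuln_id = m["artifact"], m["vulnerability"]["id"]
        origin = (art.get("metadata") or {}).get("originPackage") or art["name"]
        installed = apk_key(art["version"])
        if any(vuln_id in ids and installed >= apk_key(ver)
               for ver, ids in fixes.get(origin, {}).items()):
            fixed.append((art["name"], vuln_id))
    return fixed
```

With the SARIF or table formats neither the origin nor the distro is available, which is exactly why those inputs cannot get these two checks.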

Documentation

There is no documentation for this package.

Directories

Path Synopsis
pkg
