Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

some non-PEP440 version constraints for GHSA python packages in grype-db #2229

Open
willmurphyscode opened this issue Oct 31, 2024 · 1 comment
Open

some non-PEP440 version constraints for GHSA python packages in grype-db #2229

willmurphyscode opened this issue Oct 31, 2024 · 1 comment
Labels
bug Something isn't working needs-discussion

Comments

@willmurphyscode
Copy link
Contributor

willmurphyscode commented Oct 31, 2024
edited
Loading

Hello,
I'm facing the same issue with grype 0.83.0
[0222] ERROR failed to inflate vulnerability record (by language): failed to parse constraint='>=1.7.0,<1.9.0ubuntu1.2' format='Python': unable to parse pep440 constrain phrase failed to create comparator for '&{< 1.9.0ubuntu1.2}': unable to parse

Originally posted by @de4Ru in #2195 (comment)

edit: here's an example of the records that can't be inflated:

SELECT 
    id, namespace, version_constraint 
FROM vulnerability 
WHERE
     version_constraint like "%0ubuntu1%" and namespace like "%python%";'

against a current grype db produces:

id namespace version_constraint
GHSA-pj65-3pf6-c5q4 github:language:python >=1.7.0,<1.9.0ubuntu1.2
GHSA-rp8m-h266-53jh github:language:python >=1.7.0,<1.9.0ubuntu1.2
@willmurphyscode willmurphyscode mentioned this issue Oct 31, 2024
Closed
@willmurphyscode willmurphyscode added the bug Something isn't working label Oct 31, 2024
@willmurphyscode
Copy link
Contributor Author

I've added needs-discussion for a couple reasons:

First, it was specifically requested (for similar issue #2195) on discourse, and second, there are a few aspects to the right approach here: Upstream data vendors can (and do) publish data that doesn't conform to what we'd expect (in this case a version string that seems not to be PEP440 compliant on a python package, or a version string for an APK package that doesn't conform to what that tooling expects in the case of #2195), so there are a few things we could do when seeing data like this:

  1. Drop the record at DB build time - this has the drawback that there might be false negatives, so we probably shouldn't do this if we can help it.
  2. Try to normalize the record at DB build time
  3. Fall back to other ways of trying to parse the version, for example trying to regex it to semver, and eventually falling back to string sorting
  4. Try to make Grype more permissive in the kinds of version comparisons it can do.
  5. Make grype isolate version parse failures completely from the rest of the matching process (we should probably due this anyway, and there's some of this done now)

The discussion is to explore these options and try to agree on some next steps.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working needs-discussion
Projects
OSS
Status: No status
Milestone
No milestone
Development

No branches or pull requests
1 participant
@willmurphyscode