
fix: Remove CPE product candidates for phf, prometheus, hyper and Rust crates #3967


Merged
merged 1 commit into from
Jun 6, 2025

Conversation

jayvdb (Contributor) commented Jun 5, 2025

Description

An extension of #3962, avoiding CPE matches of Rust crates with non-Rust CPEs in order to avoid matching of CVEs in the non-Rust software.

Type of change

  • Bug fix (non-breaking change which fixes an issue)

Checklist:

  • I have added unit tests that cover changed behavior
  • I have tested my code in common scenarios and confirmed there are no regressions
  • I have added comments to my code, particularly in hard-to-understand sections

Signed-off-by: John Vandenberg <jayvdb@gmail.com>
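As an added illustration of the kind of candidate filtering this description refers to, the following stand-alone Go sketch drops, for a Rust crate, any generated CPE candidate whose product name is one of the colliding names named in the PR title (phf, prometheus, hyper) unless the CPE's target_sw field explicitly marks it as Rust. This is example code written for this page; it is not syft's cpe_generate code and uses none of syft's types or API. The Package type, the "rust-crate" type string, the denylist, the target_sw values treated as Rust, and the sample CPE strings are all assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Package is a minimal stand-in for a scanned package (hypothetical type, not syft's).
type Package struct {
	Name string
	Type string // e.g. "rust-crate", "npm" (constructed type labels)
}

// CPE holds the cpe:2.3 fields this example cares about.
type CPE struct {
	Raw      string
	Vendor   string
	Product  string
	TargetSW string
}

// ParseCPE splits a cpe:2.3 formatted string into its 13 components:
// cpe:2.3:part:vendor:product:version:update:edition:language:sw_edition:target_sw:target_hw:other
// Limitation: a plain split does not honour backslash-escaped colons inside a field.
func ParseCPE(s string) (CPE, error) {
	fields := strings.Split(s, ":")
	if len(fields) != 13 || fields[0] != "cpe" || fields[1] != "2.3" {
		return CPE{}, fmt.Errorf("not a cpe:2.3 string: %q", s)
	}
	return CPE{Raw: s, Vendor: fields[3], Product: fields[4], TargetSW: fields[10]}, nil
}

// nonRustCollisions is a hypothetical denylist: crate names from the PR title that
// share a product name with unrelated non-Rust software.
var nonRustCollisions = map[string]bool{"phf": true, "prometheus": true, "hyper": true}

// isRustTarget reports whether a target_sw value explicitly identifies the Rust ecosystem
// (the accepted values are an assumption for this example).
func isRustTarget(targetSW string) bool {
	switch strings.ToLower(targetSW) {
	case "rust", "cargo", "crates.io":
		return true
	}
	return false
}

// FilterCPECandidates returns the candidates that survive the collision check.
// Only Rust crates are affected; other package types keep every candidate.
// A candidate for a colliding name survives only if target_sw says it is Rust software.
func FilterCPECandidates(pkg Package, candidates []string) ([]string, error) {
	var kept []string
	for _, raw := range candidates {
		c, err := ParseCPE(raw)
		if err != nil {
			return nil, err
		}
		if pkg.Type == "rust-crate" && nonRustCollisions[c.Product] && !isRustTarget(c.TargetSW) {
			continue // would match CVEs filed against the non-Rust product
		}
		kept = append(kept, raw)
	}
	return kept, nil
}

// sampleCandidates are constructed CPE strings; "example_vendor" is a placeholder, not a real vendor.
var sampleCandidates = []string{
	"cpe:2.3:a:example_vendor:hyper:1.0.0:*:*:*:*:*:*:*",    // wildcard target_sw: dropped for a Rust crate
	"cpe:2.3:a:example_vendor:hyper:1.0.0:*:*:*:*:rust:*:*", // target_sw = rust: kept
	"cpe:2.3:a:example_vendor:other:1.0.0:*:*:*:*:*:*:*",    // non-colliding product: kept
}

func main() {
	pkg := Package{Name: "hyper", Type: "rust-crate"}
	kept, err := FilterCPECandidates(pkg, sampleCandidates)
	if err != nil {
		panic(err)
	}
	for _, c := range kept {
		fmt.Println("kept:", c)
	}
}
```

The check is deliberately scoped by package type so that an npm or Python package named hyper is untouched; the point of the PR description is that the false positives arise only when a Rust crate inherits a product name used by unrelated software.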
spiffcs (Contributor) commented Jun 6, 2025

Thank you @jayvdb for these contributions to enhance the removals for the cpe_generate code.

@spiffcs spiffcs merged commit bc1cbde into anchore:main Jun 6, 2025
12 checks passed
@jayvdb jayvdb deleted the rust-cpe-false-positives branch June 6, 2025 08:29
@wagoodman wagoodman changed the title from "fix: Remove three Rust crate false positive CPE matches" to "fix: Remove CPE product candidates for phf, prometheus, hyper and Rust crates" Jun 9, 2025
@wagoodman wagoodman added the "bug" label (Something isn't working) Jun 9, 2025
spiffcs added a commit that referenced this pull request Jun 9, 2025
* main: (31 commits)
  remove benchmark utils (#3982)
  fix: exclude packages with SPDX GENERATED_FROM source package indication (#3981)
  chore(deps): bump modernc.org/sqlite from 1.37.1 to 1.38.0 (#3979)
  chore(deps): bump github.com/go-git/go-git/v5 from 5.16.1 to 5.16.2 (#3978)
  chore(deps): update tools to latest versions (#3977)
  chore(deps): update CPE dictionary index (#3976)
  chore(deps): bump golang.org/x/net from 0.40.0 to 0.41.0 (#3970)
  chore(deps): bump github.com/sergi/go-diff (#3971)
  Fix Python package dependency detection (#3965)
  fix: Remove three Rust crate false positive CPE matches (#3967)
  Harden Container Runtime with Non-Root User (#3941)
  fix: Remove two Rust crate false positive CPE matches (#3962)
  chore(deps): bump golang.org/x/mod from 0.24.0 to 0.25.0 (#3963)
  chore(deps): bump github.com/gkampitakis/go-snaps from 0.5.12 to 0.5.13 (#3964)
  fix: bump stereoscope to fix symlink performance issue (#3953)
  chore(deps): bump github.com/go-git/go-git/v5 from 5.16.0 to 5.16.1 (#3960)
  chore(deps): bump github/codeql-action from 3.28.18 to 3.28.19 (#3952)
  feat: add syft schema version to version command (#3949)
  chore(deps): bump github.com/gkampitakis/go-snaps from 0.5.11 to 0.5.12 (#3943)
  chore(deps): update tools to latest versions (#3945)
  ...

Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>