oss/syft
2
0
Fork 0
mirror of https://github.com/anchore/syft.git synced 2025-11-17 00:13:15 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix: Remove two Rust crate false positive CPE matches (#3962)

Browse Source 
Rust crates opentelemetry and redis are being given CPEs that
match CVEs such as CVE-2023-45142 and CVE-2022-24735 respectively.
The vendor overrides added here prevent that.

Signed-off-by: John Vandenberg <jayvdb@gmail.com>
This commit is contained in:
John Vandenberg 2025-06-05 22:28:54 +08:00 committed by GitHub
parent c36c69779a
commit bd894b9c4d
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 12 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
syft/pkg/cataloger/internal/cpegenerate/candidate_by_package_type.go
View File

@ -486,7 +486,6 @@ var defaultCandidateAdditions = buildCandidateLookup(
candidateKey{PkgName: "dnsmasq", Vendor: "dnsmasq"},
candidateAddition{AdditionalVendors: []string{"thekelleys"}},
},
//
// Binary packages
{
pkg.BinaryPkg,
@ -630,7 +629,18 @@ var defaultCandidateRemovals = buildCandidateRemovalLookup(
candidateKey{PkgName: "grpc"},
candidateRemovals{ProductsToRemove: []string{"grpc"}},
},
// PHP Packages
// Rust packages
{
pkg.RustPkg,
candidateKey{PkgName: "opentelemetry"},
candidateRemovals{ProductsToRemove: []string{"opentelemetry"}},
},
{
pkg.RustPkg,
candidateKey{PkgName: "redis"},
candidateRemovals{VendorsToRemove: []string{"redis"}},
},
// PHP packages
{
pkg.PhpPearPkg,
candidateKey{PkgName: "redis"},