
feat: handle ROOTIO_UNAFFECTED markers in OS transformer#736

Closed
chait-slim wants to merge 1 commit intoanchore:mainfrom
chait-slim:feat/rootio-unaffected-support
Closed


Conversation

@chait-slim
Copy link

  • Recognize ROOTIO_UNAFFECTED version markers from vunnel
  • Set NotAffectedFixStatus for Root.io unaffected vulnerabilities
  • Handle Root.io namespace format (rootio:distro:alpine:3.17)
  • Add Root.io reference URL and tags for tracking
  • Include unit tests for new functionality

This enables grype-db to properly process Root.io security patches
and prevent false positive vulnerability matches.

Signed-off-by: Chai Tadmor chai.tadmor@root.io

@willmurphyscode
Copy link
Contributor

In its current form, this is not the change suggested at anchore/vunnel#863 (comment) .

https://github.com/anchore/grype-db/pull/686/files#diff-af698832ba49e27cd15a534e0c885e607ec0eb94a07cd2165f03f09a2265bcbeR61-R70 has an example.

To re-iterate:

  1. Vunnel should emit records that mean "rootio has published a fix for CVE X in version Y"
  2. Grype-DB should pick up those records and emit UnaffectedPackageHandles in the database
  3. Grype should query for those UnaffectedPackageHandle and use them to filter out packages that root-io has fixed.
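The three steps above describe a data flow (fix records in, unaffected handles in the database, matches filtered out) without showing what each stage operates on. The following Go program is an added illustration by the editor of this page, not code from grype-db, vunnel or this PR. The type and field names (FixRecord, UnaffectedHandle, Match), the exact-equality version check, and the sample records are assumptions; the rootio:distro:{os}:{version} namespace and the .root.io version suffix are taken from this thread, and CVE-XXXX-0001 is a placeholder identifier.

```go
package main

import (
	"fmt"
	"strings"
)

// All types and field names in this file are assumptions for the example;
// they are not grype-db's or vunnel's schema.

// RootioNamespace is the parsed form of rootio:distro:{os}:{version}.
type RootioNamespace struct {
	OS      string
	Version string
}

// ParseRootioNamespace accepts exactly four colon-separated fields with the
// rootio:distro prefix, so a record from the regular distro feeds is never
// mistaken for a Root.io fix.
func ParseRootioNamespace(ns string) (RootioNamespace, error) {
	parts := strings.Split(ns, ":")
	if len(parts) != 4 || parts[0] != "rootio" || parts[1] != "distro" || parts[2] == "" || parts[3] == "" {
		return RootioNamespace{}, fmt.Errorf("not a rootio distro namespace: %q", ns)
	}
	return RootioNamespace{OS: parts[2], Version: parts[3]}, nil
}

// FixRecord means "rootio has published a fix for CVE X in version Y" (step 1).
type FixRecord struct {
	Namespace, Package, CVE, FixedIn string
}

// UnaffectedHandle is the database entry derived from a fix record (step 2).
type UnaffectedHandle struct {
	OS, OSVersion, Package, CVE, Version string
}

// IsRootioBuild reports whether a version carries the .root.io suffix that
// marks a Root.io rebuilt package.
func IsRootioBuild(version string) bool {
	return strings.HasSuffix(version, ".root.io")
}

// BuildUnaffectedHandles converts rootio fix records into unaffected handles.
// Non-rootio records are passed over (they belong to the normal OS path); a
// rootio record whose fixed version is not a Root.io build is rejected as
// malformed rather than silently turned into a suppression rule.
func BuildUnaffectedHandles(records []FixRecord) ([]UnaffectedHandle, error) {
	var out []UnaffectedHandle
	for _, r := range records {
		ns, err := ParseRootioNamespace(r.Namespace)
		if err != nil {
			continue
		}
		if !IsRootioBuild(r.FixedIn) {
			return nil, fmt.Errorf("rootio fix for %s in %s lacks .root.io suffix: %q", r.CVE, r.Package, r.FixedIn)
		}
		out = append(out, UnaffectedHandle{OS: ns.OS, OSVersion: ns.Version, Package: r.Package, CVE: r.CVE, Version: r.FixedIn})
	}
	return out, nil
}

// Match is a candidate vulnerability match before filtering (step 3).
type Match struct {
	OS, OSVersion, Package, Version, CVE string
}

// FilterMatches drops every match whose installed version is exactly a Root.io
// build recorded as unaffected for that CVE. Exact equality keeps the example
// self-contained; a real matcher would apply the distro's version comparison.
func FilterMatches(matches []Match, handles []UnaffectedHandle) []Match {
	index := make(map[UnaffectedHandle]struct{}, len(handles))
	for _, h := range handles {
		index[h] = struct{}{}
	}
	kept := make([]Match, 0, len(matches))
	for _, m := range matches {
		key := UnaffectedHandle{OS: m.OS, OSVersion: m.OSVersion, Package: m.Package, CVE: m.CVE, Version: m.Version}
		if _, unaffected := index[key]; !unaffected {
			kept = append(kept, m)
		}
	}
	return kept
}

func main() {
	// Constructed sample data; CVE-XXXX-0001 is a placeholder identifier.
	records := []FixRecord{
		{Namespace: "rootio:distro:alpine:3.17", Package: "openssl", CVE: "CVE-XXXX-0001", FixedIn: "3.0.12-r0.root.io"},
		{Namespace: "alpine:distro:alpine:3.17", Package: "openssl", CVE: "CVE-XXXX-0001", FixedIn: "3.0.12-r0"},
	}
	handles, err := BuildUnaffectedHandles(records)
	if err != nil {
		panic(err)
	}
	matches := []Match{
		{OS: "alpine", OSVersion: "3.17", Package: "openssl", Version: "3.0.12-r0.root.io", CVE: "CVE-XXXX-0001"},
		{OS: "alpine", OSVersion: "3.17", Package: "openssl", Version: "3.0.11-r0", CVE: "CVE-XXXX-0001"},
	}
	for _, m := range FilterMatches(matches, handles) {
		fmt.Printf("still matches: %s %s %s\n", m.Package, m.Version, m.CVE)
	}
}
```

Only the match against the unpatched 3.0.11-r0 survives; the Root.io build is suppressed because the database carries a positive statement that it is fixed, rather than a sentinel version embedded in the vulnerability record.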

- Detect Root.io vulnerability records by namespace prefix (rootio:)
- Create UnaffectedPackageHandle entries for packages with .root.io suffix
- Support Root.io namespace format: rootio:distro:{os}:{version}
- Add OS-aware constraint handling for different package types
- Process Root.io data as fix records without sentinel values

Enables Grype to filter false positives for Root.io patched packages
by querying unaffected package handles from the database.
@chait-slim chait-slim force-pushed the feat/rootio-unaffected-support branch from 29c6218 to a2ee299 on November 23, 2025 13:16
@chait-slim
Copy link
Author

In its current form, this is not the change suggested at anchore/vunnel#863 (comment) .

https://github.com/anchore/grype-db/pull/686/files#diff-af698832ba49e27cd15a534e0c885e607ec0eb94a07cd2165f03f09a2265bcbeR61-R70 has an example.

To re-iterate:

  1. Vunnel should emit records that mean "rootio has published a fix for CVE X in version Y"
  2. Grype-DB should pick up those records and emit UnaffectedPackageHandles in the database
  3. Grype should query for those UnaffectedPackageHandle and use them to filter out packages that root-io has fixed.

@willmurphyscode I've refactored the three PRs according to the requirements and comments. Given what I understand about the project and your comments, I think the PRs will meet the requirements much better now.

@chait-slim
Copy link
Author

In its current form, this is not the change suggested at anchore/vunnel#863 (comment) .
https://github.com/anchore/grype-db/pull/686/files#diff-af698832ba49e27cd15a534e0c885e607ec0eb94a07cd2165f03f09a2265bcbeR61-R70 has an example.
To re-iterate:

  1. Vunnel should emit records that mean "rootio has published a fix for CVE X in version Y"
  2. Grype-DB should pick up those records and emit UnaffectedPackageHandles in the database
  3. Grype should query for those UnaffectedPackageHandle and use them to filter out packages that root-io has fixed.

@willmurphyscode I've refactored the three PRs according to the requirements and comments. Given what I understand about the project and your comments, I think the PRs will meet the requirements much better now.

Hi @willmurphyscode, did you get a chance to look at the updated PRs?

@chait-slim chait-slim closed this Dec 10, 2025
@chait-slim chait-slim reopened this Dec 10, 2025
@chait-slim
Copy link
Author

Hi @willmurphyscode, apologies for the close/reopen notification, that was an accidental misclick on my end!

I wanted to bump this because getting this landed is currently a high priority for my team. With the holidays approaching in a couple of weeks, I’m eager to get your eyes on this so I can address any remaining requests or fixes before the break.

I’d really appreciate a review when you have a moment so we don't carry any blockers into the new year. Thanks!

"AdvisorySummary": [],
"NoAdvisory": true
},
"Version": "",
Copy link
Contributor

I'm confused. This looks like a vulnerability with no fix information in a test case, but at anchore/vunnel#863 (comment) I thought you said that the rootio provider never discloses unfixed vulnerabilities.

@chait-slim
Copy link
Author

Opened a new PR with updated spec: #790

@chait-slim chait-slim closed this Dec 30, 2025