Add Root IO provider labels for cassandra test image #167
chait-slim wants to merge 2 commits into anchore:main from
ebc2cb1 to 1e9973b
Hi @chait-slim I am unable to pull the test image: Am I missing something? Is it possible for you all to make an old tag public or something?
1e9973b to e1bfcfc
Updated the image location: docker.io/rootpublic/cassandra:latest@sha256:02272b14efbe14e70ee5512ce707c4e300d3c1813f0e5df9562512c1b96be835
Updated vulnerability match labels for Root IO provider validation:
- Image: docker.io/rootpublic/cassandra:latest@sha256:02272b14efbe14e70ee5512ce707c4e300d3c1813f0e5df9562512c1b96be835
- 4 labels created for standard Ubuntu packages
- Scanned with grype@0.104.0 (database built 2026-01-15)
These labels are required for the Root IO provider PR in vunnel.
Signed-off-by: Chai Tadmor <chai.tadmor@root.io>
e1bfcfc to 2b5a446
Hi @chait-slim can you add some labels that are FPs? As I understand the current plan is for the rootio provider to emit UnaffectedPackageHandles that prevent Grype from matching on vulnerabilities that Root has patched. When compared with a scan by Grype that doesn't know about rootio patches, this would be a False Positive. In other words, for the labels to prove that the approach is working, there should be matches that Grype finds without the rootio data, that it stops finding with the rootio data, that are labeled as False Positives, that is, as matches that it is correct for Grype to stop finding.
@willmurphyscode I've added another image that should have better labels
@chait-slim I'm confused. All of the labels in this branch have
Hi @chait-slim just wanted to make sure we are not both waiting on each other. My understanding is that I am waiting for you to push some changes to this PR showing that some of grype's current findings against RootIO should be labeled "FP" (false positive) but everything still has "TP" labels in this PR. Please let me know if there's anything I can do to help.
Hi Will,
We are completely aligned here. I will get to this asap. Sorry for the delay
On Mon, 9 Mar 2026 at 22:10 Will Murphy wrote:
willmurphyscode left a comment (anchore/vulnerability-match-labels#167):
Hi @chait-slim just wanted to make sure we are not both waiting on each other. My understanding is that I am waiting for you to push some changes to this PR showing that some of grype's current findings against RootIO should be labeled "FP" (false positive) but everything still has "TP" labels in this PR. Please let me know if there's anything I can do to help.
@willmurphyscode updated
CVE-2016-20013 (libc-bin, libc6, locales) and CVE-2021-46848 (libtasn1-6) are patched by Root IO; grype[custom-db] correctly suppresses them via unaffectedPackageHandles. Labels these as FP so the quality gate can distinguish intentional suppressions from unlabeled unknowns. Signed-off-by: Chai Tadmor <chai.tadmor@root.io>
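Will's comment earlier in the thread states the check the labels should pass (a match that grype finds without the rootio data and stops finding with it is a correct suppression and belongs under an FP label), and the commit message above lists the four matches that ended up suppressed. The script below is an added example, not code from this PR, from grype, vunnel or the vulnerability-match-labels repository. It diffs two constructed, simplified grype-style JSON documents (a baseline scan and a scan run with the Root IO data) and turns the suppressed findings into candidate FP label records. The flat label dict it emits is a hypothetical shape chosen for illustration, not the repository's label file format, and the package versions and the CVE-PLACEHOLDER-0001 entry are made up.

```python
import json

# Constructed, simplified grype-style output. Only the fields this example
# reads are present: matches[].vulnerability.id, matches[].artifact.name and
# matches[].artifact.version. Package versions and CVE-PLACEHOLDER-0001 are
# made up; the four real CVE/package pairs come from the PR's commit message.
BASELINE_SCAN = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-2016-20013"}, "artifact": {"name": "libc-bin", "version": "2.35-0ubuntu3"}},
    {"vulnerability": {"id": "CVE-2016-20013"}, "artifact": {"name": "libc6", "version": "2.35-0ubuntu3"}},
    {"vulnerability": {"id": "CVE-2016-20013"}, "artifact": {"name": "locales", "version": "2.35-0ubuntu3"}},
    {"vulnerability": {"id": "CVE-2021-46848"}, "artifact": {"name": "libtasn1-6", "version": "4.18.0-4"}},
    {"vulnerability": {"id": "CVE-PLACEHOLDER-0001"}, "artifact": {"name": "examplepkg", "version": "1.0-1"}},
]})

# Same image scanned with the Root IO data: the patched packages no longer match.
ROOTIO_SCAN = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-PLACEHOLDER-0001"}, "artifact": {"name": "examplepkg", "version": "1.0-1"}},
]})


def match_keys(scan_json):
    """Reduce a grype JSON document to the set of (vuln id, package, version) it matched."""
    doc = json.loads(scan_json)
    return {
        (m["vulnerability"]["id"], m["artifact"]["name"], m["artifact"]["version"])
        for m in doc.get("matches", [])
    }


def compare_scans(baseline_json, patched_json):
    """Split findings by what the patch-aware scan did with them.

    suppressed: found without Root IO data, gone with it -> candidate FP labels
    retained:   found in both scans -> still need a TP/FP decision on their own merits
    unexpected: found only in the patch-aware scan; unaffected-package data should
                only remove matches, so anything here deserves investigation
    """
    base = match_keys(baseline_json)
    patched = match_keys(patched_json)
    return {
        "suppressed": sorted(base - patched),
        "retained": sorted(base & patched),
        "unexpected": sorted(patched - base),
    }


def propose_fp_labels(image_ref, baseline_json, patched_json):
    """Turn suppressed findings into label records.

    The dict layout here is hypothetical, chosen for this example; it is not
    the vulnerability-match-labels file format.
    """
    result = compare_scans(baseline_json, patched_json)
    return [
        {
            "image": image_ref,
            "vulnerability": vuln,
            "package": pkg,
            "version": ver,
            "label": "FP",
            "note": "suppressed via Root IO unaffected-package data; package is patched by Root IO",
        }
        for vuln, pkg, ver in result["suppressed"]
    ]


if __name__ == "__main__":
    image = ("docker.io/rootpublic/cassandra:latest"
             "@sha256:02272b14efbe14e70ee5512ce707c4e300d3c1813f0e5df9562512c1b96be835")
    print(json.dumps(propose_fp_labels(image, BASELINE_SCAN, ROOTIO_SCAN), indent=2))
    leftovers = compare_scans(BASELINE_SCAN, ROOTIO_SCAN)
    print("retained (still need a label decision):", leftovers["retained"])
    print("unexpected (only with Root IO data):", leftovers["unexpected"])
```

The "unexpected" bucket is the sanity check a reviewer would want alongside the FP proposals: an unaffected-package feed is only supposed to remove matches, so a finding that appears solely in the patch-aware scan points at a data or matcher problem rather than at a label to write.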
c76cfac to 1163143
Added vulnerability match labels for Root IO provider validation:
These labels are required for the Root IO provider PR in vunnel.