Add Root IO provider labels for ubuntu test image #167
chait-slim wants to merge 4 commits into anchore:main from
ebc2cb1 to 1e9973b
Hi @chait-slim I am unable to pull the test image: Am I missing something? Is it possible for you all to make an old tag public or something?
1e9973b to e1bfcfc
Updated the image location: docker.io/rootpublic/cassandra:latest@sha256:02272b14efbe14e70ee5512ce707c4e300d3c1813f0e5df9562512c1b96be835
Updated vulnerability match labels for Root IO provider validation:
- Image: docker.io/rootpublic/cassandra:latest@sha256:02272b14efbe14e70ee5512ce707c4e300d3c1813f0e5df9562512c1b96be835
- 4 labels created for standard Ubuntu packages
- Scanned with grype@0.104.0 (database built 2026-01-15)
These labels are required for the Root IO provider PR in vunnel.
Signed-off-by: Chai Tadmor <chai.tadmor@root.io>
e1bfcfc to 2b5a446
Hi @chait-slim can you add some labels that are FPs? As I understand the current plan is for the rootio provider to emit UnaffectedPackageHandles that prevent Grype from matching on vulnerabilities that Root has patched. When compared with a scan by Grype that doesn't know about rootio patches, this would be a False Positive. In other words, for the labels to prove that the approach is working, there should be matches that Grype finds without the rootio data, that it stops finding with the rootio data, that are labeled as False Positives, that is, as matches that it is correct for Grype to stop finding.
@willmurphyscode I've added another image that should have better labels
@chait-slim I'm confused. All of the labels in this branch have
Hi @chait-slim just wanted to make sure we are not both waiting on each other. My understanding is that I am waiting for you to push some changes to this PR showing that some of grype's current findings against RootIO should be labeled "FP" (false positive) but everything still has "TP" labels in this PR. Please let me know if there's anything I can do to help.
Hi Will,
We are completely aligned here. I will get to this asap. Sorry for the delay
…On Mon, 9 Mar 2026 at 22:10 Will Murphy wrote:
> willmurphyscode left a comment (anchore/vulnerability-match-labels#167)
> Hi @chait-slim just wanted to make sure we are not both waiting on each other. My understanding is that I am waiting for you to push some changes to this PR showing that some of grype's current findings against RootIO should be labeled "FP" (false positive) but everything still has "TP" labels in this PR. Please let me know if there's anything I can do to help.
@willmurphyscode updated
CVE-2016-20013 (libc-bin, libc6, locales) and CVE-2021-46848 (libtasn1-6) are patched by Root IO; grype[custom-db] correctly suppresses them via unaffectedPackageHandles. Labels these as FP so the quality gate can distinguish intentional suppressions from unlabeled unknowns.
Signed-off-by: Chai Tadmor <chai.tadmor@root.io>
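The two points made above, that a match Grype finds without the Root IO data and stops finding with it is the one that should carry an FP label, and that a quality gate then needs to tell such intentional suppressions apart from suppressed matches nobody labelled, can be exercised with a small differential check. The script below is an added example and is not code from the anchore/vulnerability-match-labels repository or from Root IO; it uses a simplified `Match`/label record rather than the repository's real label schema, the package versions are constructed sample values, and the CVE ids of the form `CVE-XXXX-SAMPLE-*` are placeholders. The image digest and the four suppressed CVE/package pairs are the ones named in this PR.

```python
"""Differential labelling of grype matches for a patch-aware provider.

Added example: compares a scan without the Root IO data (baseline) with a
scan that has the provider's unaffected-package handles, labels the
matches, and runs a quality gate over the result.
"""
from dataclasses import dataclass

# Image digest from the PR; versions below are constructed sample values.
IMAGE = ("docker.io/rootpublic/cassandra:latest"
         "@sha256:02272b14efbe14e70ee5512ce707c4e300d3c1813f0e5df9562512c1b96be835")


@dataclass(frozen=True, order=True)
class Match:
    """One grype finding: (vulnerability, package, installed version)."""
    vulnerability: str
    package: str
    version: str


# Constructed sample: grype without any Root IO data.
BASELINE = {
    Match("CVE-2016-20013", "libc-bin", "2.35-0ubuntu3"),
    Match("CVE-2016-20013", "libc6", "2.35-0ubuntu3"),
    Match("CVE-2016-20013", "locales", "2.35-0ubuntu3"),
    Match("CVE-2021-46848", "libtasn1-6", "4.18.0-4build1"),
    Match("CVE-XXXX-SAMPLE-A", "openssl", "3.0.2-0ubuntu1"),  # placeholder, not patched
}

# Constructed sample: the same image scanned with the Root IO provider's
# unaffected-package handles applied. The four patched pairs are gone;
# one placeholder match appears only here.
WITH_ROOTIO = {
    Match("CVE-XXXX-SAMPLE-A", "openssl", "3.0.2-0ubuntu1"),
    Match("CVE-XXXX-SAMPLE-B", "curl", "7.81.0-1ubuntu1"),  # placeholder
}


def label_matches(baseline: set, with_provider: set) -> dict:
    """Derive labels by diffing the two scans.

    FP      : found in the baseline, suppressed once provider data is present
              (it is correct for grype to stop reporting it).
    TP      : found in both scans (still a real match).
    UNKNOWN : appears only with the provider data; needs human review.
    """
    labels = {}
    for m in baseline:
        labels[m] = "FP" if m not in with_provider else "TP"
    for m in with_provider - baseline:
        labels[m] = "UNKNOWN"
    return labels


def quality_gate(labels: dict, baseline: set, with_provider: set) -> list:
    """Return suppressed matches that carry no FP label.

    Every match the provider removed must be explicitly labelled FP;
    anything else is an unlabelled unknown and should fail the gate.
    """
    suppressed = baseline - with_provider
    return sorted(m for m in suppressed if labels.get(m) != "FP")


if __name__ == "__main__":
    labels = label_matches(BASELINE, WITH_ROOTIO)
    for m in sorted(labels):
        print(f"{labels[m]:7} {m.vulnerability:18} {m.package}@{m.version}")
    print("gate failures:", quality_gate(labels, BASELINE, WITH_ROOTIO))
    # Drop one FP label to show the gate catching an unlabelled suppression.
    partial = {m: l for m, l in labels.items() if m.package != "libtasn1-6"}
    print("gate failures (partial labels):",
          quality_gate(partial, BASELINE, WITH_ROOTIO))
```

With full labels the gate returns an empty list; removing the libtasn1-6 label makes it report that match, which is the distinction between an intentional suppression and an unlabelled unknown that the commit message describes.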
c76cfac to 1163143
@willmurphyscode did you get a chance to look at this? Am I on the right track this time?
Hi @chait-slim thanks for checking in! Yes, this looks like what I was expecting to see. I just took a look at anchore/vunnel#963 to try to do an end to end test, and I think some changes are needed there, but this looks good. I'll comment details on the vunnel PR.
…d labels
- Replace cassandra test image with docker.io/rootpublic/python:3.11-slim-bookworm
- Update expected namespaces to include debian:12 and github:language:python
- Update vulnerability-match-labels submodule with new ubuntu TP/FP labels
- Remove cassandra label files
Signed-off-by: Chai Tadmor <chai.tadmor@root.io>
4b561da to f8d660b
0d9b0d3 to f8d660b
Update labels for e2e-rootio-alpine-test to the new Alpine 3.18 image (sha256:b823...) which adds @rootio/semver (NPM) alongside the existing rootio-jinja2 (PyPI) and rootio-openssh/openssl (APK) packages.
- Add FP labels for @rootio/semver (CVE-2022-25883) and rootio-jinja2 (CVE-2025-27516): grype[custom-db] correctly suppresses these via NAK
- Add TP labels for nodejs, npm transitive deps (minimatch, brace-expansion, tar, semver, diff, glob, ip, cross-spawn), nghttp2-libs, py3-pip
- Remove stale labels for old digest (d74e...)
Signed-off-by: Chai Tadmor <chai.tadmor@root.io>
No description provided.