Add Root IO vulnerability data provider #963
| } | ||
| } | ||
| ], | ||
| "database_specific": {"source": "Root"} |
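Review bot: `database_specific` is emitted here with only `{"source": "Root"}`; when the `anchore.record_type` key the review asks for is added, merge it into this existing dict (e.g. `setdefault`) rather than assigning a fresh dict over it, otherwise the `source` marker is lost, and add a test that asserts both keys survive normalization.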
This should also assert something like:

```python
if "database_specific" not in vuln_entry:
    vuln_entry["database_specific"] = {}
if "anchore" not in vuln_entry["database_specific"]:
    vuln_entry["database_specific"]["anchore"] = {}
vuln_entry["database_specific"]["anchore"]["record_type"] = "advisory"
```

has been done. Otherwise, grype-db doesn't know to emit unaffectedPackageHandles and this data just makes affected package handles and the NAKs don't do anything.
This adds a new provider for Root IO vulnerability data, which provides
security information for Root IO patched packages across multiple
ecosystems (Debian, Ubuntu, Alpine, NPM, PyPI).
Implementation details:
- Fetches OSV 1.6.1 format data from Root IO API (api.root.io/external/osv)
- Implements NAK pattern: rootio- prefixed packages only match Root IO vulnerabilities
- Supports ecosystem-specific version suffixes (.root.io.N for Debian/Ubuntu,
-root.io.N for NPM, +root.io.N for PyPI)
- Provider class in src/vunnel/providers/rootio/__init__.py
- OSV record parser in src/vunnel/providers/rootio/parser.py
- Registered in src/vunnel/providers/__init__.py and src/vunnel/cli/config.py
Signed-off-by: Chai Tadmor <chai.tadmor@root.io>
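As an added illustration, not code from this PR or from vunnel's own provider: the pieces that the description above and the earlier review comment on `database_specific` call for, in Python. The only facts taken from the page are the version-suffix conventions per ecosystem, the rule that `rootio-` prefixed packages match only Root IO advisories, and the requirement that `database_specific.anchore.record_type` be set to `"advisory"` without losing `{"source": "Root"}`. The function names, the regexes, the ecosystem keys and the sample record are assumptions of this example.

```python
import copy
import re
from dataclasses import dataclass

# Suffix conventions listed in the PR description. Ecosystem keys, regexes and
# function names are this example's own, not vunnel's implementation. Alpine is
# a supported ecosystem but no suffix convention is listed, so it is absent here.
ROOTIO_SUFFIX = {
    "debian": re.compile(r"^(?P<base>.+)\.root\.io\.(?P<n>\d+)$"),
    "ubuntu": re.compile(r"^(?P<base>.+)\.root\.io\.(?P<n>\d+)$"),
    "npm": re.compile(r"^(?P<base>.+)-root\.io\.(?P<n>\d+)$"),
    "pypi": re.compile(r"^(?P<base>.+)\+root\.io\.(?P<n>\d+)$"),
}


@dataclass(frozen=True)
class RootIOVersion:
    base: str   # the distro/upstream version the Root IO build derives from
    patch: int  # the N in the root.io.N suffix


def parse_rootio_version(ecosystem: str, version: str):
    """Split a Root IO build version; None if this is not a Root IO build
    or the ecosystem has no listed suffix convention."""
    pattern = ROOTIO_SUFFIX.get(ecosystem.lower())
    if pattern is None:
        return None
    m = pattern.match(version)
    if m is None:
        return None
    return RootIOVersion(base=m.group("base"), patch=int(m.group("n")))


def is_rootio_package(name: str) -> bool:
    """NAK convention from the description: Root IO packages carry a rootio- prefix."""
    return name.startswith("rootio-")


def rootio_package_may_match(package_name: str, advisory: dict) -> bool:
    """rootio- prefixed packages only match advisories whose source is Root.
    Packages without the prefix are left to the normal matcher (True here)."""
    if not is_rootio_package(package_name):
        return True
    source = (advisory.get("database_specific") or {}).get("source")
    return source == "Root"


def stamp_anchore_metadata(vuln_entry: dict, record_type: str = "advisory") -> dict:
    """Merge anchore.record_type into database_specific without clobbering
    keys already present, such as {"source": "Root"}."""
    ds = vuln_entry.setdefault("database_specific", {})
    if not isinstance(ds, dict):
        raise TypeError("database_specific must be a mapping")
    ds.setdefault("anchore", {})["record_type"] = record_type
    return vuln_entry


def check_anchore_metadata(vuln_entry: dict) -> bool:
    """The assertion the review asks for: record_type present and source preserved."""
    ds = vuln_entry.get("database_specific") or {}
    return ds.get("source") == "Root" and (ds.get("anchore") or {}).get("record_type") == "advisory"


# Constructed sample record shaped like the snippet under review (not real data;
# the id is made up for this example).
SAMPLE_ENTRY = {
    "id": "ROOTIO-EXAMPLE-0001",
    "affected": [{"package": {"ecosystem": "Debian", "name": "rootio-openssl"}}],
    "database_specific": {"source": "Root"},
}

if __name__ == "__main__":
    entry = stamp_anchore_metadata(copy.deepcopy(SAMPLE_ENTRY))
    print(check_anchore_metadata(entry))
    print(parse_rootio_version("Debian", "3.0.2-0ubuntu1.12.root.io.1"))
    print(rootio_package_may_match("rootio-openssl", entry))
```

The `setdefault` chain in `stamp_anchore_metadata` is the point: a `_normalize()` that assigns `database_specific = {"anchore": ...}` outright would drop the `source` key, and `check_anchore_metadata` is the kind of assertion a snapshot test should make after normalization.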
….py _normalize()
2. Added comprehensive tests to verify the metadata is set correctly
3. Updated all 5 snapshot fixtures with the new metadata

Signed-off-by: Chai Tadmor <chai.tadmor@root.io>
09e61c6 to 85f1e1d
| # Fix date patching is optional and requires authentication | ||
|
|
||
| # Fetch and process each OSV record | ||
| for osv_id in osv_ids: |
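Review bot: the loop at `for osv_id in osv_ids:` fetches and processes each record in the same pass, so the network wait and the normalization are serialized per record; split the GET stage from the normalization stage so the fetch can be parallelized and a single failed GET can be logged and retried without discarding the records already normalized.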
Please make this concurrent in some way. Right now this provider does ~9K sequential, blocking http gets, which makes it very slow for a relatively small amount of data. Many of the other providers have some concurrent.futures.ThreadPoolExecutor use and a config that controls the concurrency (and sets a default higher than 1). Please imitate that pattern here.
It's probably fine to enter a concurrent section that pulls down all the osv docs and then process them sequentially, which is probably easier than trying to get the entire record normalized and processed concurrently.
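Worked example, added here and not part of this PR or of vunnel's providers: a fetch stage that imitates the `concurrent.futures.ThreadPoolExecutor` pattern the reviewer describes, driven by a concurrency knob whose default is above 1, followed by a sequential normalization pass. The config class, the function names, the fake fetcher and the `RIO-…` ids are constructed for this example; the real provider would pass its HTTP GET in place of `fake_fetch`.

```python
import concurrent.futures
import logging
from dataclasses import dataclass
from typing import Callable, Iterable

logger = logging.getLogger(__name__)


@dataclass
class RootIOFetchConfig:
    # Hypothetical knob mirroring the concurrency settings other providers expose;
    # the name is this example's, not vunnel's. Default deliberately above 1.
    concurrency: int = 8


def fetch_all(osv_ids: Iterable[str], fetch_one: Callable[[str], dict], concurrency: int):
    """Pull every OSV document with a bounded thread pool.

    Returns (docs, errors): docs maps id -> document for successful GETs,
    errors maps id -> exception, so one bad record does not abort the run.
    """
    ids = list(osv_ids)
    docs: dict = {}
    errors: dict = {}
    workers = max(1, int(concurrency))
    with concurrent.futures.ThreadPoolExecutor(max_workers=workers) as pool:
        futures = {pool.submit(fetch_one, oid): oid for oid in ids}
        for fut in concurrent.futures.as_completed(futures):
            oid = futures[fut]
            try:
                docs[oid] = fut.result()
            except Exception as exc:  # record and continue with the other records
                logger.warning("failed to fetch %s: %s", oid, exc)
                errors[oid] = exc
    return docs, errors


def normalize_all(osv_ids, docs: dict, normalize: Callable[[dict], dict]) -> list:
    """Sequential pass in the original id order, independent of completion order."""
    return [normalize(docs[oid]) for oid in osv_ids if oid in docs]


# Constructed stand-in for the Root IO API so the example runs offline;
# the ids and documents are made up, not real advisories.
CONSTRUCTED_API = {
    "RIO-0001": {"id": "RIO-0001", "affected": []},
    "RIO-0002": {"id": "RIO-0002", "affected": []},
    "RIO-0003": {"id": "RIO-0003", "affected": []},
}


def fake_fetch(osv_id: str) -> dict:
    """Stands in for an HTTP GET of one OSV record; RIO-0002 simulates a 5xx."""
    if osv_id == "RIO-0002":
        raise RuntimeError("simulated HTTP 503")
    return dict(CONSTRUCTED_API[osv_id])


def run_example(concurrency=None):
    cfg = RootIOFetchConfig() if concurrency is None else RootIOFetchConfig(concurrency=concurrency)
    ids = ["RIO-0003", "RIO-0001", "RIO-0002"]
    docs, errors = fetch_all(ids, fake_fetch, cfg.concurrency)
    tag = lambda d: {**d, "database_specific": {"source": "Root"}}  # stand-in normalize step
    normalized = normalize_all(ids, docs, tag)
    return [d["id"] for d in normalized], sorted(errors)


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(run_example())
```

Keeping the pool inside `fetch_all` and doing the normalization afterwards is what the reviewer suggests: only the blocking GETs overlap, the `_normalize()` path stays single-threaded and deterministic, and a `concurrency` of 1 degrades to the current sequential behaviour rather than a different code path.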
tests/quality/config.yaml
| - name: github | ||
| use_cache: true | ||
| images: | ||
| - cr.root.io/cassandra@sha256:b3cc918a6a364af0a6b0a45becef0d0979db7e604751fad627ec2a94945b4e03 |
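Review bot: the image under `images:` is pinned to `cr.root.io/cassandra@sha256:…`, a registry the quality-gate runners may not be able to pull from anonymously; point this at an image on a public registry (the later commit moves to `docker.io/rootpublic`) and keep the digest pin so the reference scan stays reproducible.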
I think you changed this image to be on a different repo?
Signed-off-by: Chai Tadmor <chai.tadmor@root.io>
c9e7a9e to d92900e
- Switched from private ECR to public Docker Hub images for accessibility
- Added 3 FP labels for ubuntu:22.04 image (CVE-2016-20013 x2, CVE-2021-46848)
- Added 3 FP labels for cassandra image (CVE-2016-20013 x3)
- Demonstrates Root IO patch prevention mechanism
- Reference scan finds vulnerabilities but Root IO-enhanced scan correctly excludes them
- Updated .yardstick.yaml and config.yaml to use docker.io/rootpublic images

Images:
- docker.io/rootpublic/ubuntu:22.04@sha256:1390a26823a5a761dfbb7f591ae74a71afd8e23583a2f0c58dca6943b606f6d5
- docker.io/rootpublic/cassandra:latest@sha256:02272b14efbe14e70ee5512ce707c4e300d3c1813f0e5df9562512c1b96be835

Signed-off-by: Chai Tadmor <chai.tadmor@root.io>
Hi @chait-slim, I was just running this locally to check on it, and the quality gate currently fails like this: I think these are the missing labels that I was asking for at anchore/vulnerability-match-labels#167 (comment) - if you agree that these are things that rootio patched, they should be labeled as false positives in that PR. I'm also sort of surprised to see differences in these packages, which don't look like RootIO packages to me. Am I missing something?