grype | A vulnerability scanner for container images and filesystems | Continuous Deployment library

by anchore | Go | Version: v0.62.3 | License: Apache-2.0

kandi X-RAY | grype Summary

grype is a Go library typically used in DevOps, Continuous Deployment and Docker applications. grype has no bugs, no vulnerabilities, a Permissive License and medium support. You can download it from GitHub.

A vulnerability scanner for container images and filesystems. Easily install the binary to try it out. Works with Syft, the powerful SBOM (software bill of materials) tool for container images and filesystems.
Support

grype has a medium active ecosystem.
It has 5952 star(s) with 404 fork(s). There are 68 watchers for this library.
There were 4 major release(s) in the last 12 months.
There are 213 open issues and 384 have been closed. On average issues are closed in 212 days. There are 10 open pull requests and 0 closed requests.
It has a neutral sentiment in the developer community.
The latest version of grype is v0.62.3.

Quality

grype has 0 bugs and 0 code smells.

Security

grype has no vulnerabilities reported, and its dependent libraries have no vulnerabilities reported.
grype code analysis shows 0 unresolved vulnerabilities.
There are 0 security hotspots that need review.

License

grype is licensed under the Apache-2.0 License. This license is Permissive.
Permissive licenses have the least restrictions, and you can use them in most projects.

Reuse

grype releases are available to install and integrate.
Installation instructions, examples and code snippets are available.
It has 25445 lines of code, 775 functions and 278 files.
It has medium code complexity. Code complexity directly impacts maintainability of the code.

grype Key Features

No Key Features are available at this moment for grype.

grype Examples and Code Snippets

No Code Snippets are available at this moment for grype.

Community Discussions

QUESTION

Spring Cloud embedded netty server with security vulnerabilities
Asked 2021-Nov-11 at 11:07

I'm using spring-cloud-starter-gateway and spring-boot-starter-webflux from spring-cloud-dependencies:2020.0.4, packing everything in a docker image.

All my routes are written with RouteLocatorBuilder from spring cloud.

Scanning the image with Grype, I get the following vulnerabilities:

Latest reactor-netty-http:1.0.13 still doesn't have these fixed.

I'd like to resolve these issues. Any suggestions?

[UPDATE]

Wrote to Grype's GitHub for further investigation. It does seem these are false positives, as Andreas mentioned below. Enforcing latest netty in my BOM for now.

...

ANSWER

Answered 2021-Nov-11 at 10:26

I suppose these are false positives, as reactor-netty-http did not have the vulnerability; it was HttpObjectDecoder.java in Netty before 4.1.44. The regex provided by https://nvd.nist.gov/vuln/detail/CVE-2019-20444 is sometimes too unspecific.

According to the docs you can suppress the false positives following this guide: https://github.com/anchore/grype#specifying-matches-to-ignore

If you are using maven you could just add (but you don't have to because these are false positives):

Source https://stackoverflow.com/questions/69926160
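An added example of the ignore rule the answer points to (it is not part of the question, the answer, or the grype project): a .grype.yaml that suppresses CVE-2019-20444 only for the reactor-netty-http jar, so the rule cannot hide a real instance of the same CVE in a netty jar elsewhere in the image. The version value is taken from the question; the package type is Syft's type name for jars.

```yaml
# .grype.yaml, read from the directory grype is run in.
# Added example, not the project's own configuration.
# Every field inside one rule must match for that rule to apply;
# a finding is suppressed when any rule matches it.
ignore:
  - vulnerability: CVE-2019-20444        # CVE discussed in the answer above
    package:
      name: reactor-netty-http           # package named in the question
      version: 1.0.13                    # version the question mentions
      type: java-archive                 # Syft's package type for jar files
  # A rule carrying only "vulnerability: CVE-2019-20444" would silence the CVE
  # for every package, including a genuinely affected io.netty jar, so keep
  # each suppression scoped to the package it was verified against.
```

Run grype with --show-suppressed so ignored matches still appear in the table output and the suppression stays reviewable.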

Community Discussions, Code Snippets contain sources that include Stack Exchange Network

Vulnerabilities

No vulnerabilities reported

Install grype

Install the binary, and make sure that grype is available in your path. To scan for vulnerabilities in an image:

Support

Calendar: https://calendar.google.com/calendar/u/0/r?cid=Y182OTM4dGt0MjRtajI0NnNzOThiaGtnM29qNEBncm91cC5jYWxlbmRhci5nb29nbGUuY29t
Agenda: https://docs.google.com/document/d/1ZtSAa6fj2a6KRWviTn3WoJm09edvrNUp4Iz_dOjjyY8/edit?usp=sharing (join this group for write access)
All are welcome!
Find more information at:

CLONE

• HTTPS: https://github.com/anchore/grype.git
• CLI: gh repo clone anchore/grype
• sshUrl: git@github.com:anchore/grype.git
