Support for Fedora CoreOS 36 -> OKD/OpenShift #1865
Comments
I tried using syft within fedora core 40 to scan itself and was able to get a listing of installed RPMs that are in I take it you are looking for additional functionality here? I'm not well versed in fedora core, but from what I understand the underlying filesystem is immutable (or a portion of it), thus, installing RPMs and modifying the RPM DB is no longer allowed. It appears that Can you confirm that you are looking for additional cataloging capabilities beyond what is available in the RPM DB (
Hi, and the result of the rpm -qa command and, to be sure. My diagnosis was that sygnaurty/grype doesn't recognize packages correctly; it doesn't report any vulnerability found, which sounds very unlikely. Hence the ticket to add support for this system. sbom_syft-json_11_0_1-okd-master0-1716277638.json.gz
Hi @lokcio, thanks for the additional details. The reason Grype doesn't show any vulnerabilities is because we don't currently have a feed of vulnerability data for Fedora yet. We would need to implement a Vunnel provider (https://github.com/anchore/vunnel) for the Fedora database at https://bodhi.fedoraproject.org/. (If it's helpful, we did notice that in your SBOM it looks like you are scanning your Fedora system as well as the overlay filesystems for some containers running on that same system -- you may want to consider using the We will open up an enhancement request in the Vunnel repository to implement a provider for Fedora. If that's something you're interested in working on, let us know and we can help get you started!
What would you like to be added:
Support for Fedora CoreOS which uses rpm-ostree https://docs.fedoraproject.org/en-US/fedora/f37/release-notes/sysadmin/Ostree/#readonly-sysroot-ostree-desktopsl
Why is this needed:
Fedora Core is used by OKD (The Community Distribution of Kubernetes that powers Red Hat OpenShift).
Additional context:
For scanning, we currently use an integration created by Threat Mapper https://github.com/deepfence/package-scanner/blob/6c56a429d3c0bc84d7e640604a9f76e361bc2225/tools/grype-bin/get_grype.sh
SBOM is being collected correctly.