Container Scanning with Grype no longer correctly detects OS for auto-remediation
Summary
I was looking at integration tests and I saw that Grype was failing to detect Debian as a valid OS for remediation:
- https://gitlab.com/gitlab-org/security-products/analyzers/container-scanning/-/jobs/2045477011#L557
- https://gitlab.com/gitlab-org/security-products/analyzers/container-scanning/-/jobs/2045477007#L557
It seems that the string has changed and now looks like "Debian GNU/Linux:9 (stretch)".
I believe that this was introduced by https://github.com/anchore/grype/pull/585, which means that it made its way into container scanning with gitlab-org/security-products/analyzers/container-scanning!2649 (merged).
What is the current bug behavior?
Debian is being shown as not supported for remediation, but it is.
What is the expected correct behavior?
Container Scanning should perform remediations for Debian
Possible fixes
- Update the string matching so that it works with Grype's new string format
- Update the integration tests so that they verify auto-remediation is working
- Use Vulnerability.Namespace to determine OS instead
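As an added illustration (not code from the container-scanning project or from Grype), the following Ruby normalizer accepts both the older "debian:9" form and the new "Debian GNU/Linux:9 (stretch)" form before checking remediation support, and also shows the namespace-based alternative from the last bullet. The pretty-name table entries other than Debian, the supported-distro list beyond Debian, and the sample namespace values are assumptions.

```ruby
# Added example, not GCS or Grype code: normalize the distro string Grype
# reports so remediation support no longer depends on which format it emits.

# Distros assumed here to be remediation-capable; the issue only confirms Debian.
REMEDIATION_SUPPORTED = %w[debian ubuntu alpine].freeze

# Map the human-readable names Grype now prints back to the short identifiers
# the old format used. Only the Debian entry is confirmed by the issue; the
# other entries are assumptions.
PRETTY_NAMES = {
  'debian gnu/linux' => 'debian',
  'ubuntu' => 'ubuntu',
  'alpine linux' => 'alpine'
}.freeze

# Accepts "debian:9" as well as "Debian GNU/Linux:9 (stretch)".
# Returns [os, version] on success, nil when the string does not parse.
def parse_distro(str)
  pattern = /\A(?<name>[^:]+):(?<version>[^\s(]+)(?:\s*\((?<codename>[^)]*)\))?\z/
  m = pattern.match(str.to_s.strip)
  return nil unless m

  name = m[:name].strip.downcase
  os = PRETTY_NAMES.fetch(name, name) # fall through for names already in short form
  [os, m[:version]]
end

# Decide support from the normalized OS name rather than the raw string.
def remediation_supported?(distro_string)
  parsed = parse_distro(distro_string)
  return false if parsed.nil?

  REMEDIATION_SUPPORTED.include?(parsed[0])
end

# Alternative from the last bullet: derive the OS from the vulnerability
# namespace of a match (assumed to look like "debian:9") instead of the
# distro line. Namespaces without a distro component (e.g. "nvd") yield nil.
def os_from_namespace(namespace)
  os, version = namespace.to_s.split(':', 2)
  return nil if os.nil? || os.empty? || version.nil? || os == 'nvd'

  [os.downcase, version]
end
```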
Edited by Alan (Maciej) Paruszewski