
Update Grype to v0.13.0

Hi @thiagocsf! I wanted to provide this Grype update to the Container Scanning project as an optional MR to merge for %14.0. There's certainly no need to rush this in if the testing window for the release is closing. And if it's not viable to merge now, let's consider looking at this after the release.

This MR updates Grype from v0.12.1 to v0.13.0 (the latest version of Grype), which makes a few notable improvements to Grype's output data:

  • Adds more vulnerability links (this was mentioned explicitly in gitlab-org/gitlab#327174 (closed))
  • Adds richer data for vulnerability fix information, e.g. if a vendor has said explicitly that they won't fix the issue
  • Adds support for showing CVSS data from multiple upstream sources

The latter two items are not leveraged yet in Container Scanning, but they'd certainly be worth considering in the future, since they help users triage reported vulnerabilities.