
Conversation

dnestoro
Member

@dnestoro dnestoro commented Sep 5, 2025

What does this PR do?

Make the vulnerability scanner less strict in order to accept slightly vulnerable images that are less vulnerable than the currently allowed images.

Fixes: #540

@dnestoro dnestoro force-pushed the dnestoro/make-vulnerability-scanner-less-strict branch 5 times, most recently from 368d448 to a389f25 Compare September 10, 2025 09:22
@dnestoro dnestoro marked this pull request as ready for review September 10, 2025 09:44
@dnestoro dnestoro requested a review from a team as a code owner September 10, 2025 09:44
@dnestoro dnestoro requested review from vjovanov, matteoldani and matneu and removed request for vjovanov September 10, 2025 09:44
@dnestoro dnestoro self-assigned this Sep 11, 2025
return vulnerabilities.critical() > 0 || vulnerabilities.high() > 0;
}

public boolean isLessVulnerable(DockerImage other) {
Collaborator

I do agree that, in general, a critical vulnerability has more priority than any number of high ones. However, since we are not just comparing two different scenarios but doing an upgrade, how about introducing a sanity check that prevents us from introducing a container with 1 less critical and thousands more high-scored vulns without noticing it?

After all, if we decide on making such a tradeoff, we can always adapt the heuristic.

Member Author

I think the only solution that is correct in 100% of cases is that we only accept a new image if it contains fewer critical and fewer high vulnerabilities. In all other combinations we can't determine programmatically whether the image is an acceptable candidate for an update or not (we will still rely on a manual check of the image).
What do you think?

if (numberOfHigh > 4 || numberOfCritical > 0) {
shouldFail = true;
// parse Grype output
ByteArrayInputStream inputStream = new ByteArrayInputStream(execOutput.toByteArray());
Collaborator

The Grype output is in JSON format. Can't we parse it using a JSON parser? It would make the vuln detection more reliable against output changes.

Member Author

I refactored that part ✔️
Please take a look again
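To make the two review threads above concrete (parsing Grype's JSON report rather than its table output, and comparing a candidate image against the currently allowed one), here is an added example that is not code from this PR or the project. It assumes the Grype JSON layout `matches[].vulnerability.severity`, uses a constructed sample report, and implements one reading of the rule discussed: no count may grow and at least one must shrink, which also covers the reviewer's "one fewer critical, thousands more high" case.

```python
import json
from dataclasses import dataclass

# Constructed sample reports in the shape of `grype -o json` output
# (only the fields this example reads are included).
EXISTING_IMAGE_SCAN = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical"}, "artifact": {"name": "libx"}},
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "High"}, "artifact": {"name": "libx"}},
    {"vulnerability": {"id": "CVE-0000-0003", "severity": "High"}, "artifact": {"name": "liby"}},
    {"vulnerability": {"id": "CVE-0000-0004", "severity": "Medium"}, "artifact": {"name": "libz"}},
]})
CANDIDATE_IMAGE_SCAN = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "High"}, "artifact": {"name": "libx"}},
    {"vulnerability": {"id": "CVE-0000-0005", "severity": "Low"}, "artifact": {"name": "libz"}},
]})


@dataclass(frozen=True)
class Vulnerabilities:
    critical: int
    high: int


def parse_grype_json(report_text: str) -> Vulnerabilities:
    """Count Critical/High matches from Grype's JSON report.

    Reading the structured report avoids breaking when the human-readable
    table layout changes between Grype versions.
    """
    report = json.loads(report_text)
    counts = {"critical": 0, "high": 0}
    for match in report.get("matches", []):
        severity = match.get("vulnerability", {}).get("severity", "Unknown").lower()
        if severity in counts:
            counts[severity] += 1
    return Vulnerabilities(**counts)


def is_less_vulnerable(candidate: Vulnerabilities, existing: Vulnerabilities) -> bool:
    """Accept the candidate only if neither count regressed and at least one improved.

    This is an assumption about the policy, not the project's final heuristic:
    it rejects a trade of one fewer critical for many more high vulnerabilities.
    """
    no_regression = candidate.critical <= existing.critical and candidate.high <= existing.high
    improvement = candidate.critical < existing.critical or candidate.high < existing.high
    return no_regression and improvement


def accept_update(existing_report: str, candidate_report: str) -> bool:
    """Decide whether a rescanned candidate image may replace the allowed one."""
    return is_less_vulnerable(parse_grype_json(candidate_report), parse_grype_json(existing_report))
```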

@dnestoro dnestoro force-pushed the dnestoro/make-vulnerability-scanner-less-strict branch from a389f25 to efa2077 Compare September 23, 2025 13:24
Successfully merging this pull request may close these issues.

Make vulnerability scanner less strict when updating existing docker images