
Conversation

@divolgin
Contributor

@divolgin divolgin commented Dec 2, 2025

Hello, we'd like to add support for a secureos provider. This is the provider for images from securebuild.com.

This distro uses APK packages, and the provider is modeled after the Alpine provider.

Relevant grype PR: anchore/grype#3086
Relevant grype-db PR: anchore/grype-db#765

@squizzi

squizzi commented Jan 21, 2026

The quality gate passes locally:

uv run yardstick validate --result-set pr_vs_latest_via_sbom_secureos
Loading label entries...done! 5 entries loaded
Validating with 'pr_vs_latest_via_sbom_secureos'
2026-01-21 11:10:16,207 [INFO] only considering matches from allowed namespaces: secureos:distro:secureos:rolling nvd:cpe
2026-01-21 11:10:16,207 [INFO] Testing image: 'registry.replicated.com/library/grype-test@sha256:3339bcd874d21fa3ca5bd20636e793c0c33bd71ace3a18a9a3b3d147b91dd000' with 'syft@latest, grype@github.com/securebuildhq/grype@divolgin/secureos+import-db=build/vulnerability.db, grype@github.com/securebuildhq/grype@divolgin/secureos+import-db=https://grype.anchore.io/databases/v6/vulnerability-db_v6.0.2_2025-07-10T01:31:11Z_1752120925.tar.zst'
   Results used for image registry.replicated.com/library/grype-test@sha256:3339bcd874d21fa3ca5bd20636e793c0c33bd71ace3a18a9a3b3d147b91dd000:
    ├── ea149fe1-074e-4d0a-b9cf-623062e1c7d1 : grype[custom-db]@0091f347 (custom-db)  against registry.replicated.com/library/grype-test@sha256:3339bcd874d21fa3ca5bd20636e793c0c33bd71ace3a18a9a3b3d147b91dd000
    └── 927e68b9-1c5c-49a4-8bed-f90e13e481d5 : grype[reference]@0091f347 (reference)  against registry.replicated.com/library/grype-test@sha256:3339bcd874d21fa3ca5bd20636e793c0c33bd71ace3a18a9a3b3d147b91dd000
--------------------------------------------------------------------------------

Quality gate passed!

Waiting for anchore/vulnerability-match-labels#170 to be merged so I can update this PR and have the tests run here.

@willmurphyscode willmurphyscode self-assigned this Jan 26, 2026

p.update(None)

assert workspace.num_result_entries() == 155
Contributor

We probably do not need 155 example JSON files for this provider. Does it make sense to come up with a representative subset?


I've lowered this to a subset of 17 JSON files, which should provide adequate coverage.

@squizzi squizzi force-pushed the divolgin/secureos-provider branch from 400c34b to 6dca6fd Compare January 27, 2026 19:48
@squizzi

squizzi commented Jan 27, 2026

@willmurphyscode I've updated each of the associated PRs based on our discussion this morning and updated the match labels as well. The quality gate is still passing locally with the label update:

uv tool run yardstick validate --result-set pr_vs_latest_via_sbom_secureos
Loading label entries...done! 5 entries loaded
Validating with 'pr_vs_latest_via_sbom_secureos'
2026-01-27 14:21:57,635 [INFO] only considering matches from allowed namespaces: secureos:distro:secureos:rolling nvd:cpe
2026-01-27 14:21:57,635 [INFO] Testing image: 'registry.replicated.com/library/grype-test@sha256:3339bcd874d21fa3ca5bd20636e793c0c33bd71ace3a18a9a3b3d147b91dd000' with 'syft@latest, grype@github.com/securebuildhq/grype@divolgin/secureos+import-db=build/vulnerability.db, grype@github.com/securebuildhq/grype@divolgin/secureos+import-db=https://grype.anchore.io/databases/v6/vulnerability-db_v6.0.2_2025-07-10T01:31:11Z_1752120925.tar.zst'
   Results used for image registry.replicated.com/library/grype-test@sha256:3339bcd874d21fa3ca5bd20636e793c0c33bd71ace3a18a9a3b3d147b91dd000:
    ├── c18aa66d-0ca5-4f5f-8d5f-017d48ae40b9 : grype[custom-db]@0091f347 (custom-db)  against registry.replicated.com/library/grype-test@sha256:3339bcd874d21fa3ca5bd20636e793c0c33bd71ace3a18a9a3b3d147b91dd000
    └── b560cd43-0e23-4ea0-9034-1d721a3d3f3f : grype[reference]@0091f347 (reference)  against registry.replicated.com/library/grype-test@sha256:3339bcd874d21fa3ca5bd20636e793c0c33bd71ace3a18a9a3b3d147b91dd000
--------------------------------------------------------------------------------

Quality gate passed!

Let me know if you need anything further from us around these.

@willmurphyscode willmurphyscode changed the base branch from main to secureos-merge January 28, 2026 18:34
@willmurphyscode willmurphyscode added the enhancement New feature or request label Jan 28, 2026
@willmurphyscode willmurphyscode merged commit a69782b into anchore:secureos-merge Jan 28, 2026
2 checks passed
willmurphyscode pushed a commit that referenced this pull request Jan 28, 2026
* secureos provider

Signed-off-by: divolgin <[email protected]>

* Use VulnerableRange when fixes are applied in different revisions of the same version

Signed-off-by: divolgin <[email protected]>

* test: add SecureOS provider to quality gate config

Signed-off-by: Kyle Squizzato <[email protected]>

* test: Only use a subset of fixtures

Signed-off-by: Kyle Squizzato <[email protected]>

* test: Update commit for vulnerability-match-labels

Signed-off-by: Kyle Squizzato <[email protected]>

---------

Signed-off-by: divolgin <[email protected]>
Signed-off-by: Kyle Squizzato <[email protected]>
Co-authored-by: Kyle Squizzato <[email protected]>
Signed-off-by: Will Murphy <[email protected]>
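The commit message above mentions switching to a vulnerable range when fixes land in different revisions of the same APK version. As an added example (not vunnel, grype or SecureOS code), the block below shows why a single "fixed in" version cannot express that case and how half-open ranges over APK-style versions can. The simplified version grammar, the sample ranges and all function names are assumptions for illustration; the real apk-tools comparator handles more cases than this.

```python
"""Added illustration: APK-style version ordering and half-open vulnerable ranges.

Assumption: a reduced APK version grammar of the form
    digits[.digits]* [a-z] [_alpha|_beta|_pre|_rc|_p [N]] [-rN]
which is enough to show revision handling; it is not the full apk-tools comparator.
"""
import re

# Pre-release suffixes sort before the bare version, _p (post) sorts after it.
_SUFFIX_RANK = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, None: 4, "p": 5}

_APK_RE = re.compile(
    r"^(?P<nums>\d+(?:\.\d+)*)"
    r"(?P<letter>[a-z])?"
    r"(?:_(?P<suffix>alpha|beta|pre|rc|p)(?P<sufnum>\d+)?)?"
    r"(?:-r(?P<rev>\d+))?$"
)


def apk_key(version: str) -> tuple:
    """Sortable key for a simplified APK version string.

    Numeric components compare as integers (1.2 < 1.2.0 because the longer
    tuple wins), then the optional letter, then the _suffix class and number,
    and finally the -rN package revision (missing revision counts as r0).
    """
    m = _APK_RE.match(version)
    if not m:
        raise ValueError(f"not an APK-style version: {version!r}")
    nums = tuple(int(n) for n in m["nums"].split("."))
    letter = (ord(m["letter"]) - ord("a") + 1) if m["letter"] else 0
    suffix = _SUFFIX_RANK[m["suffix"]]
    sufnum = int(m["sufnum"] or 0)
    rev = int(m["rev"] or 0)
    return (nums, letter, suffix, sufnum, rev)


def apk_compare(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is older than, equal to, or newer than b."""
    ka, kb = apk_key(a), apk_key(b)
    return (ka > kb) - (ka < kb)


def in_range(version: str, lo, hi) -> bool:
    """True when lo <= version < hi; None on either side means unbounded."""
    k = apk_key(version)
    if lo is not None and k < apk_key(lo):
        return False
    if hi is not None and k >= apk_key(hi):
        return False
    return True


def vulnerable_by_fixed_version(installed: str, fixed: str) -> bool:
    """The single-fixed-version model: anything older than the fix is affected."""
    return apk_compare(installed, fixed) < 0


def vulnerable_by_ranges(installed: str, ranges) -> bool:
    """The range model: affected if the installed version falls in any [lo, hi)."""
    return any(in_range(installed, lo, hi) for lo, hi in ranges)


# Constructed scenario (assumption, not real SecureOS data): the issue was fixed
# in 1.2.3-r1, reappeared in 1.2.3-r2 and was fixed again in 1.2.3-r3.
SAMPLE_RANGES = [(None, "1.2.3-r1"), ("1.2.3-r2", "1.2.3-r3")]


def demo() -> dict:
    """Compare the two models across the four revisions of 1.2.3."""
    results = {}
    for installed in ("1.2.3-r0", "1.2.3-r1", "1.2.3-r2", "1.2.3-r3"):
        results[installed] = {
            "fixed=r1": vulnerable_by_fixed_version(installed, "1.2.3-r1"),
            "fixed=r3": vulnerable_by_fixed_version(installed, "1.2.3-r3"),
            "ranges": vulnerable_by_ranges(installed, SAMPLE_RANGES),
        }
    return results


if __name__ == "__main__":
    for version, verdicts in demo().items():
        print(version, verdicts)
```

Picking "fixed in 1.2.3-r1" misses the regressed 1.2.3-r2 (a false negative), while picking "fixed in 1.2.3-r3" flags the already-patched 1.2.3-r1 (a false positive); only the explicit ranges give the right answer for every revision, which is the situation the range-based record is meant to handle.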

Labels

enhancement New feature or request


3 participants