use Syft for decoding CPEs#3058
Conversation
chovanecadam
force-pushed
the
feat-list-cpes
branch
from
607fda8 to
1e53ba3
Compare
| }{ | ||
| { | ||
| name: "takes a single cpe", | ||
| userInput: "cpe:/a:apache:log4j:2.14.1", |
There was a problem hiding this comment.
I think most of this test can be removed, but we should leave at least one cpe: example to validate that it is correctly returning the expected package; maybe one with each CPE format cpe:2.3:a:apache:log4j:2.14.1:*:*:*:*:*:*:* and cpe:/a:apache:log4j:2.14.1. I think this single-CPE case is not tested if this file is removed, is it tested elsewhere?
There was a problem hiding this comment.
The file with test cases is in Syft already (see here), so I removed it to not replicate code. I can add a few sanity-check test cases for a single CPEs in both formats and multiple CPEs. Sounds good?
There was a problem hiding this comment.
Right, acknowledge that Syft testing is important and handles most of the cases, but by removing this test file we don't have anything directly testing this cpeProvider, right?
There was a problem hiding this comment.
agreed, will do
Signed-off-by: Adam Chovanec <git@adamchovanec.cz>
Signed-off-by: Adam Chovanec <git@adamchovanec.cz>
chovanecadam
force-pushed
the
feat-list-cpes
branch
from
1e53ba3 to
4501ddf
Compare
|
How can we move this forward? Is there anything I can do? @kzantow |
Signed-off-by: Keith Zantow <kzantow@gmail.com>
kzantow
left a comment
kzantow
left a comment
There was a problem hiding this comment.
Sorry for the delay on this; thanks for making the requested updates! I pushed one small change to restore a test of specifying CPE 2.3, I hope you don't mind.
2 participants
Makes use of new API in Syft for decoding CPEs and enables reading a file with CPEs for scan.
I deleted tests in
grype/pkg/cpe_provider_test.goas they are the same as in syft (see here). It doesn't make sense to me to have the same test the same functionality in two places, but let me know if you want it some other way.