* feat: disable CPE-based matching for GHSA ecosystems by default
Disables CPE-based matching for ecosystems which are covered by GitHub
Security Advisories. Also adds a separate rust matcher and related
configuration to allow configuring CPE-based matching off for it while
still leaving it on for the stock matcher.
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* chore: use --by-cve with quality gate comparison
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* chore: add rust auditable binary match integration test
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
---------
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
Adds support for a `package_qualifiers` column to allow evaluating package matches to vulnerabilities based on more than just version constraints. Currently adds an rpm-modularity qualifier in order to support matching to correct app stream module in order to reduce false positives within rpm-based distro ecosystems. In order to prevent an increase in false positive matches for previous versions of grype using the v4 schema, this change (along with the vulnerability source driver parser updates) requires bumping the schema to v5.
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
