
fix: track alpine rejections#1023

Merged
willmurphyscode merged 1 commit intomainfrom
fix-alpine-sec-rejections
Jan 29, 2026

Conversation

@willmurphyscode
Contributor

Alpine Linux has a separate repo where they reject CVEs that don't merit
further investigation or being tagged in their build system, such as
CVEs that are disputed upstream, or affect a package that coincidentally
has the same name as an APK. Previously, these extra rejections were
missed by vunnel, resulting in false positives in Grype. Therefore, pull
in these packages and emit NAKs for them for every Alpine version.

Fixes #1012

Alpine Linux has a separate repo where they reject CVEs that don't merit
further investigation or being tagged in their build system, such as
CVEs that are disputed upstream, or affect a package that coincidentally
has the same name as an APK. Previously, these extra rejections were
missed by vunnel, resulting in false positives in Grype. Therefore, pull
in these packages and emit NAKs for them for every Alpine version.

Signed-off-by: Will Murphy <[email protected]>
@willmurphyscode willmurphyscode added the run-pr-quality-gate Triggers running of quality gate on PRs label Jan 29, 2026

The security-rejections repository contains CVEs that Alpine has determined
do not affect Alpine packages (false positives). These are emitted as NAK
entries with Version: "0" to filter NVD CPE matches.
Contributor


APK NAKs need to have a constraint of < 0, I don't see where this may be added to the record, am I missing it or does it need to be added?

Or do these records end up in the unaffected_package_handles table somehow?

Contributor Author


Contributor


Ah, got it -- it's a fix version of 0 which implies "vulnerable constraint" < 0 👍
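The mechanism the thread settles on, as an added example that is not vunnel's own code: rejected (package, CVE) pairs are expanded into one NAK record per Alpine release with a fixed-in version of "0", and the resulting "< 0" vulnerable constraint is checked against realistic APK versions. The rejection input shape, the release list and the simplified version comparison are assumptions made for this example, not the real security-rejections format.

```python
"""Added example: emit Alpine NAK records and show why fixed-in "0" means
a "< 0" vulnerable range that no installed package version can satisfy."""
import re

# Constructed sample input (assumption): package name -> CVEs Alpine rejected.
REJECTIONS = {
    "examplepkg": ["CVE-2000-0001", "CVE-2000-0002"],
    "otherpkg": ["CVE-2000-0003"],
}
# Constructed list of releases the NAKs are emitted for (assumption).
ALPINE_VERSIONS = ["3.19", "3.20", "3.21"]


def build_nak_records(rejections, alpine_versions):
    """One NAK record per (CVE, package, release), each with fixed_version "0"."""
    records = []
    for pkg, cves in rejections.items():
        for cve in cves:
            for release in alpine_versions:
                records.append({
                    "cve": cve,
                    "package": pkg,
                    "namespace": f"alpine:{release}",
                    "fixed_version": "0",  # implies vulnerable constraint "< 0"
                    "nak": True,
                })
    return records


def vulnerable_constraint(record):
    """The vulnerable range a matcher derives from a fixed-in version."""
    return f"< {record['fixed_version']}"


def _version_key(version):
    # Simplified APK-style ordering (assumption): compare numeric runs only,
    # so "1.2.3-r1" -> (1, 2, 3, 1) and "0" -> (0,).
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_vulnerable(installed, fixed_version):
    """Installed version is vulnerable only when it sorts below the fix."""
    return _version_key(installed) < _version_key(fixed_version)


if __name__ == "__main__":
    for rec in build_nak_records(REJECTIONS, ALPINE_VERSIONS):
        print(rec["namespace"], rec["package"], rec["cve"], vulnerable_constraint(rec))
    print(is_vulnerable("1.2.3-r1", "0"))  # False: nothing is below "0"
```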

@willmurphyscode willmurphyscode merged commit 029948e into main Jan 29, 2026
16 checks passed
@willmurphyscode willmurphyscode deleted the fix-alpine-sec-rejections branch January 29, 2026 14:49

Successfully merging this pull request may close these issues.

alpine: consider the security-rejections data
