chore: add FP issue template #2843
Conversation
Signed-off-by: Keith Zantow <[email protected]>
| @@ -0,0 +1,32 @@ | |||
| --- | |||
| name: False Positive | |||
| about: Report an incorrect vulnerability match | |||
There was a problem hiding this comment.
This sounds like it could be an FP or an FN. What about something like, "report that Grype detects a vulnerability not actually present"? Not a deal breaker, just trying to be clear about what an FP is since it's not necessarily a term everyone uses every day.
There was a problem hiding this comment.
Will we also have a False Negative template? I think it would make sense to have both
|
|
||
| **Package URL (PURL) or steps to reproduce**: | ||
| <!-- | ||
| If possible, please provide a PURL. |
There was a problem hiding this comment.
This could use an example. Maybe mention of distro flag too.
| Please also include the grype command and any configuration used. | ||
| --> | ||
|
|
||
| **Anything else we need to know?**: |
There was a problem hiding this comment.
I would add a section here (or maybe at the top) asking for an explanation. URLs are encouraged. So for example we could get something like "CVE-WHATEVER only affects foobar version 3.10 according to the advisory at URL, but grype is claiming version 3.56 is vulnerable"
This PR adds a new issue template to report false positives that both labels them appropriately and encourages providing a PURL to make analysis simpler.