Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Incorrect cve fixed-in version coming in grype output #2253

Open
nehas4 opened this issue Nov 12, 2024 · 4 comments
Open

Incorrect cve fixed-in version coming in grype output #2253

nehas4 opened this issue Nov 12, 2024 · 4 comments
Labels
bug Something isn't working

Comments

@nehas4
Copy link

nehas4 commented Nov 12, 2024

What happened: After scanning one image with nodejs component (of 18 series) with version: 1:18.20.4-1.module+el9.4.0+22195+c221878e, reporting CVE-2024-27983 with fixed in version (of 20 series): 1:20.12.2-2.module+el9.4.0+21731+46b5b8a7 as shown below:

NAME | INSTALLED | FIXED-IN | TYPE | VULNERABILITY | SEVERITY
nodejs | 1:18.20.4-1.module+el9.4.0+22195+c221878e | 1:20.12.2-2.module+el9.4.0+21731+46b5b8a7 | rpm | CVE-2024-27983 | High

What you expected to happen: As per documentation (https://access.redhat.com/security/cve/CVE-2024-27983) this CVE: CVE-2024-27983, is present in nodejs 18 series and fixed in 18.20.2 version itself.
In grype DB we can see that below details for this CVE and we are suspecting that the above output is coming because of version constraint column data in DB.

ID | PACKAGE_NAME | NAMESPACE | PACKAGE_QUALIFIERS | VERSION_CONSTRAINT | CPES | RELATED_VULNERABILITIES | FIXED_IN_VERSIONS | FIX_STATE | ADVISORIES
871808 | CVE-2024-27983 | nodejs | redhat:distro:redhat:8 | [{"kind":"rpm-modularity","module":"nodejs:20"}] | < 1:20.12.2-2.module+el8.9.0+21743+0b3f1be2 | rpm |   | [{"id":"CVE-2024-27983","namespace":"nvd:cpe"}] | ["1:20.12.2-2.module+el8.9.0+21743+0b3f1be2"] | fixed | [{"id":"RHSA-2024:2778","link":"https://access.redhat.com/errata/RHSA-2024:2778"}]
871809 | CVE-2024-27983 | nodejs | redhat:distro:redhat:8 | [{"kind":"rpm-modularity","module":"nodejs:18"}] | < 1:18.20.2-1.module+el8.9.0+21767+537f34ee | rpm |   | [{"id":"CVE-2024-27983","namespace":"nvd:cpe"}] | ["1:18.20.2-1.module+el8.9.0+21767+537f34ee"] | fixed | [{"id":"RHSA-2024:2780","link":"https://access.redhat.com/errata/RHSA-2024:2780"}]
879028 | CVE-2024-27983 | nodejs | redhat:distro:redhat:9 | [{"kind":"rpm-modularity","module":"nodejs:18"}] | < 1:18.20.2-2.module+el9.4.0+21742+692df1ea | rpm |   | [{"id":"CVE-2024-27983","namespace":"nvd:cpe"}] | ["1:18.20.2-2.module+el9.4.0+21742+692df1ea"] | fixed | [{"id":"RHSA-2024:2779","link":"https://access.redhat.com/errata/RHSA-2024:2779"}]
879029 | CVE-2024-27983 | nodejs | redhat:distro:redhat:9 | [{"kind":"rpm-modularity","module":"nodejs:20"}] | < 1:20.12.2-2.module+el9.4.0+21731+46b5b8a7 | rpm |   | [{"id":"CVE-2024-27983","namespace":"nvd:cpe"}] | ["1:20.12.2-2.module+el9.4.0+21731+46b5b8a7"] | fixed | [{"id":"RHSA-2024:2853","link":"https://access.redhat.com/errata/RHSA-2024:2853"}]
879030 | CVE-2024-27983 | nodejs | redhat:distro:redhat:9 | [{"kind":"rpm-modularity"}] | < 1:16.20.2-8.el9_4 | rpm |   | [{"id":"CVE-2024-27983","namespace":"nvd:cpe"}] | ["1:16.20.2-8.el9_4"] | fixed | [{"id":"RHSA-2024:2910","link":"https://access.redhat.com/errata/RHSA-2024:2910"}]

We want to know if this grype output coming is correct with fixed-in version? And whether its coming because of the feed data into grype DB from redhat?

How to reproduce it (as minimally and precisely as possible): scan cyclonedx syft sbom of below nodejs image with nodejs component of 18.20.4 version with grype:

Issue coming for this image:
syft registry.access.redhat.com/ubi9/nodejs-18-minimal:1-129.1726695172 -o cyclonedx-json=syft_cyclonedx.json
grype sbom:syft_cyclonedx.json -o table=grype_output.txt

Correct data coming for below image:
syft registry.access.redhat.com/ubi9/nodejs-18-minimal:1-113.1714664725 -o cyclonedx-json=syft_cyclonedx.json
grype sbom:syft_cyclonedx.json -o table=grype_output.txt

Environment:

  • Grype version: grype 0.84.0
  • OS:
    NAME="Red Hat Enterprise Linux"
    VERSION="8.10 (Ootpa)"
    ID="rhel"
    ID_LIKE="fedora"
    VERSION_ID="8.10"
    PLATFORM_ID="platform:el8"
    PRETTY_NAME="Red Hat Enterprise Linux 8.10 (Ootpa)"
    ANSI_COLOR="0;31"
    CPE_NAME="cpe:/o:redhat:enterprise_linux:8::baseos"
    HOME_URL="https://www.redhat.com/"
    DOCUMENTATION_URL="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8"
    BUG_REPORT_URL="https://issues.redhat.com/"
    REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 8"
    REDHAT_BUGZILLA_PRODUCT_VERSION=8.10
    REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
    REDHAT_SUPPORT_PRODUCT_VERSION="8.10"
@nehas4 nehas4 added the bug Something isn't working label Nov 12, 2024
@westonsteimel
Copy link
Contributor

For anyone looking further at this, my guess is that the package modularity is not handled by syft with cyclonedx format and therefore grype can't choose the correct constraint based on package modularity so has to choose the highest version constraint.

@nehas4
Copy link
Author

nehas4 commented Nov 13, 2024

We have observed that we are getting different grype scan output when done with syft cyclonedx-json sbom and syft-json sbom. Below is one example:

grype scan output with cyclonedx-json sbom:

NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
nodejs 1:20.16.0-1.module+el9.4.0+22197+9e60f127 (won't fix) rpm CVE-2024-24806 Medium
nodejs 1:20.16.0-1.module+el9.4.0+22197+9e60f127 (won't fix) rpm CVE-2023-46809 Medium
nodejs 1:20.16.0-1.module+el9.4.0+22197+9e60f127 (won't fix) rpm CVE-2023-38552 Medium
nodejs 1:20.16.0-1.module+el9.4.0+22197+9e60f127 (won't fix) rpm CVE-2022-25883 Medium
nodejs 1:20.16.0-1.module+el9.4.0+22197+9e60f127 rpm CVE-2021-3807 Medium
nodejs 1:20.16.0-1.module+el9.4.0+22197+9e60f127 rpm CVE-2021-27290 Medium
nodejs 1:20.16.0-1.module+el9.4.0+22197+9e60f127 (won't fix) rpm CVE-2023-45143 Low
nodejs 1:20.16.0-1.module+el9.4.0+22197+9e60f127 (won't fix) rpm CVE-2023-39333 Low
nodejs-full-i18n 1:20.16.0-1.module+el9.4.0+22197+9e60f127 (won't fix) rpm CVE-2024-24806 Medium
nodejs-full-i18n 1:20.16.0-1.module+el9.4.0+22197+9e60f127 (won't fix) rpm CVE-2023-46809 Medium
nodejs-full-i18n 1:20.16.0-1.module+el9.4.0+22197+9e60f127 (won't fix) rpm CVE-2023-38552 Medium
nodejs-full-i18n 1:20.16.0-1.module+el9.4.0+22197+9e60f127 (won't fix) rpm CVE-2022-25883 Medium
nodejs-full-i18n 1:20.16.0-1.module+el9.4.0+22197+9e60f127 rpm CVE-2021-3807 Medium
nodejs-full-i18n 1:20.16.0-1.module+el9.4.0+22197+9e60f127 rpm CVE-2021-27290 Medium
nodejs-full-i18n 1:20.16.0-1.module+el9.4.0+22197+9e60f127 (won't fix) rpm CVE-2023-45143 Low
nodejs-full-i18n 1:20.16.0-1.module+el9.4.0+22197+9e60f127 (won't fix) rpm CVE-2023-39333 Low
nodejs-nodemon 3.0.1-1.module+el9.3.0.z+20478+84a9f781 (won't fix) rpm CVE-2022-25883 Medium
npm 1:10.8.1-1.20.16.0.1.module+el9.4.0+22197+9e60f127 (won't fix) rpm CVE-2024-24806 Medium
npm 1:10.8.1-1.20.16.0.1.module+el9.4.0+22197+9e60f127 (won't fix) rpm CVE-2023-46809 Medium
npm 1:10.8.1-1.20.16.0.1.module+el9.4.0+22197+9e60f127 (won't fix) rpm CVE-2023-38552 Medium
npm 1:10.8.1-1.20.16.0.1.module+el9.4.0+22197+9e60f127 (won't fix) rpm CVE-2022-25883 Medium
npm 1:10.8.1-1.20.16.0.1.module+el9.4.0+22197+9e60f127 rpm CVE-2021-3807 Medium
npm 1:10.8.1-1.20.16.0.1.module+el9.4.0+22197+9e60f127 rpm CVE-2021-27290 Medium
npm 1:10.8.1-1.20.16.0.1.module+el9.4.0+22197+9e60f127 (won't fix) rpm CVE-2023-45143 Low
npm 1:10.8.1-1.20.16.0.1.module+el9.4.0+22197+9e60f127 (won't fix) rpm CVE-2023-39333 Low

grype scan output with syft-json sbom:

NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
nodejs 1:20.16.0-1.module+el9.4.0+22197+9e60f127 rpm CVE-2023-38552 Medium
nodejs 1:20.16.0-1.module+el9.4.0+22197+9e60f127 rpm CVE-2023-45143 Low
nodejs-full-i18n 1:20.16.0-1.module+el9.4.0+22197+9e60f127 rpm CVE-2023-38552 Medium
nodejs-full-i18n 1:20.16.0-1.module+el9.4.0+22197+9e60f127 rpm CVE-2023-45143 Low
npm 1:10.8.1-1.20.16.0.1.module+el9.4.0+22197+9e60f127 rpm CVE-2023-38552 Medium
npm 1:10.8.1-1.20.16.0.1.module+el9.4.0+22197+9e60f127 rpm CVE-2023-45143 Low

With syft-json sbom as input, grype giving less listing as shown above. Is it because of more detailed breakdowns coming in syft-json?

cyclonedx cpes:
"cpe": "cpe:2.3:a:nodejs:nodejs:1\:20.16.0-1.module\+el9.4.0\+22197\+9e60f127:::::::*",

syft-json cpes:
"cpes": [
{
"cpe": "cpe:2.3:a:nodejs:nodejs:1\:20.16.0-1.module\+el9.4.0\+22197\+9e60f127:::::::",
"source": "syft-generated"
},
{
"cpe": "cpe:2.3:a:redhat:nodejs:1\:20.16.0-1.module\+el9.4.0\+22197\+9e60f127:
::::::",
"source": "syft-generated"
}
],

@willmurphyscode
Copy link
Contributor

This is very similar to #2264 - we should discuss them together.

@willmurphyscode
Copy link
Contributor

The next step here is to investigate this as a bug, probably guided by @westonsteimel 's comment: #2253 (comment)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
Status: Backlog
Development

No branches or pull requests

3 participants