Incorrect CVE fixed-in version coming in grype output #2253
Comments
For anyone looking further at this, my guess is that the package modularity is not handled by syft with cyclonedx format and therefore grype can't choose the correct constraint based on package modularity so has to choose the highest version constraint.
We have observed that we are getting different grype scan output when done with a syft cyclonedx-json SBOM and a syft-json SBOM. Below is one example:

grype scan output with cyclonedx-json SBOM:

NAME | INSTALLED | FIXED-IN | TYPE | VULNERABILITY | SEVERITY

grype scan output with syft-json SBOM:

NAME | INSTALLED | FIXED-IN | TYPE | VULNERABILITY | SEVERITY

With the syft-json SBOM as input, grype gives a shorter listing, as shown above. Is it because of the more detailed breakdowns coming in syft-json?

cyclonedx cpes:

syft-json cpes:
This is very similar to #2264 - we should discuss them together.
The next step here is to investigate this as a bug, probably guided by @westonsteimel 's comment: #2253 (comment)
What happened: After scanning one image with a nodejs component (of the 18 series) with version 1:18.20.4-1.module+el9.4.0+22195+c221878e, grype reports CVE-2024-27983 with a fixed-in version of the 20 series, 1:20.12.2-2.module+el9.4.0+21731+46b5b8a7, as shown below:

| NAME | INSTALLED | FIXED-IN | TYPE | VULNERABILITY | SEVERITY |
|---|---|---|---|---|---|
| nodejs | 1:18.20.4-1.module+el9.4.0+22195+c221878e | 1:20.12.2-2.module+el9.4.0+21731+46b5b8a7 | rpm | CVE-2024-27983 | High |
What you expected to happen: As per the documentation (https://access.redhat.com/security/cve/CVE-2024-27983), this CVE, CVE-2024-27983, is present in the nodejs 18 series and fixed in version 18.20.2 itself.

In the grype DB we can see the details below for this CVE, and we suspect that the above output is caused by the version constraint column data in the DB.
| PK | ID | PACKAGE_NAME | NAMESPACE | PACKAGE_QUALIFIERS | VERSION_CONSTRAINT | VERSION_FORMAT | CPES | RELATED_VULNERABILITIES | FIXED_IN_VERSIONS | FIX_STATE | ADVISORIES |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 871808 | CVE-2024-27983 | nodejs | redhat:distro:redhat:8 | [{"kind":"rpm-modularity","module":"nodejs:20"}] | < 1:20.12.2-2.module+el8.9.0+21743+0b3f1be2 | rpm | | [{"id":"CVE-2024-27983","namespace":"nvd:cpe"}] | ["1:20.12.2-2.module+el8.9.0+21743+0b3f1be2"] | fixed | [{"id":"RHSA-2024:2778","link":"https://access.redhat.com/errata/RHSA-2024:2778"}] |
| 871809 | CVE-2024-27983 | nodejs | redhat:distro:redhat:8 | [{"kind":"rpm-modularity","module":"nodejs:18"}] | < 1:18.20.2-1.module+el8.9.0+21767+537f34ee | rpm | | [{"id":"CVE-2024-27983","namespace":"nvd:cpe"}] | ["1:18.20.2-1.module+el8.9.0+21767+537f34ee"] | fixed | [{"id":"RHSA-2024:2780","link":"https://access.redhat.com/errata/RHSA-2024:2780"}] |
| 879028 | CVE-2024-27983 | nodejs | redhat:distro:redhat:9 | [{"kind":"rpm-modularity","module":"nodejs:18"}] | < 1:18.20.2-2.module+el9.4.0+21742+692df1ea | rpm | | [{"id":"CVE-2024-27983","namespace":"nvd:cpe"}] | ["1:18.20.2-2.module+el9.4.0+21742+692df1ea"] | fixed | [{"id":"RHSA-2024:2779","link":"https://access.redhat.com/errata/RHSA-2024:2779"}] |
| 879029 | CVE-2024-27983 | nodejs | redhat:distro:redhat:9 | [{"kind":"rpm-modularity","module":"nodejs:20"}] | < 1:20.12.2-2.module+el9.4.0+21731+46b5b8a7 | rpm | | [{"id":"CVE-2024-27983","namespace":"nvd:cpe"}] | ["1:20.12.2-2.module+el9.4.0+21731+46b5b8a7"] | fixed | [{"id":"RHSA-2024:2853","link":"https://access.redhat.com/errata/RHSA-2024:2853"}] |
| 879030 | CVE-2024-27983 | nodejs | redhat:distro:redhat:9 | [{"kind":"rpm-modularity"}] | < 1:16.20.2-8.el9_4 | rpm | | [{"id":"CVE-2024-27983","namespace":"nvd:cpe"}] | ["1:16.20.2-8.el9_4"] | fixed | [{"id":"RHSA-2024:2910","link":"https://access.redhat.com/errata/RHSA-2024:2910"}] |
We want to know whether this grype output, with this fixed-in version, is correct, and whether it is caused by the feed data coming into the grype DB from Red Hat.
How to reproduce it (as minimally and precisely as possible): scan the cyclonedx syft SBOM of the nodejs image below (nodejs component version 18.20.4) with grype.

The issue occurs for this image:

```
syft registry.access.redhat.com/ubi9/nodejs-18-minimal:1-129.1726695172 -o cyclonedx-json=syft_cyclonedx.json
grype sbom:syft_cyclonedx.json -o table=grype_output.txt
```

Correct data comes back for this image:

```
syft registry.access.redhat.com/ubi9/nodejs-18-minimal:1-113.1714664725 -o cyclonedx-json=syft_cyclonedx.json
grype sbom:syft_cyclonedx.json -o table=grype_output.txt
```
Environment:

```
NAME="Red Hat Enterprise Linux"
VERSION="8.10 (Ootpa)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="8.10"
PLATFORM_ID="platform:el8"
PRETTY_NAME="Red Hat Enterprise Linux 8.10 (Ootpa)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:8::baseos"
HOME_URL="https://www.redhat.com/"
DOCUMENTATION_URL="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8"
BUG_REPORT_URL="https://issues.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 8"
REDHAT_BUGZILLA_PRODUCT_VERSION=8.10
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="8.10"
```
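To make the suspected selection failure concrete, here is a small Python model (an added example, not grype's or syft's code) that evaluates the RHEL 9 DB rows quoted in the report against the installed nodejs EVR, once with the package's module stream known and once without. The EVR comparison is a simplified rpmvercmp and the matching rule (a module-qualified row only matches a package on the same stream; with no stream information every row stays a candidate) is an assumption about the matcher, not grype's actual logic.

```python
import re
from functools import cmp_to_key

# Constructed from the RHEL 9 rows of the grype DB listing in the issue for CVE-2024-27983.
DB_ROWS = [
    {"namespace": "redhat:distro:redhat:9", "module": "nodejs:18",
     "fixed_in": "1:18.20.2-2.module+el9.4.0+21742+692df1ea"},
    {"namespace": "redhat:distro:redhat:9", "module": "nodejs:20",
     "fixed_in": "1:20.12.2-2.module+el9.4.0+21731+46b5b8a7"},
    {"namespace": "redhat:distro:redhat:9", "module": None,
     "fixed_in": "1:16.20.2-8.el9_4"},
]
INSTALLED = "1:18.20.4-1.module+el9.4.0+22195+c221878e"  # installed EVR from the issue's table

def split_evr(evr):
    """Split an rpm EVR string into (epoch, version, release); epoch defaults to 0."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, _, release = rest.partition("-")
    return int(epoch), version, release

def _segments(s):
    # rpmvercmp-style tokenisation: runs of digits and runs of letters, separators dropped
    return re.findall(r"\d+|[A-Za-z]+", s)

def vercmp(a, b):
    """Simplified rpmvercmp: -1, 0 or 1 (numeric segments beat alphabetic ones; longer wins)."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evrcmp(a, b):
    ea, va, ra = split_evr(a)
    eb, vb, rb = split_evr(b)
    return (ea > eb) - (ea < eb) or vercmp(va, vb) or vercmp(ra, rb)

def matching_fixes(installed, namespace, module):
    """Fixed-in versions of every '< fixed_in' constraint that flags `installed`, highest first.
    module=None models an SBOM carrying no rpm-modularity qualifier: no row can be excluded."""
    hits = [r["fixed_in"] for r in DB_ROWS
            if r["namespace"] == namespace
            and (module is None or r["module"] == module)
            and evrcmp(installed, r["fixed_in"]) < 0]
    return sorted(hits, key=cmp_to_key(evrcmp), reverse=True)

if __name__ == "__main__":
    print("with module nodejs:18:", matching_fixes(INSTALLED, "redhat:distro:redhat:9", "nodejs:18"))
    print("without modularity:   ", matching_fixes(INSTALLED, "redhat:distro:redhat:9", None))
```

With the stream known the 18.20.4 package is correctly not flagged; without it the nodejs:20 row survives and its fixed-in version is the one that ends up in the report, which is the behaviour the comment above describes.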