CPE search failed when considering target software for unknown package type · Issue #2434 · anchore/grype · GitHub
asadjaffar opened this issue Feb 11, 2025 · 3 comments · Fixed by #2438
Closed

Labels
bug Something isn't working

Comments

@asadjaffar

Hello, I am using grype for scanning an SBOM:

      "url": ["https://owasp.org/"]
    },
    "component": {
      "bom-ref": "REF-juiceshop",
      "type": "application",
      "name": "OWASP Dependency-Track",
      "version": "4.12.3",
      "author": "OWASP",
      "publisher": "OWASP",
      "supplier": {"name": "OWASP"},
      "copyright": "Apache 2.0"
    },
    "licenses": [ {"license": {"id": "CC-BY-4.0"} } ],
    "properties": [
      {
        "name": "comment",
        "value": "Minimal SBOM for research and education"
      }
    ]
  },
  "components": [
    {
      "bom-ref": "REF-lucene",
      "type": "library",
      "name": "lucene",
      "version": "8.11.4",
      "cpe": "cpe:2.3:a:apache:lucene:8.11.4:::::::*"
    }
  ],
  "dependencies": [
    {
      "ref": "REF-juiceshop",
      "dependsOn": ["REF-lucene"]
    }
  ],
  "vulnerabilities": []
}

But grype shows no CVE when scanned, as I know that CPE tracks to a CVE. Any idea why I am not able to get a result out of this? I already tried turning CPE for Java to true in the config, but it still doesn't report a CVE.

@popey
Contributor
popey commented Feb 11, 2025

Hi there! Thanks for the issue. How was the SBOM created? What's pasted above doesn't look like a full SBOM, just a snippet. Can you share the entire SBOM file?

@asadjaffar
Author
asadjaffar commented Feb 11, 2025
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:582f1a2e-79bf-4689-b2e6-7d4729ea9358",
  "version": 1,
  "metadata": {
    "timestamp": "2024-01-29T12:51:10Z",
    "tools": {
    },
    "authors": [
      {
        "name": "Martin Rosso",
        "email": "martin.rosso@unipd.it"
      }
    ],
    "manufacturer": {
      "name": "Universita degli Studi di Padova, Dipartimento di Matematica",
      "address": {
        "country": "Italy",
        "locality": "Padua"
      },
      "url": ["https://www.math.unipd.it/"]
    },
    "supplier": {
      "name": "OWASP",
      "url": ["https://owasp.org/"]
    },
    "component": {
      "bom-ref": "REF-juiceshop",
      "type": "application",
      "name": "OWASP Juice Shop",
      "version": "14.3.0",
      "author": "OWASP",
      "publisher": "OWASP",
      "supplier": {"name": "OWASP"},
      "copyright": "MIT"
    },
    "licenses": [ {"license": {"id": "CC-BY-4.0"} } ],
    "properties": [
      {
        "name": "comment",
        "value": "Minimal SBOM for research and education"
      }
    ]
  },
  "components": [
    {
      "bom-ref": "REF-multer",
      "type": "library",
      "name": "multer",
      "version": "1.4.2"
    },
    {
      "bom-ref": "REF-dicer",
      "type": "library",
      "name": "dicer",
      "version": "0.3.1",
      "cpe": "cpe:2.3:a:dicer_project:dicer:0.3.1:*:*:*:*:node.js:*:*"
    }
  ],
  "dependencies": [
    {
      "ref": "REF-juiceshop",
      "dependsOn": ["REF-multer"]
    },
    {
      "ref": "REF-multer",
      "dependsOn": ["REF-dicer"]
    }
  ],
  "vulnerabilities": []
}

@popey
Contributor
popey commented Feb 11, 2025

Thanks, I see that's in nvd and has CVE-2024-24434 assigned.

Grype knows about this CVE.

grype db search CVE-2022-24434
ID              PACKAGE NAME  NAMESPACE  VERSION CONSTRAINT
CVE-2022-24434  dicer         nvd:cpe    none (unknown)

I don't know why it doesn't find it.

 grype bom.json
 ✔ Scanned for vulnerabilities     [0 vulnerability matches]
   ├── by severity: 0 critical, 0 high, 0 medium, 0 low, 0 negligible
   └── by status:   0 fixed, 0 not-fixed, 0 ignored
[0000]  WARN attempted CPE search on OWASP Juice Shop, which has no CPEs. Consider re-running with --add-cpes-if-none
[0000]  WARN attempted CPE search on multer, which has no CPEs. Consider re-running with --add-cpes-if-none
No vulnerabilities found
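As an added illustration, not code from this issue or from grype itself: a small Python preflight over a CycloneDX component list that parses each CPE 2.3 string, reports components with no purl (package type unknown to the scanner) or no CPE (the condition behind the two warnings above), and flags a CPE whose target_sw is set while the package type is unknown, the combination the issue title describes. The sample SBOM is constructed from the components posted above, and the function names are mine.

```python
import json

# Field names of a CPE 2.3 formatted string after the "cpe:2.3" prefix.
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")

def parse_cpe23(cpe):
    """Split a CPE 2.3 string into a dict; ValueError when malformed.
    Simplification: a plain ':' split, escaped colons inside values are not handled."""
    parts = cpe.split(":")
    if len(parts) != 13 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a 13-field CPE 2.3 string: {cpe}")
    fields = dict(zip(CPE_FIELDS, parts[2:]))
    empty = [k for k, v in fields.items() if v == ""]
    if empty:  # e.g. the lucene CPE in the first comment leaves fields blank
        raise ValueError(f"empty CPE fields (use '*' or '-'): {empty}")
    return fields

def check_component(comp):
    """Return findings describing why a CPE search may fail for one component."""
    name, findings = comp.get("name", "?"), []
    if "purl" not in comp:
        findings.append(f"{name}: no purl, so the package type is unknown to the scanner")
    cpe = comp.get("cpe")
    if cpe is None:
        return findings + [f"{name}: no cpe, nothing for a CPE/NVD search to use"]
    try:
        target_sw = parse_cpe23(cpe)["target_sw"]
    except ValueError as err:
        return findings + [f"{name}: {err}"]
    if target_sw not in ("*", "-") and "purl" not in comp:
        findings.append(f"{name}: target_sw={target_sw!r} cannot be reconciled "
                        "with an unknown package type")
    return findings

def check_sbom(text):
    """Run check_component over every component of a CycloneDX JSON document."""
    return [f for c in json.loads(text).get("components", []) for f in check_component(c)]

# Constructed sample: the multer and dicer components from the full SBOM above
# plus the lucene CPE from the first comment, which leaves fields blank.
SAMPLE_SBOM = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.6", "components": [
    {"name": "multer", "version": "1.4.2"},
    {"name": "dicer", "version": "0.3.1",
     "cpe": "cpe:2.3:a:dicer_project:dicer:0.3.1:*:*:*:*:node.js:*:*"},
    {"name": "lucene", "version": "8.11.4", "cpe": "cpe:2.3:a:apache:lucene:8.11.4:::::::*"},
]})

if __name__ == "__main__":
    print("\n".join(check_sbom(SAMPLE_SBOM)))
```

Adding a purl to a component (or passing --add-cpes-if-none, as the warning suggests) changes what the check reports, which is a quick way to see which of the two gaps a given component has.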

@github-project-automation github-project-automation bot moved this to Done in OSS Feb 11, 2025
@wagoodman wagoodman changed the title cpe search failed CPE search failed when considering target software for unknown package type Mar 4, 2025
@wagoodman wagoodman added the bug Something isn't working label Mar 5, 2025