Grype results set a vulnerability as its own related vulnerability · Issue #2514 · anchore/grype · GitHub

Grype results set a vulnerability as its own related vulnerability #2514


Closed
luhring opened this issue Mar 7, 2025 · 2 comments · Fixed by #2515
Assignees
Labels
bug Something isn't working

Comments

@luhring
Contributor
luhring commented Mar 7, 2025

What happened:

Starting in v0.88.0, Grype seems to set a vulnerability as its own related vulnerability. In other words, within a match, the vulnerability (and all of its data) is repeated within the relatedVulnerabilities array.

This seems like a material change in the semantics of the output. I'm not sure if this was intentional at all, but it's strange on the consumer end. We'll now need to filter out related vulnerabilities that appear to be duplicates of the main record.

It also means that result data gets a lot larger because of all the redundancy.

What you expected to happen:

Related vulnerabilities should only be vulnerabilities distinct from (but of course, upstream records or aliases of) the primary vulnerability.

How to reproduce it (as minimally and precisely as possible):

v0.87.0

$ grype -q alpine:3.13 -o json | jq '.matches | first | {vulnerability, relatedVulnerabilities}'
{
  "vulnerability": {
    "id": "CVE-2022-48174",
    "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-48174",
    "namespace": "nvd:cpe",
    "severity": "Critical",
    "urls": [
      "https://bugs.busybox.net/show_bug.cgi?id=15216",
      "https://bugs.busybox.net/show_bug.cgi?id=15216",
      "https://security.netapp.com/advisory/ntap-20241129-0001/"
    ],
    "description": "There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution.",
    "cvss": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "version": "3.1",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "metrics": {
          "baseScore": 9.8,
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        },
        "vendorMetadata": {}
      }
    ],
    "fix": {
      "versions": [],
      "state": "unknown"
    },
    "advisories": []
  },
  "relatedVulnerabilities": []
}

v0.88.0 and v0.89.0

$ grype -q alpine:3.13 -o json | jq '.matches | first | {vulnerability, relatedVulnerabilities}'
{
  "vulnerability": {
    "id": "CVE-2022-48174",
    "dataSource": "nvd",
    "namespace": "nvd:cpe",
    "severity": "Critical",
    "urls": [
      "https://nvd.nist.gov/vuln/detail/CVE-2022-48174",
      "https://bugs.busybox.net/show_bug.cgi?id=15216",
      "https://bugs.busybox.net/show_bug.cgi?id=15216",
      "https://security.netapp.com/advisory/ntap-20241129-0001/"
    ],
    "description": "There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution.",
    "cvss": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "version": "3.1",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "metrics": {
          "baseScore": 9.8,
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        },
        "vendorMetadata": {}
      }
    ],
    "epss": [
      {
        "cve": "CVE-2022-48174",
        "epss": 0.00264,
        "percentile": 0.6701,
        "date": "2025-03-06"
      }
    ],
    "fix": {
      "versions": [],
      "state": ""
    },
    "advisories": []
  },
  "relatedVulnerabilities": [
    {
      "id": "CVE-2022-48174",
      "dataSource": "nvd",
      "namespace": "nvd:cpe",
      "severity": "Critical",
      "urls": [
        "https://nvd.nist.gov/vuln/detail/CVE-2022-48174",
        "https://bugs.busybox.net/show_bug.cgi?id=15216",
        "https://bugs.busybox.net/show_bug.cgi?id=15216",
        "https://security.netapp.com/advisory/ntap-20241129-0001/"
      ],
      "description": "There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution.",
      "cvss": [
        {
          "source": "nvd@nist.gov",
          "type": "Primary",
          "version": "3.1",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "metrics": {
            "baseScore": 9.8,
            "exploitabilityScore": 3.9,
            "impactScore": 5.9
          },
          "vendorMetadata": {}
        }
      ],
      "epss": [
        {
          "cve": "CVE-2022-48174",
          "epss": 0.00264,
          "percentile": 0.6701,
          "date": "2025-03-06"
        }
      ]
    }
  ]
}

Anything else we need to know?:

Environment:

  • Output of grype version:
$ grype version
Application:         grype
Version:             [not provided]
BuildDate:           [not provided]
GitCommit:           [not provided]
GitDescription:      [not provided]
Platform:            darwin/arm64
GoVersion:           go1.24.1
Compiler:            gc
Syft Version:        v1.20.0
Supported DB Schema: 6
$ git status
HEAD detached at v0.88.0
nothing to commit, working tree clean
  • OS (e.g: cat /etc/os-release or similar): macOS
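The consumer-side filter the report says is now needed, as an added example that is not grype's own code and not part of the issue: it drops a related vulnerability only when both its id and its namespace equal the primary's, so a genuinely distinct record for the same CVE under another namespace is kept. The sample report is constructed from the v0.88.0 output quoted above; the alpine-namespace entry is a constructed placeholder for such a distinct related record.

```python
import copy
import json
import sys

# Constructed input modelled on the v0.88.0 output quoted in the issue: the
# primary record is repeated verbatim inside relatedVulnerabilities. The second
# related entry (same CVE id, distro namespace) is a constructed example of a
# genuinely distinct related record that a consumer must keep.
SAMPLE_GRYPE_REPORT = {
    "matches": [{
        "vulnerability": {"id": "CVE-2022-48174", "namespace": "nvd:cpe",
                          "severity": "Critical"},
        "relatedVulnerabilities": [
            {"id": "CVE-2022-48174", "namespace": "nvd:cpe", "severity": "Critical"},
            {"id": "CVE-2022-48174", "namespace": "alpine:distro:alpine:3.13",
             "severity": "Critical"},
        ],
    }]
}


def is_self_reference(primary: dict, related: dict) -> bool:
    """True when the related record is the primary repeated, not a distinct
    upstream record or alias. Keying on id alone is not enough: the same CVE id
    can legitimately appear under another namespace as a real related record."""
    return (related.get("id"), related.get("namespace")) == (
        primary.get("id"), primary.get("namespace"))


def dedupe_related(report: dict) -> tuple[dict, int]:
    """Return a copy of a grype JSON report with self-referential related
    vulnerabilities removed from every match, plus the number dropped."""
    cleaned = copy.deepcopy(report)
    dropped = 0
    for match in cleaned.get("matches", []):
        primary = match.get("vulnerability", {})
        related = match.get("relatedVulnerabilities") or []
        kept = [r for r in related if not is_self_reference(primary, r)]
        dropped += len(related) - len(kept)
        match["relatedVulnerabilities"] = kept
    return cleaned, dropped


if __name__ == "__main__":
    # Usage: grype -q alpine:3.13 -o json | python3 dedupe_related.py
    # With no piped input, the constructed sample above is used instead.
    report = json.loads(sys.stdin.read()) if not sys.stdin.isatty() else SAMPLE_GRYPE_REPORT
    cleaned_report, n = dedupe_related(report)
    print(json.dumps(cleaned_report, indent=2))
    print(f"dropped {n} self-referential related vulnerabilities", file=sys.stderr)
```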
@luhring luhring added the bug Something isn't working label Mar 7, 2025
@luhring luhring changed the title Grype results sets a vulnerability as its own related vulnerability Grype results set a vulnerability as its own related vulnerability Mar 7, 2025
@kzantow kzantow moved this to Ready in OSS Mar 7, 2025
@kzantow
Contributor
kzantow commented Mar 7, 2025

I agree having the same vulnerability as a "related" vulnerability seems wrong.

@kzantow kzantow self-assigned this Mar 7, 2025
@kzantow kzantow moved this from Ready to In Progress in OSS Mar 7, 2025
luhring added a commit to luhring/wolfictl that referenced this issue Mar 7, 2025
Caused by anchore/grype#2514

Signed-off-by: Dan Luhring <dluhring@chainguard.dev>
@kzantow kzantow moved this from In Progress to In Review in OSS Mar 7, 2025
@kzantow
Contributor
kzantow commented Mar 7, 2025

Fixed! #2515

@github-project-automation github-project-automation bot moved this from In Review to Done in OSS Mar 7, 2025