Dropping group from npm package names leads to false positives · Issue #2554 · anchore/grype · GitHub

Dropping group from npm package names leads to false positives #2554


Closed
ionimit opened this issue Mar 21, 2025 · 1 comment · Fixed by #2645
Labels: bug (Something isn't working)

Comments

@ionimit commented Mar 21, 2025

What happened:
The SBOM scanner reported many false positive vulnerabilities
What you expected to happen:
Not to report false positive vulnerabilities
How to reproduce it (as minimally and precisely as possible):

Use the following SBOM, all findings are false positive:

poc-sbom.json

grype command:
grype.exe sbom:"C:\path\to\bom.json"

Anything else we need to know?:

The following are identified false positives:

  • gen-mapping - GHSA-8rmg-jf7p-4p22 (actual package is @jridgewell/gen-mapping not gen-mapping)
  • middleware-user-agent - GHSA-7jfr-mfm3-p4mh (actual package is @aws-sdk/middleware-user-agent not middleware-user-agent)
  • node-config-provider - GHSA-p2f3-jr96-8rhf (actual package is @smithy/node-config-provider not node-config-provider)
  • protocol-http - GHSA-p57r-cpw5-9h67 (actual package is @smithy/protocol-http not protocol-http)
  • smithy-client - GHSA-xh9p-w3hh-pqp5 (actual package is @smithy/smithy-client not smithy-client)

Additional misidentified packages that lead to false positive results:

  • @types/jose not jose
  • @types/mime not mime
  • @types/ms not ms
  • @types/request not request
  • @types/tough-cookie not tough-cookie
  • @colors/colors not colors
  • @types/debug not debug
  • @types/ejs not ejs
  • @types/cookiejar not cookiejar
  • @types/jsonwebtoken not jsonwebtoken

Tool Output:
(screenshot attached)

Environment:
Application: grype
Version: 0.89.1
BuildDate: 2025-03-13T20:22:27Z
GitCommit: 718ea30
GitDescription: v0.89.1
Platform: windows/amd64
GoVersion: go1.24.1
Compiler: gc
Syft Version: v1.20.0
Supported DB Schema: 6

@ionimit ionimit added the bug Something isn't working label Mar 21, 2025
@kzantow (Contributor) commented Mar 21, 2025

This appears to be due to not reading the group or using information from the purl to try to construct the best Syft package possible.
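
The following is an added illustration of the failure mode described in the report and in the comment above; it is example code written for this page, not grype's or syft's implementation. It reads a small hand-constructed CycloneDX fragment (not the reporter's poc-sbom.json) and looks each component up in a made-up advisory table keyed by unscoped npm names, first using the bare "name" field and then using a name rebuilt from the purl (or, failing that, from "group" + "name"). The advisory IDs, SBOM contents and function names are all constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// Component is the subset of a CycloneDX component this example reads.
type Component struct {
	Group   string `json:"group,omitempty"`
	Name    string `json:"name"`
	Version string `json:"version,omitempty"`
	PURL    string `json:"purl,omitempty"`
}

type bom struct {
	Components []Component `json:"components"`
}

// constructedSBOM is a hand-written CycloneDX fragment for this example only.
// The scope lives in "group" and in the percent-encoded purl; "name" is bare.
const constructedSBOM = `{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "group": "@jridgewell", "name": "gen-mapping",
     "version": "0.3.5", "purl": "pkg:npm/%40jridgewell/gen-mapping@0.3.5"},
    {"type": "library", "group": "@smithy", "name": "protocol-http",
     "version": "4.1.0", "purl": "pkg:npm/%40smithy/protocol-http@4.1.0"},
    {"type": "library", "name": "lodash",
     "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"}
  ]
}`

// constructedAdvisories stands in for a vulnerability database. The IDs are
// made up; the keys are *unscoped* npm names, which are different packages
// from their "@scope/" namesakes, so a bare-name lookup is a false positive.
var constructedAdvisories = map[string]string{
	"gen-mapping":   "EXAMPLE-ADVISORY-0001",
	"protocol-http": "EXAMPLE-ADVISORY-0002",
}

// npmNameFromPURL rebuilds the full npm name from an npm purl. The namespace
// ("%40jridgewell") and the name are separate, individually percent-encoded
// path segments, followed by "@version" and optional qualifiers or subpath.
func npmNameFromPURL(purl string) (name, version string, err error) {
	const prefix = "pkg:npm/"
	if !strings.HasPrefix(purl, prefix) {
		return "", "", fmt.Errorf("not an npm purl: %q", purl)
	}
	rest := strings.TrimPrefix(purl, prefix)
	if i := strings.IndexAny(rest, "?#"); i >= 0 {
		rest = rest[:i] // qualifiers and subpath never carry the name
	}
	if i := strings.LastIndex(rest, "@"); i > 0 {
		version, rest = rest[i+1:], rest[:i] // i == 0 would be a raw "@scope"
	}
	segs := strings.Split(rest, "/")
	if len(segs) > 2 {
		return "", "", fmt.Errorf("unexpected npm purl path %q", rest)
	}
	for i := range segs {
		if segs[i], err = url.PathUnescape(segs[i]); err != nil {
			return "", "", err
		}
	}
	return strings.Join(segs, "/"), version, nil
}

// resolveName is the name a matcher should use: purl first, then group+name,
// and the bare name only when nothing better is available.
func resolveName(c Component) string {
	if c.PURL != "" {
		if n, _, err := npmNameFromPURL(c.PURL); err == nil {
			return n
		}
	}
	if c.Group != "" {
		return c.Group + "/" + c.Name
	}
	return c.Name
}

// match parses the SBOM and returns advisory IDs keyed by the name that
// nameOf produced for each component.
func match(sbomJSON string, nameOf func(Component) string) (map[string]string, error) {
	var b bom
	if err := json.Unmarshal([]byte(sbomJSON), &b); err != nil {
		return nil, err
	}
	hits := map[string]string{}
	for _, c := range b.Components {
		if id, ok := constructedAdvisories[nameOf(c)]; ok {
			hits[nameOf(c)] = id
		}
	}
	return hits, nil
}

func main() {
	naive, _ := match(constructedSBOM, func(c Component) string { return c.Name })
	scoped, _ := match(constructedSBOM, resolveName)
	fmt.Println("bare-name lookups:", naive)  // two false positives
	fmt.Println("scoped lookups:   ", scoped) // none
}
```

The bare-name pass reports both scoped components against advisories for unrelated packages; the purl-driven pass reports nothing, because "@jridgewell/gen-mapping" and "gen-mapping" are distinct keys. The same resolution order handles the "@types/*" and "@colors/colors" cases in the report, where "group" is present even if a purl is missing.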

@kzantow kzantow moved this to Ready in OSS Mar 21, 2025
@kzantow kzantow self-assigned this May 7, 2025
@kzantow kzantow moved this from Ready to In Progress in OSS May 7, 2025
@kzantow kzantow moved this from In Progress to In Review in OSS May 12, 2025
@github-project-automation github-project-automation bot moved this from In Review to Done in OSS May 12, 2025
@wagoodman wagoodman changed the title SBOM many false positives Dropping group on npm packages leads to false positives May 14, 2025
@wagoodman wagoodman changed the title Dropping group on npm packages leads to false positives Dropping group from npm package names leads to false positives May 14, 2025
Projects: Status: Done

2 participants