grype pkg:golang/k8s.io/ingress-nginx@v1.11.2 does not show cve · Issue #2580 · anchore/grype · GitHub


Closed
goatwu1993 opened this issue Apr 7, 2025 · 4 comments · Fixed by #2586
Assignees
Labels
bug Something isn't working

Comments

@goatwu1993 Contributor

What happened:

grype 'pkg:golang/k8s.io/ingress-nginx@v1.11.2' -vvv
[0000]  INFO grype version: 0.91.0
[0000] DEBUG config:
  log:
      quiet: false
      level: trace
      file: ""
  dev:
      profile: none
  output: []
  file: ""
  pretty: false
  distro: ""
  add-cpes-if-none: false
  output-template-file: ""
  check-for-app-update: true
  only-fixed: false
  only-notfixed: false
  ignore-states: ""
  platform: ""
  search:
      scope: squashed
      unindexed-archives: false
      indexed-archives: true
  ignore: []
  exclude: []
  external-sources:
      enable: false
      maven:
          search-upstream: true
          base-url: https://search.maven.org/solrsearch/select
          rate-limit: 300ms
  match:
      java:
          using-cpes: false
      jvm:
          using-cpes: true
      dotnet:
          using-cpes: false
      golang:
          using-cpes: false
          always-use-cpe-for-stdlib: true
          allow-main-module-pseudo-version-comparison: false
      javascript:
          using-cpes: false
      python:
          using-cpes: false
      ruby:
          using-cpes: false
      rust:
          using-cpes: false
      stock:
          using-cpes: true
  fail-on-severity: ""
  registry:
      insecure-skip-tls-verify: false
      insecure-use-http: false
      auth: []
      ca-cert: ""
  show-suppressed: false
  by-cve: false
  name: ""
  default-image-pull-source: ""
  vex-documents: []
  vex-add: []
  match-upstream-kernel-headers: false
  db:
      cache-dir: /Users/peter_wu/Library/Caches/grype/db
      update-url: https://grype.anchore.io/databases
      ca-cert: ""
      auto-update: true
      validate-by-hash-on-start: true
      validate-age: true
      max-allowed-built-age: 120h0m0s
      require-update-check: false
      update-available-timeout: 30s
      update-download-timeout: 5m0s
      max-update-check-frequency: 2h0m0s
  exp: {}
  dev:
      db:
          debug: false
[0000] DEBUG gathering packages
[0000] DEBUG loading DB
[0000] TRACE interpreting input as one or more PURLs input=pkg:golang/k8s.io/ingress-nginx@v1.11.2
[0000] DEBUG checking for available database updates
[0000] DEBUG no new grype application update available
[0001] DEBUG existing database is older than candidate update, using update... candidate=2025-04-06T04:08:33Z delta=96h1m20s existing=2025-04-02T04:07:13Z
[0001] DEBUG database update available: DB(version=v6.0.2 built=2025-04-06T04:08:33Z)
[0001]  INFO downloading new vulnerability DB
[0026] DEBUG obtained vulnerability DB archive url=https://grype.anchore.io/databases/v6/vulnerability-db_v6.0.2_2025-04-06T01:29:53Z_1743912513.tar.zst?checksum=sha256%3A3cd724adf89aecf63a74ceeb0d5ec8cd16e301a28731979151aad2a4d1c7fc3e
[0026] DEBUG using writable DB statements path=/Users/peter_wu/Library/Caches/grype/grype-db-download2367606303/vulnerability.db
[0026] DEBUG applying DB migrations path=/Users/peter_wu/Library/Caches/grype/grype-db-download2367606303/vulnerability.db
[0066] TRACE captured DB digest digest=xxh64:883f3c778aecec75
[0068] DEBUG moved database directory to activate error=<nil> from=/Users/peter_wu/Library/Caches/grype/grype-db-download2367606303 to=/Users/peter_wu/Library/Caches/grype/db/6
[0068]  INFO updated vulnerability DB from=2025-04-02T04:07:13Z to=2025-04-06T04:08:33Z version=v6.0.2
[0068] TRACE DB rehydration not needed clientHydrationVersion=v6.0.2 currentClientVersion=v6.0.2 currentDBVersion=v6.0.2
[0068] TRACE finding matches against DB
[0068] TRACE adding matcher: deb
[0068] TRACE adding matcher: gem
[0068] TRACE adding matcher: python
[0068] TRACE adding matcher: dotnet
[0068] TRACE adding matcher: rpm
[0068] TRACE adding matcher: java-archive
[0068] TRACE adding matcher: jenkins-plugin
[0068] TRACE adding matcher: npm
[0068] TRACE adding matcher: apk
[0068] TRACE adding matcher: go-module
[0068] TRACE adding matcher: msrc-kb
[0068] TRACE adding matcher: portage
[0068] TRACE adding matcher: rust-crate
[0068] TRACE searching for vulnerability matches package=pkg:golang/k8s.io/ingress-nginx@v1.11.2
[0068] TRACE fetched affected package record distro=none duration=1.452796ms pkg=package(name=ingress-nginx, ecosystem=go-module) records=0 vulns=any
[0068] TRACE attached blob values count=0 duration=302ns
[0068] TRACE attached blob values count=0 duration=50ns
[0068] TRACE fetching all provider records
[0068] TRACE finding matches against available VEX documents
[0068]  INFO found 0 vulnerability matches across 1 packages
[0068] DEBUG   ├── fixed: 0
[0068] DEBUG   ├── ignored: 0 (due to user-provided rule)
[0068] DEBUG   ├── dropped: 0 (due to hard-coded correction)
[0068] DEBUG   └── matched: 0
[0068] DEBUG       ├── unknown: 0
[0068] DEBUG       ├── negligible: 0
[0068] DEBUG       ├── low: 0
[0068] DEBUG       ├── medium: 0
[0068] DEBUG       ├── high: 0
[0068] DEBUG       └── critical: 0
[0068] TRACE fetching all provider records
[0068] TRACE worker stopped component=eventloop
[0068] TRACE signal exit component=eventloop
No vulnerabilities found

What you expected to happen:

CVE-2025-1974 found

How to reproduce it (as minimally and precisely as possible):

grype 'pkg:golang/k8s.io/ingress-nginx@v1.11.2'

Anything else we need to know?:

Environment:

  • Output of grype version:
Application:         grype
Version:             0.91.0
BuildDate:           2025-04-01T15:27:24Z
GitCommit:           Homebrew
GitDescription:      [not provided]
Platform:            darwin/amd64
GoVersion:           go1.24.1
Compiler:            gc
Syft Version:        v1.22.0
Supported DB Schema: 6
  • OS (e.g: cat /etc/os-release or similar):

    macos amd64

@goatwu1993 goatwu1993 added the bug Something isn't working label Apr 7, 2025
@spiffcs Contributor
spiffcs commented Apr 7, 2025

Thanks @goatwu1993! It looks like we have a bug in the package construction from PURL in the search command that's not sending it to the correct query. Taking a look now and will tag a PR here when the fix is in!

@spiffcs spiffcs self-assigned this Apr 7, 2025
@spiffcs spiffcs moved this to In Progress in OSS Apr 7, 2025
@goatwu1993 goatwu1993 changed the title from "grype pkg:golang/k8s.io/ingress-nginx does not show cve" to "grype pkg:golang/k8s.io/ingress-nginx@v1.11.2 does not show cve" Apr 8, 2025
@goatwu1993 Contributor Author

@spiffcs I created a PR which seems to fix the issue.

@goatwu1993 Contributor Author

@spiffcs I failed to fix it. It seems too complicated. Do you have any hint, or any chance to fix it?

@spiffcs Contributor
spiffcs commented May 2, 2025

Sorry for the long wait here @goatwu1993.

Let's take the problem and invert it to work backwards from the vulnerability we're trying to locate.

grype db search CVE-2025-1974
VULNERABILITY  PACKAGE                                                     ECOSYSTEM  NAMESPACE                             VERSION CONSTRAINT
CVE-2025-1974  cpe:2.3:a:kubernetes:ingress-nginx:*:*:*:*:go:*             go         nvd:cpe                               < 1.11.5 || >= 1.12.0, < 1.12.1
CVE-2025-1974  cpe:2.3:a:kubernetes:nginx_ingress_controller:*:*:*:*:go:*  go         nvd:cpe                               < 1.11.5 || >= 1.12.0, < 1.12.1
CVE-2025-1974  ingress-nginx-controller-1.10                               apk        chainguard:distro:chainguard:rolling  < 0
CVE-2025-1974  ingress-nginx-controller-1.11                               apk        chainguard:distro:chainguard:rolling  < 1.11.5-r0
CVE-2025-1974  ingress-nginx-controller-1.12                               apk        chainguard:distro:chainguard:rolling  < 1.12.1-r14
CVE-2025-1974  ingress-nginx-controller-1.12                               apk        wolfi:distro:wolfi:rolling            < 1.12.1-r14
CVE-2025-1974  ingress-nginx-controller-fips-1.10                          apk        chainguard:distro:chainguard:rolling  < 0
CVE-2025-1974  ingress-nginx-controller-fips-1.11                          apk        chainguard:distro:chainguard:rolling  < 1.11.5-r0
CVE-2025-1974  ingress-nginx-controller-fips-1.12                          apk        chainguard:distro:chainguard:rolling  < 1.12.1-r0

Let's take a look at its counterpart in the GHSA database:

grype db search GHSA-mgvx-rpfc-9mpv
VULNERABILITY        PACKAGE                             ECOSYSTEM  NAMESPACE                             VERSION CONSTRAINT
GHSA-mgvx-rpfc-9mpv  ingress-nginx-controller-1.10       apk        chainguard:distro:chainguard:rolling  < 0
GHSA-mgvx-rpfc-9mpv  ingress-nginx-controller-1.11       apk        chainguard:distro:chainguard:rolling  < 1.11.5-r0
GHSA-mgvx-rpfc-9mpv  ingress-nginx-controller-1.12       apk        chainguard:distro:chainguard:rolling  < 1.12.1-r14
GHSA-mgvx-rpfc-9mpv  ingress-nginx-controller-1.12       apk        wolfi:distro:wolfi:rolling            < 1.12.1-r14
GHSA-mgvx-rpfc-9mpv  ingress-nginx-controller-fips-1.10  apk        chainguard:distro:chainguard:rolling  < 0
GHSA-mgvx-rpfc-9mpv  ingress-nginx-controller-fips-1.11  apk        chainguard:distro:chainguard:rolling  < 1.11.5-r0
GHSA-mgvx-rpfc-9mpv  ingress-nginx-controller-fips-1.12  apk        chainguard:distro:chainguard:rolling  < 1.12.1-r0
GHSA-mgvx-rpfc-9mpv  k8s.io/ingress-nginx                go-module  github:language:go                    <1.11.5
GHSA-mgvx-rpfc-9mpv  k8s.io/ingress-nginx                go-module  github:language:go                    >=1.12.0-beta.0,<1.12.1

So the package name here would be k8s.io/ingress-nginx if we want a hit on the go ecosystem.

k8s.io/ingress-nginx

This is what you provided (correctly) in the PURL.

Unfortunately it looks like grype converts the provided purl to a package with the name ingress-nginx rather than k8s.io/ingress-nginx.

When we take the provided purl we see it's got the components:

Type = {string} "golang"
Namespace = {string} "k8s.io"
Name = {string} "ingress-nginx"
Version = {string} "v1.11.2"

I think this is a fix in the PURL provider when the type is golang where we include both the Namespace and Name as part of the package creation.

I've created a POC branch showing what this could look like here:
#2636

I think I'd like some extra eyes from others on the team just in case this isn't a change in how we construct the database when doing package name searches.

@spiffcs spiffcs moved this from In Progress to In Review in OSS May 2, 2025
@github-project-automation github-project-automation bot moved this from In Review to Done in OSS May 2, 2025
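The name-construction problem spiffcs walks through above, reduced to a runnable model. This is an added example, not grype's code and not the change in #2636: it parses the PURL into the four components listed in the comment, looks the package up under both naming strategies (Name only, as reported; Namespace joined to Name, as proposed), and evaluates the two go-module constraint rows copied from the GHSA-mgvx-rpfc-9mpv search output. The minimal PURL parser, the `golang` to `go-module` mapping, the version comparator and the `sampleDB` rows are this example's own assumptions; grype itself uses the package-url library and a fuller version comparison.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// purl holds the package-url fields used here (qualifiers and subpath ignored).
type purl struct{ Type, Namespace, Name, Version string }

// parsePURL splits "pkg:type/namespace.../name@version"; the spec puts every segment
// between the type and the last one into Namespace (assumes plain Go module paths).
func parsePURL(s string) (purl, error) {
	rest, version := strings.TrimPrefix(s, "pkg:"), ""
	if i := strings.LastIndex(rest, "@"); i >= 0 {
		version, rest = rest[i+1:], rest[:i]
	}
	parts := strings.Split(rest, "/")
	if !strings.HasPrefix(s, "pkg:") || len(parts) < 2 {
		return purl{}, fmt.Errorf("not a usable purl: %q", s)
	}
	return purl{parts[0], strings.Join(parts[1:len(parts)-1], "/"), parts[len(parts)-1], version}, nil
}

// packageName builds the DB lookup key. joinNamespace=false reproduces the behaviour the
// thread describes (k8s.io/ingress-nginx searched as "ingress-nginx"); true re-joins them.
func packageName(p purl, joinNamespace bool) string {
	if joinNamespace && p.Type == "golang" && p.Namespace != "" {
		return p.Namespace + "/" + p.Name
	}
	return p.Name
}

// record is a constructed stand-in for one "grype db search" row (go-module rows above).
type record struct{ Vuln, Ecosystem, Package, Constraint string }

var sampleDB = []record{
	{"GHSA-mgvx-rpfc-9mpv", "go-module", "k8s.io/ingress-nginx", "<1.11.5"},
	{"GHSA-mgvx-rpfc-9mpv", "go-module", "k8s.io/ingress-nginx", ">=1.12.0-beta.0,<1.12.1"},
}

// parseVersion turns "v1.12.0-beta.0" into [1 12 0] and "beta.0", dropping the Go "v" prefix.
func parseVersion(v string) (nums [3]int, pre string) {
	core, pre, _ := strings.Cut(strings.TrimPrefix(v, "v"), "-")
	for i, f := range strings.SplitN(core, ".", 3) {
		nums[i], _ = strconv.Atoi(f)
	}
	return nums, pre
}

// compareVersions returns -1, 0 or 1. A pre-release sorts below its release and two
// pre-release tags are compared lexically (a simplification of full semver).
func compareVersions(a, b string) int {
	an, ap := parseVersion(a)
	bn, bp := parseVersion(b)
	for i := range an {
		if an[i] < bn[i] {
			return -1
		} else if an[i] > bn[i] {
			return 1
		}
	}
	if ap == bp {
		return 0
	} else if ap == "" || (bp != "" && ap > bp) {
		return 1
	}
	return -1
}

// satisfies evaluates a comma-separated AND constraint such as ">=1.12.0-beta.0,<1.12.1".
func satisfies(version, constraint string) bool {
	for _, c := range strings.Split(constraint, ",") {
		c = strings.TrimSpace(c)
		want := strings.TrimLeft(c, "<>= ")
		cmp, op := compareVersions(version, want), strings.TrimSpace(c[:len(c)-len(want)])
		if !map[string]bool{">=": cmp >= 0, "<=": cmp <= 0, ">": cmp > 0, "<": cmp < 0, "=": cmp == 0, "": cmp == 0}[op] {
			return false
		}
	}
	return true
}

// findMatches looks the PURL up in sampleDB under the chosen naming strategy.
func findMatches(p purl, joinNamespace bool) (hits []record) {
	name, eco := packageName(p, joinNamespace), map[string]string{"golang": "go-module"}[p.Type]
	for _, r := range sampleDB {
		if r.Ecosystem == eco && r.Package == name && satisfies(p.Version, r.Constraint) {
			hits = append(hits, r)
		}
	}
	return hits
}

func main() {
	p, _ := parsePURL("pkg:golang/k8s.io/ingress-nginx@v1.11.2")
	fmt.Printf("name only:      %q -> %d match(es)\n", packageName(p, false), len(findMatches(p, false)))
	fmt.Printf("namespace+name: %q -> %d match(es)\n", packageName(p, true), len(findMatches(p, true)))
}
```

Run as is, the name-only strategy yields zero matches, reproducing the empty result in the report, while the joined name yields the single "<1.11.5" hit for v1.11.2. The same join is what a multi-segment Go module path such as pkg:golang/github.com/gorilla/websocket needs, since the PURL spec folds "github.com/gorilla" into Namespace; and because the GHSA constraints carry no "v" prefix, the comparator strips it before comparing, which is the other place a PURL-driven lookup can silently miss.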