Grype stopped reporting vulnerabilities after upgrade · Issue #2608 · anchore/grype · GitHub

Grype stopped reporting vulnerabilities after upgrade #2608

Closed
RPGillespie6 opened this issue Apr 21, 2025 · 2 comments · Fixed by #2610
Comments

RPGillespie6 commented Apr 21, 2025

What happened:
Upgrading grype from v0.87 to v0.91 made some long-standing vulnerabilities suddenly disappear.

grype v0.87:

$ grype87 sample.spdx.json 
 ✔ Scanned for vulnerabilities     [2 vulnerability matches]  
   ├── by severity: 0 critical, 2 high, 0 medium, 0 low, 0 negligible
   └── by status:   2 fixed, 0 not-fixed, 0 ignored 
[0000]  WARN attempted CPE search on Newtonsoft.Json, which has no CPEs. Consider re-running with --add-cpes-if-none
[0000]  WARN attempted CPE search on Npgsql, which has no CPEs. Consider re-running with --add-cpes-if-none
NAME             INSTALLED  FIXED-IN  TYPE            VULNERABILITY        SEVERITY 
Newtonsoft.Json  12.0.3     13.0.1    UnknownPackage  GHSA-5crp-9r3c-p9vr  High      
Npgsql           2.2.7      4.0.14    UnknownPackage  GHSA-x9vc-6hfv-hg8c  High
A newer version of grype is available for download: 0.91.0 (installed version is 0.87.0)

After updating to v0.91:

$ grype sample.spdx.json
 ✔ Scanned for vulnerabilities     [0 vulnerability matches]  
   ├── by severity: 0 critical, 0 high, 0 medium, 0 low, 0 negligible
   └── by status:   0 fixed, 0 not-fixed, 0 ignored 

The SBOM didn't change, I only upgraded grype.

How to reproduce it (as minimally and precisely as possible):

Save this as sample.spdx.json:

{
    "files": [],
    "packages": [
        {
            "name": "Newtonsoft.Json",
            "SPDXID": "SPDXRef-Package-44C7E1BDBEAABC00BC5C0BE25DFBEF59EF61AC52BD3DA22F5DB3FE5C61C844EB",
            "downloadLocation": "NOASSERTION",
            "filesAnalyzed": false,
            "licenseConcluded": "MIT",
            "licenseDeclared": "MIT",
            "copyrightText": "NOASSERTION",
            "versionInfo": "12.0.3",
            "externalRefs": [
                {
                    "referenceCategory": "PACKAGE-MANAGER",
                    "referenceType": "purl",
                    "referenceLocator": "pkg:nuget/Newtonsoft.Json@12.0.3"
                }
            ],
            "supplier": "Organization: James Newton-King"
        },
        {
            "name": "Npgsql",
            "SPDXID": "SPDXRef-Package-AA2FA74197A576EE788F127AE2FD642AB7B03579A6D8CAAD9BE6FAEEFA6081F4",
            "downloadLocation": "NOASSERTION",
            "filesAnalyzed": false,
            "licenseConcluded": "NOASSERTION",
            "licenseDeclared": "NOASSERTION",
            "copyrightText": "NOASSERTION",
            "versionInfo": "2.2.7",
            "externalRefs": [
                {
                    "referenceCategory": "PACKAGE-MANAGER",
                    "referenceType": "purl",
                    "referenceLocator": "pkg:nuget/Npgsql@2.2.7"
                }
            ],
            "supplier": "Organization: Francisco Figueiredo Jr."
        }
    ],
    "externalDocumentRefs": [],
    "relationships": [],
    "spdxVersion": "SPDX-2.2",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "Product 2.4.6",
    "documentNamespace": "https://spdx.org/spdxdocs/sbom-tool-2.2.1-0467e08b-85b0-4bf3-921d-7454f462d024/Product/2.4.6/CTBcGFODskCMEwjTy59o2A",
    "creationInfo": {
        "created": "2024-01-18T18:35:48Z",
        "creators": [
            "Organization: Rad",
            "Tool: Microsoft.SBOMTool-2.2.1"
        ]
    },
    "documentDescribes": [
        "SPDXRef-RootPackage"
    ]
}

Run it through grype v0.87 vs v0.91 and note that the former detects the vulnerability while the latter reports none.

SBOM was generated with Microsoft's SBOMTool and then pared down to a minimal example for the issue.

Edit: After some trial and error, it appears the breaking change is v0.87 -> v0.88:

user@dsilicon:~/Downloads$ grype87 sample.spdx.json 
 ✔ Scanned for vulnerabilities     [2 vulnerability matches]  
   ├── by severity: 0 critical, 2 high, 0 medium, 0 low, 0 negligible
   └── by status:   2 fixed, 0 not-fixed, 0 ignored 
[0000]  WARN attempted CPE search on Newtonsoft.Json, which has no CPEs. Consider re-running with --add-cpes-if-none
[0000]  WARN attempted CPE search on Npgsql, which has no CPEs. Consider re-running with --add-cpes-if-none
NAME             INSTALLED  FIXED-IN  TYPE            VULNERABILITY        SEVERITY 
Newtonsoft.Json  12.0.3     13.0.1    UnknownPackage  GHSA-5crp-9r3c-p9vr  High      
Npgsql           2.2.7      4.0.14    UnknownPackage  GHSA-x9vc-6hfv-hg8c  High
A newer version of grype is available for download: 0.91.0 (installed version is 0.87.0)

user@dsilicon:~/Downloads$ grype88 sample.spdx.json 
 ✔ Scanned for vulnerabilities     [0 vulnerability matches]  
   ├── by severity: 0 critical, 0 high, 0 medium, 0 low, 0 negligible
   └── by status:   0 fixed, 0 not-fixed, 0 ignored 
No vulnerabilities found

RPGillespie6 added the bug label Apr 21, 2025

sschakraborty commented

I too noticed the same problem in Grype, and a search landed me on this issue. It seems like Grype versions 0.88.0 and above are not reporting several existing critical-severity issues, including the ones from the Log4j 1.2.17 library. I'm not sure if this is related, but Grype had a change in the DB they're pointing to starting from that version:

With #2126 the listing file which hosts the URLs of databases to download has migrated from https://toolbox-data.anchore.io/grype/databases/listing.json to https://grype.anchore.io/databases/v6/latest.json.

popey (Contributor) commented Apr 23, 2025

@RPGillespie6 Thank you for the bug report. Sorry to hear grype appears to be reporting incorrect results.

Confirmed it here:

$ export GRYPE_CHECK_FOR_APP_UPDATE=False
$ for gryperel in v0.87 v0.88.0 v0.89.0 v0.89.1 v0.90.0 v0.91.0; do ./"$gryperel"/grype --version; ./"$gryperel"/grype -q ./sample.spdx.json | egrep 'GHSA-5crp-9r3c-p9vr|GHSA-x9vc-6hfv-hg8c'; done
grype 0.87.0
Newtonsoft.Json  12.0.3     13.0.1    UnknownPackage  GHSA-5crp-9r3c-p9vr  High
Npgsql           2.2.7      4.0.14    UnknownPackage  GHSA-x9vc-6hfv-hg8c  High
grype 0.88.0
grype 0.89.0
grype 0.89.1
grype 0.90.0
grype 0.91.0
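A defender-side regression check suggested by this thread, added here as an example and not part of grype or this issue: it diffs two grype JSON reports and flags findings that vanished between scanner versions, as the two GHSA entries did between v0.87 and v0.88. It assumes the `grype -o json` shape (`matches[].vulnerability.id`/`severity` and `matches[].artifact.name`/`version`); the two reports are constructed to mirror the runs shown above.

```python
import json

# Constructed sample approximating `grype87 -o json sample.spdx.json`
# (assumed grype JSON shape: matches[].vulnerability / matches[].artifact).
OLD_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "GHSA-5crp-9r3c-p9vr", "severity": "High"},
     "artifact": {"name": "Newtonsoft.Json", "version": "12.0.3", "type": "UnknownPackage"}},
    {"vulnerability": {"id": "GHSA-x9vc-6hfv-hg8c", "severity": "High"},
     "artifact": {"name": "Npgsql", "version": "2.2.7", "type": "UnknownPackage"}},
]})

# Constructed sample approximating `grype88 -o json sample.spdx.json`: no matches.
NEW_REPORT = json.dumps({"matches": []})


def finding_keys(report_json):
    """Map (package, version, vuln id) -> severity for one grype JSON report."""
    keys = {}
    for m in json.loads(report_json).get("matches", []):
        art, vuln = m["artifact"], m["vulnerability"]
        keys[(art["name"], art["version"], vuln["id"])] = vuln.get("severity", "Unknown")
    return keys


def lost_findings(old_json, new_json):
    """Findings present in the old report but absent from the new one, sorted."""
    old, new = finding_keys(old_json), finding_keys(new_json)
    return sorted((k, old[k]) for k in old.keys() - new.keys())


def gate(old_json, new_json, fail_on=("Critical", "High")):
    """Return (ok, lost): ok is False when a Critical/High finding vanished.

    Run this in CI after a scanner upgrade; a silent drop in findings
    deserves the same scrutiny as a new finding.
    """
    lost = lost_findings(old_json, new_json)
    ok = not any(sev in fail_on for _, sev in lost)
    return ok, lost


if __name__ == "__main__":
    ok, lost = gate(OLD_REPORT, NEW_REPORT)
    for (name, ver, vid), sev in lost:
        print(f"LOST {name} {ver} {vid} {sev}")
    print("OK" if ok else "REGRESSION: findings disappeared between scanner versions")
```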
