Various false positives starting with 0.91.1 · Issue #2618 · anchore/grype · GitHub

Closed
lazka opened this issue Apr 24, 2025 · 5 comments · Fixed by #2621
bug Something isn't working

Comments

lazka commented Apr 24, 2025

What happened:

It matches CVEs that are assigned to npm packages that happen to have the same name as system packages.

What you expected to happen:

It not doing that (I control the SBOM generation, so maybe I'm doing something wrong?)

How to reproduce it (as minimally and precisely as possible):

This is one example, I have 7 more libraries that are affected by the same issue.

{
  "components": [
    {
      "cpe": "cpe:/a:gnu:libidn2:2.3.8",
      "name": "libidn2",
      "type": "library",
      "version": "2.3.8"
    }
  ],
  "serialNumber": "urn:uuid:58138ce5-3e98-4cbd-bb27-ea5dcbf48170",
  "version": 1,
  "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.5"
}

With 0.91.1 (broken):

$ ./grype.exe sbom.cdx.json
 ✔ Scanned for vulnerabilities     [0 vulnerability matches]
   ├── by severity: 1 critical, 0 high, 0 medium, 0 low, 0 negligible
   └── by status:   0 fixed, 1 not-fixed, 0 ignored
NAME     INSTALLED  FIXED-IN  TYPE            VULNERABILITY        SEVERITY
libidn2  2.3.8                UnknownPackage  GHSA-j6m4-68hc-mqq9  Critical

With 0.91.0 (working):

$ ./grype_old.exe sbom.cdx.json
 ✔ Scanned for vulnerabilities     [0 vulnerability matches]
   ├── by severity: 0 critical, 0 high, 0 medium, 0 low, 0 negligible
   └── by status:   0 fixed, 0 not-fixed, 0 ignored
No vulnerabilities found
A newer version of grype is available for download: 0.91.1 (installed version is 0.91.0)
lazka commented Apr 24, 2025

A workaround I found was adding this to all components that don't have a PURL (otherwise grype ignores the PURL, which leads to false negatives):

      "properties": [
        {
          "name": "syft:package:type",
          "value": "binary"
        }
      ],

edit: I implemented this workaround here now.
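One way to apply the workaround from the comment above to a whole CycloneDX SBOM, as an added example (not the reporter's script): every component without a PURL gets the `syft:package:type = binary` property, components that already carry a PURL are left alone, and the function is idempotent. The sample SBOM is constructed for this example and modelled on the one in the report; the `pkg:generic/...` PURL is an assumption used only to show the skip path.

```python
import json

# Constructed CycloneDX 1.5 SBOM: one component with a CPE but no PURL (the
# case that triggered the false positive) and one that already has a PURL.
SAMPLE_SBOM_TEXT = json.dumps({
    "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "components": [
        {"cpe": "cpe:/a:gnu:libidn2:2.3.8", "name": "libidn2",
         "type": "library", "version": "2.3.8"},
        {"purl": "pkg:generic/gnuplot@6.0.2", "name": "gnuplot",  # assumed PURL
         "type": "library", "version": "6.0.2"},
    ],
})

# The property the reporter added by hand to components lacking a PURL.
PKG_TYPE_PROPERTY = {"name": "syft:package:type", "value": "binary"}


def load_sample() -> dict:
    """Parse the constructed sample SBOM into a fresh dict."""
    return json.loads(SAMPLE_SBOM_TEXT)


def tag_binary_components(sbom: dict) -> list[str]:
    """Add the workaround property, in place, to every component that has no
    PURL and does not already carry the property. Returns the names of the
    components that were changed, so a second run returns [] (idempotent).

    Components with a PURL are skipped on purpose: the report notes that the
    property makes grype ignore the PURL, which would trade false positives
    for false negatives on those components."""
    touched = []
    for comp in sbom.get("components", []):
        if comp.get("purl"):
            continue
        props = comp.setdefault("properties", [])
        if any(p.get("name") == PKG_TYPE_PROPERTY["name"] for p in props):
            continue
        props.append(dict(PKG_TYPE_PROPERTY))
        touched.append(comp["name"])
    return touched


if __name__ == "__main__":
    bom = load_sample()
    print("tagged:", tag_binary_components(bom))
    print(json.dumps(bom, indent=2))
```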

@willmurphyscode willmurphyscode self-assigned this Apr 24, 2025
@willmurphyscode willmurphyscode moved this to Ready in OSS Apr 24, 2025
lazka commented Apr 25, 2025

I noticed that without any CPE it also matches now, vs it didn't before:

{
  "components": [
    {
      "name": "libidn2",
      "type": "library",
      "version": "1.0.0"
    }
  ],
  "serialNumber": "urn:uuid:58138ce5-3e98-4cbd-bb27-ea5dcbf48170",
  "version": 1,
  "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.5"
}

That might be wanted behavior, not sure. Just mentioning it for completeness.

@willmurphyscode willmurphyscode moved this from Ready to In Progress in OSS Apr 25, 2025
willmurphyscode commented Apr 25, 2025

EDIT: sorry, I thought I was investigating a false negative.

You are correct that this is a false positive. I'll figure out why we're matching on it now and weren't before.

willmurphyscode commented

@lazka I believe I have a fix up over at #2621. Would you mind sharing some additional examples so I can test those?

Thanks again for the clear and reproducible issue 😄

@github-project-automation github-project-automation bot moved this from In Progress to Done in OSS Apr 25, 2025
lazka commented Apr 25, 2025

Thanks! I can confirm that things are back to how they were with 0.91.0.

Not sure if that is still useful, but here are some more I found (the others turned out to have no CPE):

{
  "components": [
    {
      "cpe": "cpe:/a:mozilla:bleach:6.2.0",
      "name": "bleach",
      "type": "library",
      "version": "6.2.0"
    },
    {
      "cpe": "cpe:/a:gnuplot:gnuplot:6.0.2",
      "name": "gnuplot",
      "type": "library",
      "version": "6.0.2"
    },
    {
      "cpe": "cpe:/a:gnu:libidn2:2.3.8",
      "name": "libidn2",
      "type": "library",
      "version": "2.3.8"
    },
    {
      "cpe": "cpe:/a:opencv:opencv:4.11.0",
      "name": "opencv",
      "type": "library",
      "version": "4.11.0"
    },
    {
      "cpe": "cpe:/a:tencent:rapidjson:1.1.0",
      "name": "rapidjson",
      "type": "library",
      "version": "1.1.0"
    }
  ],
  "serialNumber": "urn:uuid:58138ce5-3e98-4cbd-bb27-ea5dcbf48170",
  "version": 1,
  "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.5"
}

For some extra context: We are "misusing" grype to do vuln reporting for a distro, thus the handcrafted SBOMs: https://www.msys2.org/dev/vulnerabilities/
