Closed
Description
What happened:
It matches CVEs that are assigned to npm packages that happen to have the same name as system packages.
What you expected to happen:
It should not do that (I control the SBOM generation, so maybe I'm doing something wrong?)
How to reproduce it (as minimally and precisely as possible):
This is one example; I have 7 more libraries that are affected by the same issue.
{
  "components": [
    {
      "cpe": "cpe:/a:gnu:libidn2:2.3.8",
      "name": "libidn2",
      "type": "library",
      "version": "2.3.8"
    }
  ],
  "serialNumber": "urn:uuid:58138ce5-3e98-4cbd-bb27-ea5dcbf48170",
  "version": 1,
  "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.5"
}
With 0.91.1 (broken):
$ ./grype.exe sbom.cdx.json
✔ Scanned for vulnerabilities [0 vulnerability matches]
├── by severity: 1 critical, 0 high, 0 medium, 0 low, 0 negligible
└── by status: 0 fixed, 1 not-fixed, 0 ignored
NAME     INSTALLED  FIXED-IN  TYPE            VULNERABILITY        SEVERITY
libidn2  2.3.8                UnknownPackage  GHSA-j6m4-68hc-mqq9  Critical
With 0.91.0 (working):
$ ./grype_old.exe sbom.cdx.json
✔ Scanned for vulnerabilities [0 vulnerability matches]
├── by severity: 0 critical, 0 high, 0 medium, 0 low, 0 negligible
└── by status: 0 fixed, 0 not-fixed, 0 ignored
No vulnerabilities found
A newer version of grype is available for download: 0.91.1 (installed version is 0.91.0)
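A small triage helper, added here as an example and not code from the grype project or from the reporter: it reads a CycloneDX SBOM, flags components that carry only a CPE and no purl (so their ecosystem is not stated), and checks each reported match against the component's purl type. It assumes a purl of the form pkg:TYPE/... identifies the ecosystem, and it uses a constructed match list of the shape {"component", "id", "ecosystem"} rather than grype's own output format. The SBOM is the one from the report plus a constructed npm component; the second advisory id is a placeholder.

```python
"""Added example (not grype's code): spot SBOM components whose ecosystem is
unknown, and matches whose advisory ecosystem cannot belong to the component."""
import json
from typing import Dict, List, Optional, Tuple

# Constructed sample: the libidn2 component from the report (CPE only, no purl)
# plus a constructed npm component that does carry a purl.
SAMPLE_SBOM: Dict = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
  "components": [
    {"cpe": "cpe:/a:gnu:libidn2:2.3.8", "name": "libidn2",
     "type": "library", "version": "2.3.8"},
    {"purl": "pkg:npm/lodash@4.17.21", "name": "lodash",
     "type": "library", "version": "4.17.21"}
  ]
}""")

# Constructed match list; this is NOT grype's JSON layout. The first id is the
# GHSA from the report, the second is a placeholder.
SAMPLE_MATCHES: List[Dict] = [
    {"component": "libidn2", "id": "GHSA-j6m4-68hc-mqq9", "ecosystem": "npm"},
    {"component": "lodash", "id": "GHSA-PLACEHOLDER-0001", "ecosystem": "npm"},
]


def purl_type(purl: str) -> Optional[str]:
    """Return the purl type ('npm', 'deb', 'generic', ...) or None if not a purl."""
    if not purl.startswith("pkg:"):
        return None
    head = purl[len("pkg:"):].split("/", 1)[0]
    return head.lower() or None


def components_without_purl(sbom: Dict) -> List[str]:
    """Names of components that do not state an ecosystem via purl."""
    return [c["name"] for c in sbom.get("components", []) if not c.get("purl")]


def is_cross_ecosystem_match(component: Dict, advisory_ecosystem: str) -> bool:
    """True when the component's purl type differs from the advisory's ecosystem.

    A component with no purl has an unknown ecosystem, so nothing can be ruled
    out and the function returns False; components_without_purl reports those.
    """
    ptype = purl_type(component.get("purl", ""))
    if ptype is None:
        return False
    return ptype != advisory_ecosystem.lower()


def triage(sbom: Dict, matches: List[Dict]) -> Tuple[List[str], List[str], List[str]]:
    """Split advisory ids into (suspect, unknown_ecosystem, consistent)."""
    by_name = {c["name"]: c for c in sbom.get("components", [])}
    suspect: List[str] = []
    unknown: List[str] = []
    consistent: List[str] = []
    for m in matches:
        comp = by_name.get(m["component"])
        if comp is None or not comp.get("purl"):
            unknown.append(m["id"])          # ecosystem not stated: needs a look
        elif is_cross_ecosystem_match(comp, m["ecosystem"]):
            suspect.append(m["id"])          # e.g. npm advisory on a deb purl
        else:
            consistent.append(m["id"])
    return suspect, unknown, consistent


if __name__ == "__main__":
    print("components without purl:", components_without_purl(SAMPLE_SBOM))
    print("triage:", triage(SAMPLE_SBOM, SAMPLE_MATCHES))
```

Run against the report's SBOM, libidn2 lands in the unknown-ecosystem bucket because the component only has a CPE; a component that states, say, a deb purl and still receives an npm advisory would land in the suspect bucket.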
Status: Done