false negative for cpe:2.3:o:linux:linux_kernel:6.6.16:*:*:*:*:*:*:* #2365
Comments
|
this appears related to : #1560 |
|
Hi @jurassicLizard, thanks for the issue! Currently, Grype's database does not include type |
|
@willmurphyscode thank you for your answer . I have read through the discussion and will post my follow up question there to keep the discussion linear. |
|
Adding |
|
@willmurphyscode Do we know of any possible downsides other than a larger DB? I can think of two easy ones
|
|
@willmurphyscode how technically difficult it is to make :h: and : o : opt-in ? meaning have them in the database but need to be explicitly activated with a disclaimer information about possible extended false positives, it would help us in embedded use grype also in that setting and would not affect anyone else. maybe a separate repo that needs to be explicitly activated (opt-in) ? or just a command-line flag that allows em to be included with the default being o and h are masked ? |
|
We touched on it briefly in the livestream on thursday, essentially with the new DB schema adding CPEs with H and O part values would be cheap and easy. I have a change inbound that updates the DB build command to add these in by default anchore/grype-db#544 . |
|
well done thanks . In practical terms, this means we would need to build the db ourselves with the build command and cannot rely on the standard release. Or did I misunderstand ? Thank you |
|
No need to build and DB locally or try an pull from an alternative source; since the PR landed today, tomorrow you should be able to see Which should see hits vulnerability matching-wise: It looks like there is an issue with the CPE matching logic for this case (we should have several more hits), I'll look into why that is the case today. |
|
Isn't it just that the db search command isn't properly taking into account the version part of the cpe whereas the match is? For instance, CVE-2007-3104 has a constraint of |
|
Maybe, but I think there is a larger problem with how h & o CPEs are being included in the current DB: Though we're pulling in ~10,000 extra CPEs (mostly h CPEs) it seems that we are not parsing the CPE node configuration correctly to consider these CPE parts (I think there is a bias to create packages for a types only for known-node configuration structures). |
|
Well, there's a problem with how I'm looking at this: just because we're including hardware and OS CPEs doesn't mean that we can match on them. In fact we still have a CPE filter in grype DB that still filters based off of primarily application CPEs.
|
|
Thank you ! |
|
Once anchore/grype-db#546 lands, I'll cut a release of grype-db in which case the next DB build will have the additional H & O CPEs. |
What happened:
expected to find vulnerabilities for given cpe : cpe:2.3:o:linux:linux_kernel:6.6.16:::::::* but none were found
What you expected to happen:
expected to receive a list of vulnerabilities that exceed a 1000 for the given cpe cpe:2.3:o:linux:linux_kernel:6.6.16:::::::*
https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe%3A2.3%3Ao%3Alinux%3Alinux_kernel%3A6.6.16%3A*%3A*%3A*%3A*%3A*%3A*%3A*
How to reproduce it (as minimally and precisely as possible):
sbom-false-negatives.json
✔ Scanned for vulnerabilities [0 vulnerability matches] ├── by severity: 0 critical, 0 high, 0 medium, 0 low, 0 negligible └── by status: 0 fixed, 0 not-fixed, 0 ignored [0000] WARN unable to determine linux distribution: unable to determine distro No vulnerabilities foundPlease also include the grype command and any configuration used.
--> grype sbom:sbom-false-negatives.json
Anything else we need to know?:
I have run the software with hundreds of sboms in that particular format using cpes it always seemed to find vulnerabilities but in this case it didnot which i found peculiar given the quality of previous results
Environment:
grype version:Application: grype
Version: 0.86.1
BuildDate: 2024-12-13T19:32:52Z
GitCommit: 5c4fee7
GitDescription: v0.86.1
Platform: linux/amd64
GoVersion: go1.23.4
Compiler: gc
Syft Version: v1.18.1
Supported DB Schema: 5
cat /etc/os-releaseor similar):NAME="Ubuntu"
VERSION="20.04.6 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.6 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal
Thank you for your support, bom was deliberately truncated from other irrelevant components and grype rerun on the truncated version
The text was updated successfully, but these errors were encountered: