
Grype missing vulnerability check for cpe:2.3:a :json:json:20200518 #1230

Closed
farhan0102 opened this issue Apr 11, 2023 · 4 comments
Labels
bug Something isn't working false-negative

Comments

@farhan0102

What happened:
This may be an issue for Syft and not Grype.
Component: maven:org.json:json
CPE Produced: cpe:2.3:a :json:json:20200518:::::::*
Actual CPE: cpe:2.3:a :json-java_project:json-java:20200518:::::::*

This may look like two separate packages but it isn’t; we can see in the SBOM it is built by stlea_00, which is linked to this repo, which is referenced in the CVE, and the recommendation is to upgrade to version 20230227. Json.org does reference multiple JSON libraries under Java it could be using, but the versioning of what we have suggests that this library is the correct one.
What you expected to happen:

How to reproduce it (as minimally and precisely as possible):

  1. downloaded and extracted JDBC Driver from here
  2. ran syft /Users/fahmz/Downloads/SimbaJDBCDriverforGoogleBigQuery42_1.3.0.1001 -o json=bom.json
  3. ran grype sbom:/Users/fahmz/Downloads/SimbaJDBCDriverforGoogleBigQuery42_1.3.0.1001/bom.json

Anything else we need to know?:

Environment:

  • Output of grype version:
    Application: grype
    Version: 0.61.0
    Syft Version: v0.76.0
    BuildDate: 2023-04-04T15:11:17Z
    GitCommit: d8c0c08
    GitDescription: v0.61.0
    Platform: darwin/arm64
    GoVersion: go1.19.7
    Compiler: gc
    Supported DB Schema: 5

  • OS (e.g: cat /etc/os-release or similar):
    ProductName: macOS
    ProductVersion: 13.3
    BuildVersion: 22E252

@farhan0102 farhan0102 added the bug Something isn't working label Apr 11, 2023
@farhan0102 farhan0102 changed the title Grype missing vulnerability check for cpe:2.3:a:json:json:20200518 Grype missing vulnerability check for cpe:2.3:a :json:json:20200518 Apr 12, 2023
@tgerla tgerla added this to OSS Apr 13, 2023
@tgerla
Contributor

tgerla commented Apr 13, 2023

Hi @farhan0102, thanks for the report. It's our understanding that you are seeing Grype report a false positive for a vulnerability that doesn't actually exist in what you are scanning, because of an incorrect CPE generation, is that correct? Let us know if we are misunderstanding.

@tgerla tgerla moved this to Awaiting Response in OSS Apr 13, 2023
@farhan0102
Author

Not quite, it is not a False Positive; the vulnerability does not show up for the CPE generated which means it's being missed. Actual CPE means the one that should be produced.

@westonsteimel
Contributor

I've submitted github/advisory-database#2086 to update the affected packages in GitHub which we'll pull in and match on once they update. CPE-based matching will always be brittle because syft is always essentially guessing what the CPE for a package may be.
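
An added illustration of the mismatch described in this thread (not code from syft, grype, or the GitHub advisory database): a minimal field-by-field CPE 2.3 matcher shows the guessed cpe:2.3:a:json:json CPE failing to hit an advisory keyed on json-java_project:json-java, while a package-name (purl) lookup for the same artifact matches. The advisory record, its placeholder id, and the purl-style matcher are constructed assumptions for this example.

```python
# Added example (not code from syft, grype or the reporter): why the CPE syft guessed
# for org.json:json misses an advisory that a package-URL (purl) lookup would find.
# The advisory record below is constructed; its fix version is the one the reporter cites.
ANY = {"*", ""}  # both spellings of an unset CPE 2.3 field

def parse_cpe23(text: str) -> tuple:
    """Return (part, vendor, product, version) from a 13-field CPE 2.3 string."""
    f = text.split(":")
    if len(f) != 13 or f[0] != "cpe" or f[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {text!r}")
    return tuple(f[2:6])

def field_matches(advisory: str, observed: str) -> bool:
    return advisory in ANY or observed in ANY or advisory == observed

def version_affected(version: str, fixed: str) -> bool:
    # org.json uses date-stamped versions, so an integer compare is adequate here
    return int(version) < int(fixed)

# Constructed advisory; the CVE id is a placeholder, not the real one behind this issue.
ADVISORY = {
    "id": "CVE-XXXX-XXXXX (placeholder)",
    "cpe": "cpe:2.3:a:json-java_project:json-java:*:*:*:*:*:*:*:*",
    "purl_name": "pkg:maven/org.json/json",
    "fixed_version": "20230227",
}

def cpe_matches(observed: str, advisory: dict) -> bool:
    adv, obs = parse_cpe23(advisory["cpe"]), parse_cpe23(observed)
    # part, vendor and product must all line up before the version range is even consulted
    return (all(field_matches(a, o) for a, o in zip(adv[:3], obs[:3]))
            and version_affected(obs[3], advisory["fixed_version"]))

def purl_matches(purl: str, advisory: dict) -> bool:
    name, _, version = purl.partition("@")
    return name == advisory["purl_name"] and version_affected(version, advisory["fixed_version"])

SYFT_GUESS = "cpe:2.3:a:json:json:20200518:*:*:*:*:*:*:*"   # what syft produced
ACTUAL_CPE = "cpe:2.3:a:json-java_project:json-java:20200518:*:*:*:*:*:*:*"
PURL = "pkg:maven/org.json/json@20200518"   # Maven coordinates need no vendor guess

def evaluate() -> dict:
    """False negative on the guessed CPE; the actual CPE and the purl both match."""
    return {"guessed_cpe": cpe_matches(SYFT_GUESS, ADVISORY),
            "actual_cpe": cpe_matches(ACTUAL_CPE, ADVISORY),
            "purl": purl_matches(PURL, ADVISORY)}

if __name__ == "__main__":
    print(evaluate())  # {'guessed_cpe': False, 'actual_cpe': True, 'purl': True}
```

The guessed CPE fails on the vendor field alone, before any version comparison, which is the false negative the reporter describes.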

@tgerla
Contributor

tgerla commented Jun 22, 2023

I believe this issue can be closed now that the advisory database has been updated.

@tgerla tgerla closed this as not planned Jun 22, 2023
@github-project-automation github-project-automation bot moved this from Awaiting Response to Done in OSS Jun 22, 2023