anchore / anchore-engine

A service that analyzes docker images and scans for vulnerabilities
Apache License 2.0

False detection for the MongoDB Java Client library #541

Open ldath opened 4 years ago

ldath commented 4 years ago

Is this a request for help?: No

Is this a BUG REPORT or a FEATURE REQUEST? (choose one): BUG REPORT

Version of Anchore Engine and Anchore CLI if applicable: docker.io/anchore/anchore-engine:v0.7.2 anchore-cli, version 0.7.2

What happened: False detection in the MongoDB Client library. It is adding CVEs like this https://nvd.nist.gov/vuln/detail/CVE-2020-7921, which are for the MongoDB server, to the Java MongoDB Client, for example this one: mongodb-driver-sync-4.0.4.jar. To give more details:

{
    "feed": "nvdv2",
    "feed_group": "nvdv2:cves",
    "fix": "None",
    "nvd_data": [
        {
            "cvss_v2": {
                "base_score": 3.5,
                "exploitability_score": 6.8,
                "impact_score": 2.9
            },
            "cvss_v3": {
                "base_score": 5.3,
                "exploitability_score": 1.6,
                "impact_score": 3.6
            },
            "id": "CVE-2020-7921"
        }
    ],
    "package": "mongodb-4.0.4",
    "package_cpe": "cpe:/a:-:mongodb:4.0.4:-:-",
    "package_cpe23": "cpe:2.3:a:-:mongodb:4.0.4:-:-:-:-:-:-:-",
    "package_name": "mongodb",
    "package_path": "/srv/....jar:BOOT-INF/lib/mongodb-driver-core-4.0.4.jar",
    "package_type": "java",
    "package_version": "4.0.4",
    "severity": "Medium",
    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7921",
    "vendor_data": [],
    "vuln": "CVE-2020-7921"
},

What did you expect to happen: Test passing

Any relevant log output from /var/log/anchore: Above is an example of the detected CVE.

What docker images are you using: amazoncorretto:8

How to reproduce the issue: Create a simple Java project which uses the latest Java MongoDB Client library.

Anything else we need to know: No

zhill commented 4 years ago

Hi @ldath. We can take a look at that image and see if that jar provides any additional data we can use to make our Java identification heuristics better, or if there is a bug being exposed, so thanks for reporting this. We're constantly working to improve the analysis of packages, and Java tends to be the most complex since there are so many possible metadata locations, none of which are actually required or enforced by a packaging system.

The best workaround for now is to use a policy whitelist to remove these matches on the policy side so they don't affect the evaluation of the image. See the whitelist docs for details.
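The following is an added example, not code from the anchore-engine project or from either participant in this thread. It takes the vulnerability record posted above (trimmed to the fields a whitelist needs), shows that the generated CPE carries no vendor, and builds the whitelist entry that suppresses the `CVE-2020-7921+mongodb` match described in the workaround. The whitelist item shape (`gate`, `trigger_id`, `id`, `comment`) follows Anchore Engine's policy bundle format, where the vulnerabilities gate names a finding `<vuln id>+<package name>`; the helper names, the whitelist id and name, and the second "should remain" finding are constructed for the example.

```python
import json

# Constructed sample findings. The first is the record from the report above, with the
# elided application jar path shortened to a placeholder; the second is a made-up jar
# (placeholder vulnerability id, not a real CVE) that must NOT be whitelisted.
SAMPLE_FINDINGS = [
    {
        "vuln": "CVE-2020-7921",
        "package_name": "mongodb",
        "package_version": "4.0.4",
        "package_type": "java",
        "package_path": "/srv/app.jar:BOOT-INF/lib/mongodb-driver-core-4.0.4.jar",
        "package_cpe23": "cpe:2.3:a:-:mongodb:4.0.4:-:-:-:-:-:-:-",
        "severity": "Medium",
    },
    {
        "vuln": "CVE-EXAMPLE-0001",  # placeholder id for the example only
        "package_name": "example-lib",
        "package_version": "1.0.0",
        "package_type": "java",
        "package_path": "/srv/app.jar:BOOT-INF/lib/example-lib-1.0.0.jar",
        "package_cpe23": "cpe:2.3:a:-:example-lib:1.0.0:-:-:-:-:-:-:-",
        "severity": "High",
    },
]


def trigger_id(finding):
    """Anchore Engine's vulnerabilities gate names each finding '<vuln id>+<package name>';
    a whitelist item must carry exactly that string in trigger_id."""
    return f"{finding['vuln']}+{finding['package_name']}"


def cpe_vendor(cpe23):
    """Return the vendor component of a CPE 2.3 formatted string.
    For the report's record this is '-': the analyzer found no vendor in the jar
    metadata, so the match was made on product name and version alone."""
    return cpe23.split(":")[3]


def is_driver_jar(finding):
    """Review heuristic (hypothetical, for a human to confirm before whitelisting):
    a Java package whose jar file name contains 'driver' is a client library,
    not the server the CVE describes."""
    jar = finding["package_path"].rsplit("/", 1)[-1]
    return finding["package_type"] == "java" and "driver" in jar


def whitelist_item(finding, comment):
    """One whitelist entry in Anchore Engine's policy bundle format."""
    return {
        "id": f"wl-{finding['vuln'].lower()}-{finding['package_name']}",  # constructed id
        "gate": "vulnerabilities",
        "trigger_id": trigger_id(finding),
        "comment": comment,
    }


def build_whitelist(findings, whitelist_id="mongodb-driver-fp", name="MongoDB driver false positives"):
    """Build a whitelist covering only the findings the review heuristic accepts."""
    items = [
        whitelist_item(f, "CVE is for the MongoDB server; this jar is the Java driver")
        for f in findings
        if is_driver_jar(f)
    ]
    return {"id": whitelist_id, "name": name, "version": "1_0", "items": items}


def apply_whitelist(findings, whitelist):
    """Simulate the evaluation step: drop findings whose trigger_id is whitelisted,
    so you can see what the policy evaluation would still report."""
    covered = {item["trigger_id"] for item in whitelist["items"]}
    return [f for f in findings if trigger_id(f) not in covered]


if __name__ == "__main__":
    wl = build_whitelist(SAMPLE_FINDINGS)
    print(json.dumps(wl, indent=2))
    for f in apply_whitelist(SAMPLE_FINDINGS, wl):
        print("still reported:", trigger_id(f), f["severity"])
```

The whitelist object only takes effect once its `id` is listed in the `whitelist_ids` of the mapping that selects the policy for this image, so paste it into the bundle's `whitelists` array and reference it from the mapping. Keep the heuristic as a review aid rather than an automatic rule: a whitelist entry silences the finding for every future evaluation, so each entry should be confirmed against the actual jar and the CVE's affected-product description.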