anchore / grype-db

Apache License 2.0

Missing db entry for CVE-2023-24329 fix in python-3.11 package, Chainguard Linux #135

Closed jdolitsky closed 1 year ago

jdolitsky commented 1 year ago

Hi there. We are noticing a false positive for CVE-2023-24329 on grype scans against Chainguard Linux images containing the apk package python-3.11.

Upon further investigation, it seems that this fix is picked up for Wolfi, even though both security feeds contain identical fix entries for the package.

For example, running either of the following curl/jq commands

curl -s https://packages.cgr.dev/chainguard/security.json | jq '.packages[] | select(.pkg.name=="python-3.11")'
curl -s https://packages.wolfi.dev/os/security.json | jq '.packages[] | select(.pkg.name=="python-3.11")'

will yield the same result:

{
  "pkg": {
    "name": "python-3.11",
    "secfixes": {
      "0": [
        "CVE-2007-4559",
        "CVE-2023-24329",
        "CVE-2023-36632"
      ],
      "3.0.7-r0": [
        "CVE-2020-10735"
      ]
    }
  }
}

Digging a bit deeper, we downloaded the latest grype db and extracted the vulnerability.db file:

curl -sL -o grype-db.tar.gz https://toolbox-data.anchore.io/grype/databases/vulnerability-db_v5_2023-07-24T01:34:10Z_a4cf9b7d6f30b2d91cde.tar.gz
tar -zxvf grype-db.tar.gz vulnerability.db

Then running the following query with SQLite

sqlite3 vulnerability.db 'select * from vulnerability where id="CVE-2023-24329" and package_name="python-3.11"'

results in just one row (namespace: wolfi:*):

1757928|CVE-2023-24329|python-3.11|wolfi:distro:wolfi:rolling||< 0|apk||[{"id":"CVE-2023-24329","namespace":"nvd:cpe"}]|["0"]|fixed|

Is there any reason why this would be the case? Is it something in vunnel? If you can help us identify the source of the issue, we are happy to contribute a fix. Thanks in advance!
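A small check for the situation described in this post, added here as an example (not code from the issue or the grype-db project): it reads the secfixes entries from both feeds, maps each feed to its grype namespace, and reports every (namespace, CVE, package, fixed version) that has no matching row in vulnerability.db. The feed excerpts and the in-memory table are constructed from what the issue shows; the chainguard namespace string and the column subset are assumptions.

```python
import json
import sqlite3

# Constructed feed excerpts mirroring the security.json shape shown in the issue.
FEEDS = {
    "wolfi": {"packages": [{"pkg": {"name": "python-3.11", "secfixes": {
        "0": ["CVE-2007-4559", "CVE-2023-24329", "CVE-2023-36632"],
        "3.0.7-r0": ["CVE-2020-10735"]}}}]},
    "chainguard": {"packages": [{"pkg": {"name": "python-3.11", "secfixes": {
        "0": ["CVE-2007-4559", "CVE-2023-24329", "CVE-2023-36632"],
        "3.0.7-r0": ["CVE-2020-10735"]}}}]},
}
# Grype namespace per feed: wolfi's is visible in the issue, chainguard's is assumed.
NAMESPACES = {"wolfi": "wolfi:distro:wolfi:rolling",
              "chainguard": "chainguard:distro:chainguard:rolling"}

def expected_fixes(feeds):
    """Yield (namespace, cve, package, fixed_version) from each feed's secfixes."""
    for feed, doc in feeds.items():
        for entry in doc["packages"]:
            pkg = entry["pkg"]
            for version, cves in pkg["secfixes"].items():
                for cve in cves:
                    yield NAMESPACES[feed], cve, pkg["name"], version

def missing_entries(feeds, conn):
    """Return expected fixes with no matching vulnerability row (or wrong fixed version)."""
    missing = []
    for ns, cve, pkg, version in expected_fixes(feeds):
        row = conn.execute(
            "select fixed_in_versions from vulnerability "
            "where id=? and package_name=? and namespace=?", (cve, pkg, ns)).fetchone()
        if row is None or version not in json.loads(row[0]):
            missing.append((ns, cve, pkg, version))
    return missing

def constructed_db():
    """In-memory stand-in for vulnerability.db holding only the wolfi row from the issue."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table vulnerability (id text, package_name text, "
                 "namespace text, fixed_in_versions text)")
    conn.execute("insert into vulnerability values (?,?,?,?)",
                 ("CVE-2023-24329", "python-3.11", NAMESPACES["wolfi"], '["0"]'))
    return conn

if __name__ == "__main__":
    for hit in missing_entries(FEEDS, constructed_db()):
        print("missing:", hit)
```

Against a real database, replace constructed_db() with sqlite3.connect("vulnerability.db") and the FEEDS dict with the parsed security.json documents.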

jdolitsky commented 1 year ago

Note, this is also the case for python-3.12

jdolitsky commented 1 year ago

Update - It does not appear to be an issue with vunnel producing the data.

Here is the result of running vunnel for both wolfi and chainguard providers and the contents of the records produced:

Generate the data:

rm -rf data
docker run --rm -v $(pwd)/data:/data ghcr.io/anchore/vunnel:latest run wolfi
docker run --rm -v $(pwd)/data:/data ghcr.io/anchore/vunnel:latest run chainguard

Extract the record for CVE-2023-24329 in Wolfi:

sqlite3 data/wolfi/results/results.db 'select record from results where id="wolfi:rolling/CVE-2023-24329"' | jq

Result:

{
  "schema": "https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json",
  "identifier": "wolfi:rolling/CVE-2023-24329",
  "item": {
    "Vulnerability": {
      "Severity": "Unknown",
      "NamespaceName": "wolfi:rolling",
      "FixedIn": [
        {
          "Name": "python-3.10",
          "Version": "0",
          "VersionFormat": "apk",
          "NamespaceName": "wolfi:rolling"
        },
        {
          "Name": "python-3.11",
          "Version": "0",
          "VersionFormat": "apk",
          "NamespaceName": "wolfi:rolling"
        },
        {
          "Name": "python-3.12",
          "Version": "0",
          "VersionFormat": "apk",
          "NamespaceName": "wolfi:rolling"
        }
      ],
      "Link": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24329",
      "Description": "",
      "Metadata": {},
      "Name": "CVE-2023-24329",
      "CVSS": []
    }
  }
}

Extract the record for CVE-2023-24329 in Chainguard Linux:

sqlite3 data/chainguard/results/results.db 'select record from results where id="chainguard:rolling/CVE-2023-24329"' | jq

Result:

{
  "schema": "https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json",
  "identifier": "chainguard:rolling/CVE-2023-24329",
  "item": {
    "Vulnerability": {
      "Severity": "Unknown",
      "NamespaceName": "chainguard:rolling",
      "FixedIn": [
        {
          "Name": "python-3.7",
          "Version": "3.7.17-r0",
          "VersionFormat": "apk",
          "NamespaceName": "chainguard:rolling"
        },
        {
          "Name": "python-3.8",
          "Version": "3.8.17-r0",
          "VersionFormat": "apk",
          "NamespaceName": "chainguard:rolling"
        },
        {
          "Name": "python-3.9",
          "Version": "3.9.17-r0",
          "VersionFormat": "apk",
          "NamespaceName": "chainguard:rolling"
        },
        {
          "Name": "python-3.10",
          "Version": "0",
          "VersionFormat": "apk",
          "NamespaceName": "chainguard:rolling"
        },
        {
          "Name": "python-3.11",
          "Version": "0",
          "VersionFormat": "apk",
          "NamespaceName": "chainguard:rolling"
        },
        {
          "Name": "python-3.12",
          "Version": "0",
          "VersionFormat": "apk",
          "NamespaceName": "chainguard:rolling"
        }
      ],
      "Link": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24329",
      "Description": "",
      "Metadata": {},
      "Name": "CVE-2023-24329",
      "CVSS": []
    }
  }
}

jdolitsky commented 1 year ago

appears to be resolved in the 7-25 vuln db: https://toolbox-data.anchore.io/grype/databases/vulnerability-db_v5_2023-07-25T01:34:46Z_0e1a488d5b0cc9b24ee6.tar.gz

closing for now!