anchore / grype

A vulnerability scanner for container images and filesystems
Apache License 2.0

False Positive: CVE-2020-5260 Ruby git-1.11.0-gemspec #1308

Closed sekveaja closed 1 year ago

sekveaja commented 1 year ago

What happened:

Using Ruby that includes git-1.11.0.gemspec; see the info below from the log file:

"package": "git-1.11.0",
"package_cpe": "cpe:2.3:a:scott-chacon-and-others:git:1.11.0:*:*:*:*:*:*:*",
"package_cpe23": "cpe:2.3:a:scott-chacon-and-others:git:1.11.0:*:*:*:*:*:*:*",
"package_name": "git",
"package_path": "/opt/logstash/vendor/bundle/jruby/2.6.0/specifications/git-1.11.0.gemspec",
"package_type": "gem",
"package_version": "1.11.0",
"severity": "High",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5260",

Grype reports CVE-2020-5260, which is related to

 cpe:2.3:a:git:git:*:*:*:*:*:*:*:*  Up to (excluding) 2.17.4,  2.22.0-2.22.3
 cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*         2.1x - 2.26.x

What you expected to happen:

It should not report the above CVE; what is used and what is reported are not the same artifact.

How to reproduce it (as minimally and precisely as possible):

Integrate with Ruby version 2.6

Environment:

willmurphyscode commented 1 year ago

Thanks for the issue! I am trying to investigate this, but I haven't been able to reproduce this false positive. Would you mind providing a link to an image, pinned to a specific digest, that exhibits the false positive? A gist or repo to clone or something would be fine as well.

Integrate with Ruby version 2.6

Based on this, I tried grype ruby:2.6 | grep CVE-2020-5260, but it didn't produce any output. What steps should I use to see this false positive?

sekveaja commented 1 year ago

Hi @willmurphyscode,

It is a custom image; I can only provide an indication of why it is not pointing to the right information.

On the console from Grype output:

    curl  7.79.1-150400.5.18.1  0:8.0.1-150400.5.23.1  rpm  CVE-2023-28322       High
    git   1.11.0                                       gem  CVE-2020-5260        High   <=============
    git   1.11.0                1.13.0                 gem  GHSA-pfpr-3463-c6jh  High
    git   1.11.0                1.13.0                 gem  GHSA-pphf-gfrm-v32r  High

On the logfile:

    "vulnerabilityID": "CVE-2020-5260",
    "versionConstraint": "< 2.17.4 || >= 2.22.0, < 2.22.3 (unknown)",
    "cpes": [
      "cpe:2.3:a:git:git:*:*:*:*:*:*:*:*"
    ]
    } } ],
    "artifact": {
      "id": "dd1ec8c8d8da47e",
      "name": "git",
      "version": "1.11.0",
      "type": "gem",
      "locations": [
        {
          "path": "/opt/logstash/vendor/bundle/jruby/2.6.0/specifications/git-1.11.0.gemspec",
          "layerID": "sha256:0b0d422fba61d3413f3b346806ad4b03ac4616460ae1ebca0c140485e07a1b6c"
        },

The logfile indicates that Grype finds an issue with git-1.11.0.gemspec and links it to CVE-2020-5260. When I copy git-1.11.0.gemspec from the container and scan it locally, it can't, because it is a text format:

    $ grype ./git-1.11.0.gemspec
    1 error occurred:
      * failed to catalog: unable to decode sbom: unable to identify format

It will generate the CVE only when it is scanned at the image level for this specific issue. The problem with CVE-2020-5260 is related to Git-Core (version < 2.17.x) in SUSE, since we are using that OS. Git 1.11.0 from Gem and Git-Core 2.x.x from SUSE are completely different. I believe in this case, because of the "git" keyword and the version being below the fixed version of Git-Core, Grype wrongly reports this text file git-1.11.0.gemspec against CVE-2020-5260. I hope it is useful input. Regards, Sek
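A triage check for the situation described in this issue, added here as example code (not grype's own and not the reporter's): it reads grype's JSON output, re-evaluates the version constraint to show why the match fired, and flags matches where the vulnerability's CPE vendor (`git`) is disjoint from the package's own CPE vendor (`scott-chacon-and-others`). It assumes grype's JSON layout with `matchDetails[0].found` carrying `versionConstraint` and `cpes`, as in the log excerpt above, and the report below is constructed from the values in this issue.

```python
# Added triage helper (example code, not grype's own): read grype JSON output
# and flag matches whose vulnerability CPE vendor differs from the package CPE,
# as with git-1.11.0.gemspec (scott-chacon-and-others) matched to git:git.
import operator as op
import re

def cpe_vendor(cpe):
    return cpe.split(":")[3]  # cpe:2.3:part:vendor:product:... (assumes no escaped ':')

def version_key(v):
    # numeric tuple for comparison; non-numeric components sort lowest
    return tuple(int(x) if x.isdigit() else -1 for x in re.split(r"[.-]", v))

_OPS = {"<": op.lt, "<=": op.le, ">": op.gt, ">=": op.ge, "=": op.eq}

def satisfies(version, constraint):
    """Evaluate grype's constraint text, e.g. '< 2.17.4 || >= 2.22.0, < 2.22.3 (unknown)'."""
    constraint = re.sub(r"\s*\([^)]*\)\s*$", "", constraint)  # drop trailing '(unknown)'
    v = version_key(version)
    for alternative in constraint.split("||"):          # '||' = OR, ',' = AND
        terms = [t.strip() for t in alternative.split(",") if t.strip()]
        parsed = [re.fullmatch(r"(<=|>=|<|>|=)\s*(\S+)", t) for t in terms]
        if terms and all(m and _OPS[m[1]](v, version_key(m[2])) for m in parsed):
            return True
    return False

def triage(report):
    """Return [(package, vulnerability id, verdict)] for every match in a grype report."""
    out = []
    for m in report["matches"]:
        art, found = m["artifact"], m["matchDetails"][0]["found"]
        pkg_vendors = {cpe_vendor(c) for c in art.get("cpes", [])}
        vuln_vendors = {cpe_vendor(c) for c in found.get("cpes", [])}
        if not satisfies(art["version"], found["versionConstraint"]):
            verdict = "version-out-of-range"
        elif pkg_vendors and vuln_vendors and pkg_vendors.isdisjoint(vuln_vendors):
            verdict = "vendor-mismatch"  # in range, but not the same product: review
        else:
            verdict = "matched"
        out.append((f"{art['name']}@{art['version']} ({art['type']})",
                    found["vulnerabilityID"], verdict))
    return out

# Constructed report in grype's JSON shape (trimmed), using the CPEs from this issue.
SAMPLE = {"matches": [{
    "artifact": {"name": "git", "version": "1.11.0", "type": "gem",
                 "cpes": ["cpe:2.3:a:scott-chacon-and-others:git:1.11.0:*:*:*:*:*:*:*"]},
    "matchDetails": [{"type": "cpe-match", "found": {
        "vulnerabilityID": "CVE-2020-5260", "cpes": ["cpe:2.3:a:git:git:*:*:*:*:*:*:*:*"],
        "versionConstraint": "< 2.17.4 || >= 2.22.0, < 2.22.3 (unknown)"}}]}]}
```

`triage(SAMPLE)` yields a `vendor-mismatch` verdict for the gem: the version 1.11.0 does fall inside `< 2.17.4`, so only the CPE vendor distinguishes the gem from the git binary that the CVE describes.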