anchore / grype

A vulnerability scanner for container images and filesystems
Apache License 2.0

False positive for ruby gem webrick #1405

Open sparrowt opened 1 year ago

sparrowt commented 1 year ago

What happened: Grype is reporting a (very old) vulnerability in the webrick ruby gem despite running a version with the fix:

> docker run --rm -it -v /var/run/docker.sock:/var/run/docker.sock -v /var/tmp/grype_cache:/var/tmp/ -e GRYPE_DB_CACHE_DIR=/var/tmp/ anchore/grype:v0.64.2 fluent/fluentd:v1.16.0-1.0
 ✔ Vulnerability DB                [no update available]
 ✔ Pulled image
 ✔ Loaded image                    fluent/fluentd:v1.16.0-1.0
 ✔ Parsed image                    sha256:caf29af93836d148c852bc4c7db0aa9dcf7b01269bdeca1e0bee721e8ccea31a
 ✔ Cataloged packages              [129 packages]
 ✔ Scanned for vulnerabilities     [46 vulnerabilities]
   ├── 2 critical, 21 high, 19 medium, 0 low, 0 negligible (4 unknown)
   └── 18 fixed
NAME                   INSTALLED         FIXED-IN          TYPE  VULNERABILITY        SEVERITY
...
webrick                1.7.0                               gem   CVE-2008-1145        Medium
webrick                1.7.0             2.2.8             gem   GHSA-369m-2gv6-mw28  High

https://github.com/advisories/GHSA-369m-2gv6-mw28 says the patched version is 1.4.0 so 1.7.0 should be fine.

However, grype says it is 'Fixed in' 2.2.8, which doesn't make sense because there is no version 2.2.8 of the webrick gem: https://github.com/ruby/webrick/releases / https://rubygems.org/gems/webrick

This seems like an FP, possibly because the CPEs on https://nvd.nist.gov/vuln/detail/CVE-2017-10784 seem to be referring to ruby versions (where 2.2.8 would be the first patched one AFAICS) which grype has then compared against the version of webrick itself.

What you expected to happen: No vulnerability to be reported for Ruby Gem webrick at version 1.7.0

How to reproduce it (as minimally and precisely as possible): As above:

docker run --rm -it -v /var/run/docker.sock:/var/run/docker.sock -v /var/tmp/grype_cache:/var/tmp/ -e GRYPE_DB_CACHE_DIR=/var/tmp/ anchore/grype:v0.64.2 fluent/fluentd:v1.16.0-1.0

Anything else we need to know?:

Environment:

shpml commented 1 year ago

False positive upstream.

https://github.com/github/advisory-database/pull/2526 https://github.com/github/advisory-database/pull/2533

sparrowt commented 1 year ago

Ah fab, thank you 👍. Out of interest, how long does it normally take (now that the upstream PR was merged) for it to make its way into the grype vuln db?

shpml commented 1 year ago

No idea, I'm using a different vulnerability scanner that uses the same DB and it seems to be fixed there.

westonsteimel commented 1 year ago

I did also contact NVD regarding https://nvd.nist.gov/vuln/detail/CVE-2008-1145 to try and get the CPE updated to something more like the one on https://nvd.nist.gov/vuln/detail/CVE-2009-4492, but that may take some time for them to process.

westonsteimel commented 1 year ago

grype databases typically get updated and published once per day by the following workflows

We do currently have an issue with the automated publishing pipeline that we're working on, but we manually published an update yesterday, so the GHSA record update should already be available.

sparrowt commented 1 year ago

Thanks, https://github.com/advisories/GHSA-369m-2gv6-mw28 is no longer incorrectly flagged 👍

I guess we'll leave this open for https://nvd.nist.gov/vuln/detail/CVE-2008-1145 while that's still wrongly flagged.

NAME                   INSTALLED         FIXED-IN          TYPE  VULNERABILITY        SEVERITY
...
ruby-webrick           1.7.0-r1                            apk   CVE-2008-1145        Medium
...
webrick                1.7.0                               gem   CVE-2008-1145        Medium

spiffcs commented 1 year ago

We can tell from the description that this is an FP, but the CPE we're generating, compared with what is in NVD, is correct:

NVD:   cpe:2.3:a:ruby-lang:webrick:-:*:*:*:*:ruby:*:*
Grype: cpe:2.3:a:ruby-lang:webrick:1.7.0:*:*:*:*:*:*:*

In the above case '-' is used in the version selector, and weston has contacted NVD about getting a better CPE for this.

One more final thought - we are moving away from CPE matching in the near future and this issue should be solved once we move to the PURL/GHSA model.
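The two mismatches discussed in this thread (the GHSA fixed-in range that appears to come from Ruby interpreter versions rather than gem versions, and the NVD CPE whose version attribute is '-') can be worked through with a small matcher. The following is an added example written for this thread, not grype's code and not a description of how grype's matcher is implemented: it parses the two CPE 2.3 strings quoted above, compares them attribute by attribute using the ANY ('*') / NA ('-') rules from NISTIR 7696, shows that a vendor/product-only comparison reports a hit while the spec's attribute comparison does not, and checks gem version 1.7.0 against both the real fixed-in version (1.4.0) and the interpreter version grype displayed (2.2.8). The gem version parser is a deliberately simplified numeric-only comparison, and the functions `parse_cpe`, `compare_attr`, `superset_blockers`, `vendor_product_match` and `is_vulnerable` are all hypothetical names chosen for this example.

```python
"""Added example (not grype code): CPE 2.3 attribute matching and gem fixed-in checks."""

# CPE 2.3 formatted-string attribute names in order, after the "cpe:2.3:" prefix.
CPE_FIELDS = ["part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other"]

ANY = "*"   # logical ANY in a CPE 2.3 formatted string
NA = "-"    # logical NA ("not applicable") in a CPE 2.3 formatted string

# The two CPEs quoted in the thread (NVD's record vs. the one grype generated).
NVD_CPE = "cpe:2.3:a:ruby-lang:webrick:-:*:*:*:*:ruby:*:*"
PACKAGE_CPE = "cpe:2.3:a:ruby-lang:webrick:1.7.0:*:*:*:*:*:*:*"


def parse_cpe(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string into named attributes.

    Backslash-escaped colons are not handled; none occur in the CPEs above."""
    prefix = "cpe:2.3:"
    if not cpe.startswith(prefix):
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    values = cpe[len(prefix):].split(":")
    if len(values) != len(CPE_FIELDS):
        raise ValueError(f"expected {len(CPE_FIELDS)} attributes, got {len(values)}")
    return dict(zip(CPE_FIELDS, values))


def compare_attr(source: str, target: str) -> str:
    """Pairwise attribute relation (NISTIR 7696): EQUAL, SUPERSET, SUBSET or DISJOINT.

    `source` is the advisory's attribute, `target` the installed package's."""
    if source == ANY:
        return "EQUAL" if target == ANY else "SUPERSET"
    if source == NA:
        if target == NA:
            return "EQUAL"
        if target == ANY:
            return "SUBSET"
        return "DISJOINT"          # NA never covers a concrete version
    if target == ANY:
        return "SUBSET"
    if target == NA:
        return "DISJOINT"
    return "EQUAL" if source.lower() == target.lower() else "DISJOINT"


def superset_blockers(advisory_cpe: str, package_cpe: str) -> dict:
    """Attributes that stop the advisory CPE from being a superset of the package CPE.

    An empty dict means every attribute is EQUAL or SUPERSET, i.e. the advisory
    applies to the package under the spec's name-matching rules."""
    adv, pkg = parse_cpe(advisory_cpe), parse_cpe(package_cpe)
    relations = {f: compare_attr(adv[f], pkg[f]) for f in CPE_FIELDS}
    return {f: r for f, r in relations.items() if r not in ("EQUAL", "SUPERSET")}


def vendor_product_match(advisory_cpe: str, package_cpe: str) -> bool:
    """Loose comparison on part/vendor/product only; this is how a record whose
    version is '-' can still look like a hit for every version of the product."""
    adv, pkg = parse_cpe(advisory_cpe), parse_cpe(package_cpe)
    return all(compare_attr(adv[f], pkg[f]) in ("EQUAL", "SUPERSET")
               for f in ("part", "vendor", "product"))


def parse_version(version: str) -> tuple:
    """Simplified gem version: dotted numeric segments only (no prerelease tags)."""
    return tuple(int(seg) for seg in version.split("."))


def is_vulnerable(installed: str, fixed_in: str) -> bool:
    """True when the installed version is below the advisory's fixed-in version."""
    return parse_version(installed) < parse_version(fixed_in)


if __name__ == "__main__":
    print("vendor/product only :", vendor_product_match(NVD_CPE, PACKAGE_CPE))
    print("spec blockers       :", superset_blockers(NVD_CPE, PACKAGE_CPE))
    print("1.7.0 < 1.4.0 (gem) :", is_vulnerable("1.7.0", "1.4.0"))
    print("1.7.0 < 2.2.8 (ruby):", is_vulnerable("1.7.0", "2.2.8"))
```

Run stand-alone, the vendor/product comparison reports a hit while the spec comparison lists `version: DISJOINT` (and `target_sw: SUBSET`, because NVD's record is narrowed to `ruby` where the generated CPE is `*`); the version check shows 1.7.0 is at or above the real fix (1.4.0) and only reads as vulnerable when a Ruby interpreter version such as 2.2.8 is mistaken for a gem version.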