Open lmco-seth opened 5 months ago
Hi @lmco-seth, thanks for the report! It looks like we probably need to improve the CycloneDX importer to handle this case. We will put this in our backlog for a fix.
Thank you! Just wanted to make sure it was known.
I have the same issue when it reports a lodash@4.14.202 vulnerability instead of @types/lodash@4.14.202 on NPM.
We are experiencing the same issue with @sentry/electron@4.24.0 being reported as electron@4.24.0.
What happened:
Grype reports a vulnerability for `colors` when the package in the SBOM is `@colors/colors`. The SBOM is a demo SBOM from the cyclonedx-node-npm project (juice-shop example). This appears to be caused by Grype ignoring the `group` entry in the SBOM, as the NPM scope is stored in the `group` parameter. Running `grype --output table <demo-bom.json>` produces -- GHSA-gh88-3pxp-6fm8 is for `colors`, not `@colors/colors`.
What you expected to happen:
I would expect Grype to identify the package as @colors/colors and provide vulnerabilities for this package. If I manually prepend the `group` field to the `name`, Grype no longer reports GHSA-gh88-3pxp-6fm8.
How to reproduce it (as minimally and precisely as possible):
1. `grype --output table <demo-bom.json>`
2. `colors` in the vulnerabilities
3. `"name": "colors"` to `"name": "@colors/colors"`
4. `grype --output table <demo-bom.json>`
5. `colors`
Anything else we need to know?:
This format from the cyclonedx demo appears to be the intended format by the CycloneDX spec and is supported by the PURL spec.
Environment:
- `grype version`:
- `cat /etc/os-release` (or similar):
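As an added illustration of the mismatch described in this issue (this is not grype's code), the snippet below parses a constructed CycloneDX fragment modelled on the juice-shop demo SBOM and shows the package keys an importer produces when it ignores `group` versus when it joins `group` and `name` as the npm scope requires; the `@colors/colors` versions are placeholders, the `@sentry/electron` and `@types/lodash` versions are the ones quoted in the thread.

```python
import json
from urllib.parse import quote

# Constructed CycloneDX fragment (not the real demo-bom.json): npm scope in
# "group", bare package name in "name". 1.5.0 / 1.4.0 are placeholder versions.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "@colors", "name": "colors", "version": "1.5.0"},
        {"type": "library", "name": "colors", "version": "1.4.0"},
        {"type": "library", "group": "@sentry", "name": "electron", "version": "4.24.0"},
        {"type": "library", "group": "@types", "name": "lodash", "version": "4.14.202"},
    ],
})


def npm_name(component: dict) -> str:
    """Full npm name: the scope in `group` joined to `name` with a slash.

    Dropping `group` (the behaviour described in the issue) collapses
    "@colors/colors" to "colors" and "@sentry/electron" to "electron".
    """
    group = component.get("group")
    return f"{group}/{component['name']}" if group else component["name"]


def npm_purl(component: dict) -> str:
    """package-url for an npm component: the scope is the percent-encoded
    namespace, so "@colors/colors" becomes "pkg:npm/%40colors/colors@1.5.0"."""
    group = component.get("group")
    ns = quote(group, safe="") + "/" if group else ""
    return f"pkg:npm/{ns}{component['name']}@{component['version']}"


def scan_keys(bom_json: str, ignore_group: bool = False) -> list[str]:
    """Return the "name@version" keys a matcher would look up for each component."""
    keys = []
    for c in json.loads(bom_json)["components"]:
        name = c["name"] if ignore_group else npm_name(c)
        keys.append(f"{name}@{c['version']}")
    return keys


if __name__ == "__main__":
    print("group ignored: ", scan_keys(SAMPLE_BOM, ignore_group=True))
    print("group honoured:", scan_keys(SAMPLE_BOM))
    print([npm_purl(c) for c in json.loads(SAMPLE_BOM)["components"]])
```

With `group` ignored the scoped `@colors/colors` and the unscoped `colors` collapse into the same key, which is why the advisory for `colors` is matched against the wrong package.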