anchore / grype

A vulnerability scanner for container images and filesystems
Apache License 2.0

not showing poco CVEs from syft generated sbom #1737

Closed d3matt closed 7 months ago

d3matt commented 8 months ago

What happened: I'm using syft to generate an sbom from a conan lockfile that grype can parse. Grype is definitely showing CVEs for other packages, but is not showing a known CVE for poco version 1.12.2.

What you expected to happen: I expected grype to show CVE-2023-52389. I did a strings on the latest vulnerability db and it definitely has entries for that CVE.

How to reproduce it (as minimally and precisely as possible): Have an SBOM with a poco artifact (I think the record below is enough), scan it with `grype sbom:path/to/file`, and verify that CVE-2023-52389 is not listed

        {
            "id": "a37410edbefd35aa",
            "name": "poco",
            "version": "1.12.2",
        }

Anything else we need to know?:

Environment:

MinhTriet-Ly commented 8 months ago

We experienced the same issue with zlib/1.3 and expect that the lib appears with this CVE-2023-45853

    {
      "type": "library",
      "bom-ref": "pkg:conan/zlib@1.3%2306023034579559bb64357db3a53f88a4?package-id=d2a08f1cc3405bb7",
      "name": "zlib",
      "version": "1.3#06023034579559bb64357db3a53f88a4",
      "cpe": "cpe:2.3:a:zlib:zlib:1.3\\#06023034579559bb64357db3a53f88a4:*:*:*:*:*:*:*",
      "purl": "pkg:conan/zlib@1.3%2306023034579559bb64357db3a53f88a4",

env:

    Application:         grype
    Version:             0.74.7
    BuildDate:           2024-02-26T18:24:14Z
    GitCommit:           987238519b8d6e302130ab715f20daed6634da68
    GitDescription:      v0.74.7
    Platform:            linux/amd64
    GoVersion:           go1.21.7
    Compiler:            gc
    Syft Version:        v0.105.1
    Supported DB Schema: 5

    $ grype db status
    Built:     2024-03-04 01:24:54 +0000 UTC
    Schema:    5
    Checksum:  sha256:cbd02283db12e98c1a58ea491eea2cc2b8153da6c2bc65f769ec2831c22c4a45
    Status:    valid

d3matt commented 8 months ago

For me at least with zlib 1.2.12, grype gives me:

    zlib     1.2.12               conan  CVE-2023-45853  Critical
    zlib     1.2.12               conan  CVE-2022-37434  Critical

Here's my whole zlib entry

        {
            "id": "f93d28eff3f92b87",
            "name": "zlib",
            "version": "1.2.12",
            "type": "conan",
            "foundBy": "conan-cataloger",
            "locations": [
                {
                    "path": "/conan.lock",
                    "accessPath": "/conan.lock",
                    "annotations": {
                        "evidence": "primary"
                    }
                }
            ],
            "licenses": [],
            "language": "c++",
            "cpes": [
                {
                    "cpe": "cpe:2.3:a:zlib:zlib:1.2.12:*:*:*:*:*:*:*",
                    "source": "syft-generated"
                }
            ],
            "purl": "pkg:conan/zlib@1.2.12",
            "metadataType": "c-conan-lock-entry",
            "metadata": {
                "ref": "zlib/1.2.12#b76db676bd992afa93dd18a675323942",
                "package_id": "73358c545f2cc059d262ae03f7923b2f1ec043ed",
                "prev": "b0a12f38c776e9aa74cd7c35fcafd564",
                "options": [
                    {
                        "key": "fPIC",
                        "value": "True"
                    },
                    {
                        "key": "shared",
                        "value": "False"
                    }
                ],
                "context": "host"
            }
        }

MinhTriet-Ly commented 8 months ago

That's right, CVE-2023-45853 affects both versions zlib/1.2.x and zlib/1.3.0. The X-ray scan from Artifactory can detect them, but grype cannot.

tgerla commented 8 months ago

Hi @d3matt and @MinhTriet-Ly, thank you for the report. We'll take a look and see why. Stay tuned!

tgerla commented 8 months ago

Hi @d3matt, can you share the full SBOM you are scanning? Or at least the full poco record in JSON format? I don't think we quite have enough info to reproduce.

@MinhTriet-Ly, your issue is a separate problem. Could you open a separate issue and attach the full Conan lock file (or a subset that will allow us to reproduce the problem), and we will look into it? We do see a problem with the generated CPE in your case, but we will need to see a full lockfile to reproduce.

Thank you both!

d3matt commented 8 months ago

Here's my whole poco record from the syft generated sbom

        {
            "id": "a37410edbefd35aa",
            "name": "poco",
            "version": "1.12.2",
            "type": "conan",
            "foundBy": "conan-cataloger",
            "locations": [
                {
                    "path": "/conan.lock",
                    "accessPath": "/conan.lock",
                    "annotations": {
                        "evidence": "primary"
                    }
                }
            ],
            "licenses": [],
            "language": "c++",
            "cpes": [
                {
                    "cpe": "cpe:2.3:a:poco:poco:1.12.2:*:*:*:*:*:*:*",
                    "source": "syft-generated"
                }
            ],
            "purl": "pkg:conan/poco@1.12.2",
            "metadataType": "c-conan-lock-entry",
            "metadata": {
                "ref": "poco/1.12.2#e7c1df84b599356a4557f141ce45da68",
                "package_id": "d9f352ce6d7b286040ac7242d2030b19f182701e",
                "prev": "37344549da9654ce8f253cf596bb3904",
                "options": [
                    {
                        "key": "disable_signal_handler",
                        "value": "True"
                    },
                    {
                        "key": "enable_active_record",
                        "value": "deprecated"
                    },
                    {
                        "key": "enable_activerecord",
                        "value": "False"
                    },
                    {
                        "key": "enable_activerecord_compiler",
                        "value": "False"
                    },
                    {
                        "key": "enable_apacheconnector",
                        "value": "False"
                    },
                    {
                        "key": "enable_cppparser",
                        "value": "False"
                    },
                    {
                        "key": "enable_crypto",
                        "value": "True"
                    },
                    {
                        "key": "enable_data",
                        "value": "False"
                    },
                    {
                        "key": "enable_data_mysql",
                        "value": "False"
                    },
                    {
                        "key": "enable_data_odbc",
                        "value": "False"
                    },
                    {
                        "key": "enable_data_postgresql",
                        "value": "False"
                    },
                    {
                        "key": "enable_data_sqlite",
                        "value": "False"
                    },
                    {
                        "key": "enable_encodings",
                        "value": "True"
                    },
                    {
                        "key": "enable_fork",
                        "value": "True"
                    },
                    {
                        "key": "enable_json",
                        "value": "True"
                    },
                    {
                        "key": "enable_jwt",
                        "value": "True"
                    },
                    {
                        "key": "enable_mongodb",
                        "value": "False"
                    },
                    {
                        "key": "enable_net",
                        "value": "True"
                    },
                    {
                        "key": "enable_netssl",
                        "value": "True"
                    },
                    {
                        "key": "enable_pagecompiler",
                        "value": "False"
                    },
                    {
                        "key": "enable_pagecompiler_file2page",
                        "value": "False"
                    },
                    {
                        "key": "enable_pdf",
                        "value": "False"
                    },
                    {
                        "key": "enable_pocodoc",
                        "value": "False"
                    },
                    {
                        "key": "enable_prometheus",
                        "value": "False"
                    },
                    {
                        "key": "enable_redis",
                        "value": "False"
                    },
                    {
                        "key": "enable_sevenzip",
                        "value": "False"
                    },
                    {
                        "key": "enable_util",
                        "value": "True"
                    },
                    {
                        "key": "enable_xml",
                        "value": "True"
                    },
                    {
                        "key": "enable_zip",
                        "value": "True"
                    },
                    {
                        "key": "shared",
                        "value": "True"
                    },
                    {
                        "key": "expat:char_type",
                        "value": "char"
                    },
                    {
                        "key": "expat:shared",
                        "value": "True"
                    },
                    {
                        "key": "openssl:386",
                        "value": "False"
                    },
                    {
                        "key": "openssl:enable_weak_ssl_ciphers",
                        "value": "False"
                    },
                    {
                        "key": "openssl:no_aria",
                        "value": "False"
                    },
                    {
                        "key": "openssl:no_asm",
                        "value": "False"
                    },
                    {
                        "key": "openssl:no_async",
                        "value": "False"
                    },
                    {
                        "key": "openssl:no_bf",
                        "value": "False"
                    },
                    {
                        "key": "openssl:no_blake2",
                        "value": "False"
                    },
                    {
                        "key": "openssl:no_camellia",
                        "value": "False"
                    },
                    {
                        "key": "openssl:no_cast",
                        "value": "False"
                    },
                    {
                        "key": "openssl:no_chacha",
                        "value": "False"
                    },
                    {
                        "key": "openssl:no_cms",
                        "value": "False"
                    },
                    {
                        "key": "openssl:no_comp",
                        "value": "False"
                    },
                    {
                        "key": "openssl:no_ct",
                        "value": "False"
                    },
                    {
                        "key": "openssl:no_deprecated",
                        "value": "False"
                    },
                    {
                        "key": "openssl:no_des",
                        "value": "False"
                    },
                    {
                        "key": "openssl:no_dgram",
                        "value": "False"
                    },
                    {
                        "key": "openssl:no_dh",
                        "value": "False"
                    },
                    {
                        "key": "openssl:no_dsa",
                        "value": "False"
                    },
                    {
                        "key": "openssl:no_dso",
                        "value": "False"
                    },
                    {
                        "key": "openssl:no_ec",
                        "value": "False"
                    },
                    {
                        "key": "openssl:no_ecdh",
                        "value": "False"
                    },
                    {
                        "key": "openssl:no_ecdsa",
                        "value": "False"
                    },
                    {
                        "key": "openssl:no_engine",
                        "value": "False"
                    },
                    {
                        "key": "openssl:no_filenames",
                        "value": "False"
                    },
                    {
                        "key": "openssl:no_gost",
                        "value": "False"
                    },
                    {
                        "key": "openssl:no_hmac",
                        "value": "False"
                    },
                    {
                        "key": "openssl:no_idea",
                        "value": "False"
                    },
                    {
                        "key": "openssl:no_md4",
                        "value": "False"
                    },
                    {
                        "key": "openssl:no_md5",
                        "value": "False"
                    },
                    {
                        "key": "openssl:no_mdc2",
                        "value": "False"
                    },
                    {
                        "key": "openssl:no_ocsp",
                        "value": "False"
                    },
                    {
                        "key": "openssl:no_pinshared",
                        "value": "False"
                    },
                    {
                        "key": "openssl:no_rc2",
                        "value": "False"
                    },
                    {
                        "key": "openssl:no_rfc3779",
                        "value": "False"
                    },
                    {
                        "key": "openssl:no_rmd160",
                        "value": "False"
                    },
                    {
                        "key": "openssl:no_rsa",
                        "value": "False"
                    },
                    {
                        "key": "openssl:no_seed",
                        "value": "False"
                    },
                    {
                        "key": "openssl:no_sha",
                        "value": "False"
                    },
                    {
                        "key": "openssl:no_sm2",
                        "value": "False"
                    },
                    {
                        "key": "openssl:no_sm3",
                        "value": "False"
                    },
                    {
                        "key": "openssl:no_sm4",
                        "value": "False"
                    },
                    {
                        "key": "openssl:no_sock",
                        "value": "False"
                    },
                    {
                        "key": "openssl:no_srp",
                        "value": "False"
                    },
                    {
                        "key": "openssl:no_srtp",
                        "value": "False"
                    },
                    {
                        "key": "openssl:no_sse2",
                        "value": "False"
                    },
                    {
                        "key": "openssl:no_ssl",
                        "value": "False"
                    },
                    {
                        "key": "openssl:no_ssl3",
                        "value": "False"
                    },
                    {
                        "key": "openssl:no_stdio",
                        "value": "False"
                    },
                    {
                        "key": "openssl:no_tests",
                        "value": "False"
                    },
                    {
                        "key": "openssl:no_threads",
                        "value": "False"
                    },
                    {
                        "key": "openssl:no_tls1",
                        "value": "False"
                    },
                    {
                        "key": "openssl:no_ts",
                        "value": "False"
                    },
                    {
                        "key": "openssl:no_whirlpool",
                        "value": "False"
                    },
                    {
                        "key": "openssl:openssldir",
                        "value": "None"
                    },
                    {
                        "key": "openssl:shared",
                        "value": "True"
                    },
                    {
                        "key": "pcre2:build_pcre2_16",
                        "value": "True"
                    },
                    {
                        "key": "pcre2:build_pcre2_32",
                        "value": "True"
                    },
                    {
                        "key": "pcre2:build_pcre2_8",
                        "value": "True"
                    },
                    {
                        "key": "pcre2:build_pcre2grep",
                        "value": "True"
                    },
                    {
                        "key": "pcre2:grep_support_callout_fork",
                        "value": "True"
                    },
                    {
                        "key": "pcre2:shared",
                        "value": "True"
                    },
                    {
                        "key": "pcre2:support_jit",
                        "value": "False"
                    },
                    {
                        "key": "pcre2:with_bzip2",
                        "value": "False"
                    },
                    {
                        "key": "pcre2:with_zlib",
                        "value": "True"
                    },
                    {
                        "key": "zlib:fPIC",
                        "value": "True"
                    },
                    {
                        "key": "zlib:shared",
                        "value": "False"
                    }
                ],
                "context": "host"
            }
        },

tgerla commented 7 months ago

I think the problem here is that the CPE that we generate for this package is cpe:2.3:a:poco:poco:1.12.2:*:*:*:*:*:*:* but the CPE in the vulnerability database is cpe:2.3:a:pocoproject:poco:*:*:*:*:*:*:*:*

I am not sure why that is or the exact route to fix it, but I will check with the team.

@d3matt, it might be helpful if we had a conan.lock that could reproduce this problem. Do you have one you can give us? Thanks!

d3matt commented 7 months ago

See conan.lock.poco.1.12.2.txt

MinhTriet-Ly commented 7 months ago

Sorry for the late response. @tgerla Yes, you are correct, with our zlib case too. The CPE in the syft-generated SBOM .json file does affect the result of grype.

I was able to reproduce the problem with a minimal example: https://github.com/MinhTriet-Ly/demo_syft_grype

v1.0.1

    syft scan dir:${HOME}/proj/demo_zlib/build --scope=AllLayers --select-catalogers=conan --source-name=demo --output cyclonedx-json=syft-new.json
    grype -o json sbom:syft-new.json > grype-new.json

The old version `syft v0.87.1` produces the CPE on the left side of the image, and `syft v1.0.1` the right side:
![syft_v0 87 1_vs_v1 0 1](https://github.com/anchore/grype/assets/138019682/5a4c4d53-1c56-478c-aa1e-d02d9376e6e9)
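
Both failure modes in this thread come down to a syft-generated CPE that does not line up with the CPE the vulnerability database carries: for poco the vendor component differs (`poco` vs `pocoproject`, as tgerla notes), and for zlib the Conan revision that syft folded into the version (`1.3\#0602...`) can never equal a plain `1.3`. The following Python check is an added example, not code from syft or grype: it parses CPE 2.3 formatted strings, reports which component blocks a match, flags SBOM artifacts that hit no database CPE at all, and shows that stripping the Conan revision from the version repairs the zlib case. It is a deliberate simplification of real grype matching (component-by-component comparison with `*` as ANY, no version ranges, no non-CPE matchers), and the zlib database entries below are constructed for illustration.

```python
import re

# CPE 2.3 formatted-string components that follow the "cpe:2.3:" prefix.
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")

def parse_cpe(cpe):
    """Split on unescaped ':' (a component may contain '\\:') and name the fields."""
    parts = re.split(r"(?<!\\):", cpe)
    if len(parts) != 13 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    return dict(zip(CPE_FIELDS, parts[2:]))

def unescape(component):
    return re.sub(r"\\(.)", r"\1", component)

def escape(component):
    # Backslash-escape every character that may not appear bare in a component.
    return re.sub(r"([^A-Za-z0-9*?._-])", r"\\\1", component)

def component_matches(sbom_value, db_value):
    """'*' (ANY) on either side matches; otherwise compare unescaped text, case-insensitively."""
    if "*" in (sbom_value, db_value):
        return True
    return unescape(sbom_value).lower() == unescape(db_value).lower()

def mismatching_fields(sbom_cpe, db_cpe):
    """Components that stop sbom_cpe from matching db_cpe (empty list means a match)."""
    a, b = parse_cpe(sbom_cpe), parse_cpe(db_cpe)
    return [f for f in CPE_FIELDS if not component_matches(a[f], b[f])]

def cpe_matches(sbom_cpe, db_cpe):
    return not mismatching_fields(sbom_cpe, db_cpe)

def strip_conan_revision(sbom_cpe):
    """Rebuild the CPE with the Conan '#<revision>' suffix removed from its version."""
    p = parse_cpe(sbom_cpe)
    p["version"] = escape(unescape(p["version"]).split("#", 1)[0])
    return "cpe:2.3:" + ":".join(p[f] for f in CPE_FIELDS)

def unmatched_artifacts(artifacts, db_cpes):
    """'name@version' of every SBOM artifact whose CPEs hit no database CPE at all."""
    return [f"{a['name']}@{a['version']}" for a in artifacts
            if not any(cpe_matches(c["cpe"], d) for c in a["cpes"] for d in db_cpes)]

# Constructed inputs: the syft-generated CPEs quoted in this thread, plus a
# stand-in for the grype DB (the pocoproject entry is the one tgerla quotes;
# the zlib entries are assumed for illustration, not taken from the real DB).
SBOM_ARTIFACTS = [
    {"name": "poco", "version": "1.12.2",
     "cpes": [{"cpe": "cpe:2.3:a:poco:poco:1.12.2:*:*:*:*:*:*:*"}]},
    {"name": "zlib", "version": "1.2.12",
     "cpes": [{"cpe": "cpe:2.3:a:zlib:zlib:1.2.12:*:*:*:*:*:*:*"}]},
    {"name": "zlib", "version": "1.3#06023034579559bb64357db3a53f88a4",
     "cpes": [{"cpe": r"cpe:2.3:a:zlib:zlib:1.3\#06023034579559bb64357db3a53f88a4:*:*:*:*:*:*:*"}]},
]
DB_CPES = ["cpe:2.3:a:pocoproject:poco:*:*:*:*:*:*:*:*",
           "cpe:2.3:a:zlib:zlib:1.2.12:*:*:*:*:*:*:*",
           "cpe:2.3:a:zlib:zlib:1.3:*:*:*:*:*:*:*"]
```

Running `unmatched_artifacts(SBOM_ARTIFACTS, DB_CPES)` over a real syft JSON `artifacts` list is a quick way to see which packages grype's CPE matcher cannot reach before a scan, and `mismatching_fields` tells you whether it is the vendor (poco) or the version (zlib revision) that needs fixing.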