grype not showing fixed in for known CVEs

[d3matt]

What happened: I generated a sbom using syft v1.0.1 and scanned it with grype. Grype correctly showed two critical CVEs for zlib 1.2.12, but doesn't show that these are fixed in version 1.3.

What you expected to happen: I expected to see the FIXED-IN column to show "1.3.0" or similar

How to reproduce it (as minimally and precisely as possible): Use syft to scan the attached conan.lock (attached as a .txt) to generate an sbom then scan it with grype

syft.json conan.lock.txt

syft -o json=syft.json -o table conan.lock
grype sbom:syft.json

Anything else we need to know?: I generated this from an older version of the test package for zlib in the conan center index so I could provide the whole conan lockfile.

Environment:

• Output of grype version: Application: grype Version: 0.74.7 BuildDate: 2024-02-26T18:24:14Z GitCommit: 987238519b8d6e302130ab715f20daed6634da68 GitDescription: v0.74.7 Platform: linux/amd64 GoVersion: go1.21.7 Compiler: gc Syft Version: v0.105.1 Supported DB Schema: 5

• OS (e.g: cat /etc/os-release or similar): NAME="Rocky Linux" VERSION="9.3 (Blue Onyx)" ID="rocky" ID_LIKE="rhel centos fedora" VERSION_ID="9.3" PLATFORM_ID="platform:el9" PRETTY_NAME="Rocky Linux 9.3 (Blue Onyx)" ANSI_COLOR="0;32" LOGO="fedora-logo-icon" CPE_NAME="cpe:/o:rocky:rocky:9::baseos" HOME_URL="https://rockylinux.org/" BUG_REPORT_URL="https://bugs.rockylinux.org/" SUPPORT_END="2032-05-31" ROCKY_SUPPORT_PRODUCT="Rocky-Linux-9" ROCKY_SUPPORT_PRODUCT_VERSION="9.3" REDHAT_SUPPORT_PRODUCT="Rocky Linux" REDHAT_SUPPORT_PRODUCT_VERSION="9.3"

[tgerla]

Hi @d3matt, thanks for the report. Here are the vulnerabilities I get when I scan your SBOM:

tgerla@Timothys-MacBook-Pro-2 Downloads % grype sbom:syft.json
 ✔ Vulnerability DB                [updated]
 ✔ Scanned for vulnerabilities     [0 vulnerability matches]
   ├── by severity: 2 critical, 0 high, 0 medium, 0 low, 0 negligible
   └── by status:   0 fixed, 2 not-fixed, 0 ignored
NAME  INSTALLED  FIXED-IN  TYPE   VULNERABILITY   SEVERITY
zlib  1.2.12               conan  CVE-2023-45853  Critical
zlib  1.2.12               conan  CVE-2022-37434  Critical

As far as I can tell, neither of those vulnerabilities have any fixed-in information associated. CVE-2023-45853 lists 1.3 as vulnerable (https://nvd.nist.gov/vuln/detail/CVE-2023-45853). I seem to recall there was some controversy around this particular vulnerability, though -- the security problem is in a component called Minizip included in source package, so it's not actually zlib that's vulnerable. You may want to examine your environment and ignore this CVE via configuration if you are sure you're not vulnerable.

For the other CVE, I again don't see any fix version information in either the NVD (https://nvd.nist.gov/vuln/detail/CVE-2022-37434) or in GitHub's database (https://github.com/advisories/GHSA-cfmr-vrgj-vqwv). Are you seeing that these are considered fixed in 1.3 somewhere else? Thanks!

[d3matt]

Here's my lock file and syft.json which shows nothing:

conan.lock.zlib13.txt syft.json

[tgerla]

Hi @d3matt, that zlib13 lockfile has zlib 1.3.1, which is indeed not vulnerable. So, we've got: 1.2.12 which is vulnerable and reports CVEs, 1.3.0 which is vulnerable and reports CVEs, and 1.3.1 which is not vulnerable, and does not report any CVEs. I believe this is behaving correctly. Let me know if I'm missing something here!

[d3matt]

If there's correctly no CVEs in 1.3.1, shouldn't it say that the 1.2.12 CVEs are fixed in 1.3.1?

[tgerla]

Ideally, yes, but unfortunately the fix version data does not existing any of our upstream data sources, the NVD or the GHSA. We explored the idea of using CPE matching to infer fix version information in some cases, but it turned out to be an unreliable method. So until the NVD and/or GHSA updates to include complete fix version info, we will not have access to that information. Hope this helps!

[tgerla]

Let us know if you see any other weirdness! I know you've got https://github.com/anchore/grype/issues/1737 open too, that one is next on my list.