anchore / grype

A vulnerability scanner for container images and filesystems
Apache License 2.0

vex documents from the --vex flag do get processed or applied to the output correctly #1836

Open willejs opened 2 months ago

willejs commented 2 months ago

What happened:

When following the example here using the vex document specified, the vulnerability is rendered in the outputted report. This happens in any format.

vex.json

{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://openvex.dev/docs/public/vex-d4e9020b6d0d26f131d535e055902dd6ccf3e2088bce3079a8cd3588a4b14c78",
  "author": "A Grype User <jdoe@example.com>",
  "timestamp": "2023-07-17T18:28:47.696004345-06:00",
  "version": 1,
  "statements": [
    {
      "vulnerability": {
        "name": "CVE-2023-1255"
      },
      "products": [
        {
          "@id": "pkg:oci/alpine@sha256%3A124c7d2707904eea7431fffe91522a01e5a861a624ee31d03372cc1d138a3126",
          "subcomponents": [
            { "@id": "pkg:apk/alpine/libssl3@3.0.8-r3" },
            { "@id": "pkg:apk/alpine/libcrypto3@3.0.8-r3" }
          ]
        }
      ],
      "status": "fixed"
    }
  ]
}

command

docker run -it -v $PWD/vex.json:/vex.json  anchore/grype alpine@sha256:124c7d2707904eea7431fffe91522a01e5a861a624ee31d03372cc1d138a3126 --vex /vex.json
 ✔ Vulnerability DB                [updated]  
 ✔ Parsed image                                         sha256:51e60588ff2cd9f45792b23de89bfface0a7fbd711d17c5f5ce900a4f6b16260
 ✔ Cataloged contents                                          b5a5b7ce4eabc8414bf367761a28f4e8b16952ce5de537c15ed917b71b245f11
   ├── ✔ Packages                        [15 packages]  
   ├── ✔ File digests                    [78 files]  
   ├── ✔ File metadata                   [78 locations]  
   └── ✔ Executables                     [17 executables]  
 ✔ Scanned for vulnerabilities     [22 vulnerability matches]  
   ├── by severity: 0 critical, 2 high, 16 medium, 0 low, 0 negligible (4 unknown)
   └── by status:   22 fixed, 0 not-fixed, 0 ignored 
NAME        INSTALLED  FIXED-IN   TYPE  VULNERABILITY  SEVERITY 
...
libcrypto3  3.0.8-r3   3.0.8-r4   apk   CVE-2023-1255  Medium  
...

vexctl filter works


What you expected to happen:

I do not expect the vulnerability to be reported. Maybe I am missing something here?

How to reproduce it (as minimally and precisely as possible):

see above

Anything else we need to know?:

Environment:
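For reference, an added example (not Grype's own code) of the suppression the reporter expects from `--vex`: a minimal Python filter that reads the OpenVEX statement above and drops report matches whose vulnerability name and package PURL both appear as subcomponents under the product matching the scanned image. It assumes an exact string comparison of the product `@id` with the image PURL and a constructed, simplified grype-style JSON `matches` structure (only the fields the filter reads).

```python
# Image PURL exactly as written in the product "@id" of the reporter's vex.json.
IMAGE_PURL = "pkg:oci/alpine@sha256%3A124c7d2707904eea7431fffe91522a01e5a861a624ee31d03372cc1d138a3126"

# Constructed OpenVEX document: the single "fixed" statement from the report above.
VEX_DOC = {"@context": "https://openvex.dev/ns/v0.2.0", "statements": [{
    "vulnerability": {"name": "CVE-2023-1255"},
    "status": "fixed",
    "products": [{"@id": IMAGE_PURL, "subcomponents": [
        {"@id": "pkg:apk/alpine/libssl3@3.0.8-r3"},
        {"@id": "pkg:apk/alpine/libcrypto3@3.0.8-r3"}]}],
}]}

# Constructed, simplified grype-style JSON report (only the fields the filter reads).
REPORT = {"matches": [
    {"vulnerability": {"id": "CVE-2023-1255"}, "artifact": {"purl": "pkg:apk/alpine/libcrypto3@3.0.8-r3"}},
    {"vulnerability": {"id": "CVE-2023-1255"}, "artifact": {"purl": "pkg:apk/alpine/libssl3@3.0.8-r3"}},
    {"vulnerability": {"id": "CVE-2023-5363"}, "artifact": {"purl": "pkg:apk/alpine/libcrypto3@3.0.8-r3"}},
]}

# VEX statuses under which a match should no longer be reported as an open finding.
SUPPRESS_STATUSES = {"fixed", "not_affected"}

def suppressed_pairs(vex_doc, image_purl):
    """Collect (vulnerability name, subcomponent PURL) pairs the VEX document suppresses for this image.
    Assumption: the product "@id" must equal image_purl as an exact string."""
    pairs = set()
    for stmt in vex_doc.get("statements", []):
        if stmt.get("status") not in SUPPRESS_STATUSES:
            continue
        vuln = stmt["vulnerability"]["name"]
        for product in stmt.get("products", []):
            if product.get("@id") != image_purl:
                continue
            for sub in product.get("subcomponents", []):
                pairs.add((vuln, sub["@id"]))
    return pairs

def apply_vex(report, vex_doc, image_purl):
    """Split report matches into (kept, dropped) lists according to the VEX statements."""
    drop = suppressed_pairs(vex_doc, image_purl)
    kept, dropped = [], []
    for m in report["matches"]:
        key = (m["vulnerability"]["id"], m["artifact"]["purl"])
        (dropped if key in drop else kept).append(m)
    return kept, dropped
```

With the reporter's document, both CVE-2023-1255 rows (libssl3 and libcrypto3) are dropped and the unrelated CVE-2023-5363 row is kept; a statement whose product `@id` does not match the image suppresses nothing.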

tgerla commented 2 months ago

Hi @willejs, thank you for the report, we've reproduced this issue on the latest Grype, 0.77.2:

Without vex (CVE-2023-1255 shows up):

tgerla@Timothys-MacBook-Pro-2 grype-1836 % grype alpine@sha256:124c7d2707904eea7431fffe91522a01e5a861a624ee31d03372cc1d138a3126

 ✔ Vulnerability DB                [no update available]
 ✔ Parsed image                                        sha256:51e60588ff2cd9f45792b23de89bfface0a7fbd711d17c5f5ce900a4f6b16260
 ✔ Cataloged contents                                         b5a5b7ce4eabc8414bf367761a28f4e8b16952ce5de537c15ed917b71b245f11
   ├── ✔ Packages                        [15 packages]
   ├── ✔ File digests                    [78 files]
   ├── ✔ File metadata                   [78 locations]
   └── ✔ Executables                     [17 executables]
 ✔ Scanned for vulnerabilities     [22 vulnerability matches]
   ├── by severity: 0 critical, 2 high, 16 medium, 0 low, 0 negligible (4 unknown)
   └── by status:   22 fixed, 0 not-fixed, 0 ignored
NAME        INSTALLED  FIXED-IN   TYPE  VULNERABILITY  SEVERITY
libcrypto3  3.0.8-r3   3.0.12-r0  apk   CVE-2023-5363  High
libcrypto3  3.0.8-r3   3.0.12-r4  apk   CVE-2024-0727  Medium
libcrypto3  3.0.8-r3   3.0.12-r2  apk   CVE-2023-6129  Medium
libcrypto3  3.0.8-r3   3.0.12-r1  apk   CVE-2023-5678  Medium
libcrypto3  3.0.8-r3   3.0.10-r0  apk   CVE-2023-3817  Medium
libcrypto3  3.0.8-r3   3.0.9-r3   apk   CVE-2023-3446  Medium
libcrypto3  3.0.8-r3   3.0.9-r2   apk   CVE-2023-2975  Medium
libcrypto3  3.0.8-r3   3.0.9-r0   apk   CVE-2023-2650  Medium
libcrypto3  3.0.8-r3   3.0.8-r4   apk   CVE-2023-1255  Medium
libcrypto3  3.0.8-r3   3.0.12-r5  apk   CVE-2024-2511  Unknown
libcrypto3  3.0.8-r3   3.0.12-r3  apk   CVE-2023-6237  Unknown
libssl3     3.0.8-r3   3.0.12-r0  apk   CVE-2023-5363  High
libssl3     3.0.8-r3   3.0.12-r4  apk   CVE-2024-0727  Medium
libssl3     3.0.8-r3   3.0.12-r2  apk   CVE-2023-6129  Medium
libssl3     3.0.8-r3   3.0.12-r1  apk   CVE-2023-5678  Medium
libssl3     3.0.8-r3   3.0.10-r0  apk   CVE-2023-3817  Medium
libssl3     3.0.8-r3   3.0.9-r3   apk   CVE-2023-3446  Medium
libssl3     3.0.8-r3   3.0.9-r2   apk   CVE-2023-2975  Medium
libssl3     3.0.8-r3   3.0.9-r0   apk   CVE-2023-2650  Medium
libssl3     3.0.8-r3   3.0.8-r4   apk   CVE-2023-1255  Medium
libssl3     3.0.8-r3   3.0.12-r5  apk   CVE-2024-2511  Unknown
libssl3     3.0.8-r3   3.0.12-r3  apk   CVE-2023-6237  Unknown

With vex (CVE-2023-1255 shows up):

tgerla@Timothys-MacBook-Pro-2 grype-1836 % grype alpine@sha256:124c7d2707904eea7431fffe91522a01e5a861a624ee31d03372cc1d138a3126 --vex vex.json
 ✔ Vulnerability DB                [no update available]
 ✔ Parsed image                                        sha256:51e60588ff2cd9f45792b23de89bfface0a7fbd711d17c5f5ce900a4f6b16260
 ✔ Cataloged contents                                         b5a5b7ce4eabc8414bf367761a28f4e8b16952ce5de537c15ed917b71b245f11
   ├── ✔ Packages                        [15 packages]
   ├── ✔ File digests                    [78 files]
   ├── ✔ File metadata                   [78 locations]
   └── ✔ Executables                     [17 executables]
 ✔ Scanned for vulnerabilities     [22 vulnerability matches]
   ├── by severity: 0 critical, 2 high, 16 medium, 0 low, 0 negligible (4 unknown)
   └── by status:   22 fixed, 0 not-fixed, 0 ignored
NAME        INSTALLED  FIXED-IN   TYPE  VULNERABILITY  SEVERITY
libcrypto3  3.0.8-r3   3.0.12-r0  apk   CVE-2023-5363  High
libcrypto3  3.0.8-r3   3.0.12-r4  apk   CVE-2024-0727  Medium
libcrypto3  3.0.8-r3   3.0.12-r2  apk   CVE-2023-6129  Medium
libcrypto3  3.0.8-r3   3.0.12-r1  apk   CVE-2023-5678  Medium
libcrypto3  3.0.8-r3   3.0.10-r0  apk   CVE-2023-3817  Medium
libcrypto3  3.0.8-r3   3.0.9-r3   apk   CVE-2023-3446  Medium
libcrypto3  3.0.8-r3   3.0.9-r2   apk   CVE-2023-2975  Medium
libcrypto3  3.0.8-r3   3.0.9-r0   apk   CVE-2023-2650  Medium
libcrypto3  3.0.8-r3   3.0.8-r4   apk   CVE-2023-1255  Medium
libcrypto3  3.0.8-r3   3.0.12-r5  apk   CVE-2024-2511  Unknown
libcrypto3  3.0.8-r3   3.0.12-r3  apk   CVE-2023-6237  Unknown
libssl3     3.0.8-r3   3.0.12-r0  apk   CVE-2023-5363  High
libssl3     3.0.8-r3   3.0.12-r4  apk   CVE-2024-0727  Medium
libssl3     3.0.8-r3   3.0.12-r2  apk   CVE-2023-6129  Medium
libssl3     3.0.8-r3   3.0.12-r1  apk   CVE-2023-5678  Medium
libssl3     3.0.8-r3   3.0.10-r0  apk   CVE-2023-3817  Medium
libssl3     3.0.8-r3   3.0.9-r3   apk   CVE-2023-3446  Medium
libssl3     3.0.8-r3   3.0.9-r2   apk   CVE-2023-2975  Medium
libssl3     3.0.8-r3   3.0.9-r0   apk   CVE-2023-2650  Medium
libssl3     3.0.8-r3   3.0.8-r4   apk   CVE-2023-1255  Medium
libssl3     3.0.8-r3   3.0.12-r5  apk   CVE-2024-2511  Unknown
libssl3     3.0.8-r3   3.0.12-r3  apk   CVE-2023-6237  Unknown
tgerla@Timothys-MacBook-Pro-2 grype-1836 %

On Grype 0.74.7, the CVE was filtered out as expected. We will take a look and see where the regression occurred. Thanks again!

szh commented 2 weeks ago

I'm trying to use the VEX feature and it's not working even with version 0.74.7 and 0.74.3...

szh commented 1 week ago

Never mind, it seems that the issue I'm having is due to a matching issue. I'll work on a fix and submit a PR soon.

willejs-ec commented 1 week ago

@tgerla thanks for investigating this and the swift reply! We are contemplating fixing this, but we were made aware of some other bugs around the format of the PURL, and also there are a couple of big PRs with large refactors waiting to be merged over here changing the implementation of vex support. Is there some wider context we are missing here and have you guys got some plans to overhaul the vex implementation/support? If so we will hold off for a bit!

We were looking at a commercial offering, but we have fallen at the first hurdle with vex support...

slashben commented 6 days ago

I was investigating why Grype stopped processing VEX documents generated by Kubescape. It boiled down to this line of code: https://github.com/anchore/grype/blob/368fd73fc238492ecfe17eaee3b491cd89faf88c/grype/vex/openvex/implementation.go#L166 Based on my investigation, there are two problems here.

szh commented 6 days ago

@puerco great keynote this morning BTW 😀 Go OpenVEX!