Open willejs opened 2 months ago
Hi @willejs, thank you for the report, we've reproduced this issue on the latest Grype, 0.77.2:
Without vex (CVE-2023-1255 shows up):
tgerla@Timothys-MacBook-Pro-2 grype-1836 % grype alpine@sha256:124c7d2707904eea7431fffe91522a01e5a861a624ee31d03372cc1d138a3126
✔ Vulnerability DB [no update available]
✔ Parsed image sha256:51e60588ff2cd9f45792b23de89bfface0a7fbd711d17c5f5ce900a4f6b16260
✔ Cataloged contents b5a5b7ce4eabc8414bf367761a28f4e8b16952ce5de537c15ed917b71b245f11
├── ✔ Packages [15 packages]
├── ✔ File digests [78 files]
├── ✔ File metadata [78 locations]
└── ✔ Executables [17 executables]
✔ Scanned for vulnerabilities [22 vulnerability matches]
├── by severity: 0 critical, 2 high, 16 medium, 0 low, 0 negligible (4 unknown)
└── by status: 22 fixed, 0 not-fixed, 0 ignored
NAME        INSTALLED  FIXED-IN   TYPE  VULNERABILITY  SEVERITY
libcrypto3  3.0.8-r3   3.0.12-r0  apk   CVE-2023-5363  High
libcrypto3  3.0.8-r3   3.0.12-r4  apk   CVE-2024-0727  Medium
libcrypto3  3.0.8-r3   3.0.12-r2  apk   CVE-2023-6129  Medium
libcrypto3  3.0.8-r3   3.0.12-r1  apk   CVE-2023-5678  Medium
libcrypto3  3.0.8-r3   3.0.10-r0  apk   CVE-2023-3817  Medium
libcrypto3  3.0.8-r3   3.0.9-r3   apk   CVE-2023-3446  Medium
libcrypto3  3.0.8-r3   3.0.9-r2   apk   CVE-2023-2975  Medium
libcrypto3  3.0.8-r3   3.0.9-r0   apk   CVE-2023-2650  Medium
libcrypto3  3.0.8-r3   3.0.8-r4   apk   CVE-2023-1255  Medium
libcrypto3  3.0.8-r3   3.0.12-r5  apk   CVE-2024-2511  Unknown
libcrypto3  3.0.8-r3   3.0.12-r3  apk   CVE-2023-6237  Unknown
libssl3     3.0.8-r3   3.0.12-r0  apk   CVE-2023-5363  High
libssl3     3.0.8-r3   3.0.12-r4  apk   CVE-2024-0727  Medium
libssl3     3.0.8-r3   3.0.12-r2  apk   CVE-2023-6129  Medium
libssl3     3.0.8-r3   3.0.12-r1  apk   CVE-2023-5678  Medium
libssl3     3.0.8-r3   3.0.10-r0  apk   CVE-2023-3817  Medium
libssl3     3.0.8-r3   3.0.9-r3   apk   CVE-2023-3446  Medium
libssl3     3.0.8-r3   3.0.9-r2   apk   CVE-2023-2975  Medium
libssl3     3.0.8-r3   3.0.9-r0   apk   CVE-2023-2650  Medium
libssl3     3.0.8-r3   3.0.8-r4   apk   CVE-2023-1255  Medium
libssl3     3.0.8-r3   3.0.12-r5  apk   CVE-2024-2511  Unknown
libssl3     3.0.8-r3   3.0.12-r3  apk   CVE-2023-6237  Unknown
With vex (CVE-2023-1255 shows up):
tgerla@Timothys-MacBook-Pro-2 grype-1836 % grype alpine@sha256:124c7d2707904eea7431fffe91522a01e5a861a624ee31d03372cc1d138a3126 --vex vex.json
✔ Vulnerability DB [no update available]
✔ Parsed image sha256:51e60588ff2cd9f45792b23de89bfface0a7fbd711d17c5f5ce900a4f6b16260
✔ Cataloged contents b5a5b7ce4eabc8414bf367761a28f4e8b16952ce5de537c15ed917b71b245f11
├── ✔ Packages [15 packages]
├── ✔ File digests [78 files]
├── ✔ File metadata [78 locations]
└── ✔ Executables [17 executables]
✔ Scanned for vulnerabilities [22 vulnerability matches]
├── by severity: 0 critical, 2 high, 16 medium, 0 low, 0 negligible (4 unknown)
└── by status: 22 fixed, 0 not-fixed, 0 ignored
NAME        INSTALLED  FIXED-IN   TYPE  VULNERABILITY  SEVERITY
libcrypto3  3.0.8-r3   3.0.12-r0  apk   CVE-2023-5363  High
libcrypto3  3.0.8-r3   3.0.12-r4  apk   CVE-2024-0727  Medium
libcrypto3  3.0.8-r3   3.0.12-r2  apk   CVE-2023-6129  Medium
libcrypto3  3.0.8-r3   3.0.12-r1  apk   CVE-2023-5678  Medium
libcrypto3  3.0.8-r3   3.0.10-r0  apk   CVE-2023-3817  Medium
libcrypto3  3.0.8-r3   3.0.9-r3   apk   CVE-2023-3446  Medium
libcrypto3  3.0.8-r3   3.0.9-r2   apk   CVE-2023-2975  Medium
libcrypto3  3.0.8-r3   3.0.9-r0   apk   CVE-2023-2650  Medium
libcrypto3  3.0.8-r3   3.0.8-r4   apk   CVE-2023-1255  Medium
libcrypto3  3.0.8-r3   3.0.12-r5  apk   CVE-2024-2511  Unknown
libcrypto3  3.0.8-r3   3.0.12-r3  apk   CVE-2023-6237  Unknown
libssl3     3.0.8-r3   3.0.12-r0  apk   CVE-2023-5363  High
libssl3     3.0.8-r3   3.0.12-r4  apk   CVE-2024-0727  Medium
libssl3     3.0.8-r3   3.0.12-r2  apk   CVE-2023-6129  Medium
libssl3     3.0.8-r3   3.0.12-r1  apk   CVE-2023-5678  Medium
libssl3     3.0.8-r3   3.0.10-r0  apk   CVE-2023-3817  Medium
libssl3     3.0.8-r3   3.0.9-r3   apk   CVE-2023-3446  Medium
libssl3     3.0.8-r3   3.0.9-r2   apk   CVE-2023-2975  Medium
libssl3     3.0.8-r3   3.0.9-r0   apk   CVE-2023-2650  Medium
libssl3     3.0.8-r3   3.0.8-r4   apk   CVE-2023-1255  Medium
libssl3     3.0.8-r3   3.0.12-r5  apk   CVE-2024-2511  Unknown
libssl3     3.0.8-r3   3.0.12-r3  apk   CVE-2023-6237  Unknown
On Grype 0.74.7, the CVE was filtered out as expected. We will take a look and see where the regression occurred. Thanks again!
I'm trying to use the VEX feature and it's not working even with version 0.74.7 and 0.74.3...
Never mind, it seems that the issue I'm having is due to a matching issue. I'll work on a fix and submit a PR soon.
@tgerla thanks for investigating this and the swift reply! We are contemplating fixing this, but we were made aware of some other bugs around the format of the PURL, and also there are a couple of big PRs with large refactors waiting to be merged over here changing the implementation of vex support. Is there some wider context we are missing here, and have you guys got some plans to overhaul the vex implementation/support? If so we will hold off for a bit!
We were looking at a commercial offering, but we have fallen at the first hurdle with vex support...
I was investigating why Grype stopped processing VEX documents generated by Kubescape. It boiled down to this line of code: https://github.com/anchore/grype/blob/368fd73fc238492ecfe17eaee3b491cd89faf88c/grype/vex/openvex/implementation.go#L166 Based on my investigation, there are two problems here.
index.docker.io as the registry name and the VEX document contains docker.io for the same field, therefore the comparison fails.

@puerco great keynote this morning BTW 😀 Go OpenVEX!
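As an added illustration of the registry-name mismatch described in the comment above (example code written for this page, not grype's implementation): both the scanned image reference and the OpenVEX product purl are reduced to a canonical repository plus manifest digest before they are compared, so docker.io and index.docker.io agree, and scan findings are then filtered using the statement's vulnerability, status and subcomponents. The purl shape pkg:oci/NAME@sha256:...?repository_url=..., the Docker Hub alias rules, the implicit "library/" namespace, and the choice that only not_affected and fixed suppress a finding are assumptions of this example; the sample scan rows and the VEX statement are constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Illustrative filter, not grype's code: assumes pkg:oci products with a repository_url
// qualifier, and that only not_affected and fixed statements suppress a finding.
type ScanMatch struct{ Package, Vuln string } // e.g. "pkg:apk/alpine/libssl3@3.0.8-r3", "CVE-2023-1255"
type ImageID struct{ Repo, Digest string }   // canonical repo such as "docker.io/library/alpine"
type VexStatement struct {
	Vuln, Product, Status string   // Product: "pkg:oci/NAME@sha256:...?repository_url=REG/NS/NAME"
	Subcomponents         []string // package purls covered; empty means the whole product
}
// canonicalRepo resolves Docker Hub's aliases and implicit "library/" namespace, so "alpine",
// "docker.io/alpine" and "index.docker.io/library/alpine" all become "docker.io/library/alpine".
func canonicalRepo(repo string) string {
	parts, host := strings.Split(repo, "/"), ""
	// Docker's grammar: the first segment is a registry only if it has "." or ":" or is "localhost".
	if len(parts) > 1 && (strings.ContainsAny(parts[0], ".:") || parts[0] == "localhost") {
		host, parts = strings.ToLower(parts[0]), parts[1:]
	}
	if host == "" || host == "index.docker.io" {
		host = "docker.io"
	}
	if host == "docker.io" && len(parts) == 1 {
		parts = append([]string{"library"}, parts...)
	}
	return host + "/" + strings.Join(parts, "/")
}

// parseImageRef parses "REPO@sha256:..." as typed on the scanner command line.
func parseImageRef(ref string) (ImageID, error) {
	repo, digest, ok := strings.Cut(ref, "@")
	if !ok || !strings.HasPrefix(digest, "sha256:") {
		return ImageID{}, fmt.Errorf("reference %q lacks a sha256 digest", ref)
	}
	return ImageID{Repo: canonicalRepo(repo), Digest: digest}, nil
}

// parseOCIPurl maps a VEX product purl onto the same canonical ImageID, so the two sides are
// compared after normalisation instead of as raw strings.
func parseOCIPurl(purl string) (ImageID, error) {
	base, rawQuery, _ := strings.Cut(purl, "?")
	name, digest, ok := strings.Cut(strings.TrimPrefix(base, "pkg:oci/"), "@")
	if !strings.HasPrefix(base, "pkg:oci/") || !ok {
		return ImageID{}, fmt.Errorf("%q is not a pkg:oci purl with a digest", purl)
	}
	q, err := url.ParseQuery(rawQuery)
	if err != nil {
		return ImageID{}, err
	}
	if repo := q.Get("repository_url"); repo != "" {
		name = repo // the qualifier carries registry and namespace; the bare name does not
	}
	return parseImageRef(name + "@" + digest)
}

// suppressed reports whether any statement covers finding m for the scanned image.
func suppressed(m ScanMatch, stmts []VexStatement, image ImageID) bool {
	for _, s := range stmts {
		product, err := parseOCIPurl(s.Product)
		if err != nil || product != image || s.Vuln != m.Vuln || (s.Status != "not_affected" && s.Status != "fixed") {
			continue
		}
		if len(s.Subcomponents) == 0 {
			return true // the statement covers the whole product
		}
		for _, sub := range s.Subcomponents {
			if sub == m.Package {
				return true
			}
		}
	}
	return false
}

// filterMatches returns the findings no statement in the document suppresses.
func filterMatches(matches []ScanMatch, stmts []VexStatement, image ImageID) []ScanMatch {
	var kept []ScanMatch
	for _, m := range matches {
		if !suppressed(m, stmts, image) {
			kept = append(kept, m)
		}
	}
	return kept
}

func main() {
	const digest = "sha256:124c7d2707904eea7431fffe91522a01e5a861a624ee31d03372cc1d138a3126" // constructed sample
	image, _ := parseImageRef("index.docker.io/library/alpine@" + digest)
	matches := []ScanMatch{{"pkg:apk/alpine/libssl3@3.0.8-r3", "CVE-2023-1255"}, {"pkg:apk/alpine/libssl3@3.0.8-r3", "CVE-2023-5363"}}
	stmts := []VexStatement{{Vuln: "CVE-2023-1255", Status: "not_affected",
		Product:       "pkg:oci/alpine@" + digest + "?repository_url=docker.io/library/alpine",
		Subcomponents: []string{"pkg:apk/alpine/libcrypto3@3.0.8-r3", "pkg:apk/alpine/libssl3@3.0.8-r3"}}}
	for _, m := range filterMatches(matches, stmts, image) {
		fmt.Println(m.Package, m.Vuln) // only the CVE-2023-5363 row remains
	}
}
```

Running this prints the single CVE-2023-5363 row: the scan was issued against index.docker.io while the statement names docker.io, and a raw string comparison of those two repository values would have left both rows in place, which is the failure mode the comment above describes. The same canonicalisation also makes a bare "alpine" on the command line match a fully qualified product id.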
What happened:
When following the example here using the vex document specified, the vulnerability is rendered in the output report. This happens in any format.
vex.json
command
vexctl filter works
What you expected to happen:
I do not expect the vulnerability to be reported. Maybe I am missing something here?
How to reproduce it (as minimally and precisely as possible): see above
Anything else we need to know?:
Environment:
- Output of grype version: 0.77.1
- OS (e.g: cat /etc/os-release or similar): mac/linux - tested both