anchore / grype

A vulnerability scanner for container images and filesystems
Apache License 2.0

@jridgewell/gen-mapping incorrectly attributed GHSA-8rmg-jf7p-4p22 #1886

Open ataraxus opened 1 month ago

ataraxus commented 1 month ago

What happened:

Our pipeline recently broke due to a critical finding of GHSA-8rmg-jf7p-4p22

[root@d992b56c077e /]# grype --version
grype 0.77.4
[root@d992b56c077e /]# grype bom.json
 ✔ Vulnerability DB                [no update available]
 ✔ Scanned for vulnerabilities     [1 vulnerability matches]
   ├── by severity: 1 critical, 0 high, 0 medium, 0 low, 0 negligible
   └── by status:   0 fixed, 1 not-fixed, 0 ignored
[0000] ERROR failed to fetch latest version: Get "https://toolbox-data.anchore.io/grype/releases/latest/VERSION": tls: failed to verify certificate: x509: certificate has exp
NAME         INSTALLED  FIXED-IN  TYPE  VULNERABILITY        SEVERITY
gen-mapping  0.3.5                npm   GHSA-8rmg-jf7p-4p22  Critical

What you expected to happen:

The malicious package is: https://www.npmjs.com/package/gen-mapping, which is a typosquatting attempt that got caught and squashed. The package in actual usage is @jridgewell/gen-mapping, which IMHO is also correctly stated in the provided BOM:

 {
      "type": "library",
      "name": "gen-mapping",
      "group": "@jridgewell",
      "version": "0.3.5",
      "bom-ref": "@jridgewell/gen-mapping@0.3.5",
      "purl": "pkg:npm/%40jridgewell/gen-mapping@0.3.5",
...
}

How to reproduce it (as minimally and precisely as possible):

package.json

{
  "name": "gen-mapping-test",
  "version": "1.0.0",
  "dependencies": {
    "@babel/core": "7.22.10"
  },
  "scripts": {},
  "author": "",
  "license": "ISC"
}
npm install 
npx -y @cyclonedx/cyclonedx-npm --omit dev --output-reproducible --output-file bom.json --package-lock-only
npx -y @cyclonedx/cyclonedx-npm --omit dev --short-PURLs --output-reproducible --output-file bom-short.json --package-lock-only

grype bom.json
grype bom-short.json

Anything else we need to know?:

I attached example boms, which trigger the issue.

Environment:

ataraxus commented 1 month ago

After looking at this issue: https://github.com/anchore/grype/issues/1701, it seems to be the same root cause. But I can't confirm for sure.

willmurphyscode commented 1 month ago

I think this is because Syft isn't decoding the Group field from CycloneDX JSON: https://github.com/anchore/syft/issues/1202

If Grype is pointed at an SBOM, even in CycloneDX format, where the component's name field contains "@jridgewell/gen-mapping" in the name, then Grype doesn't find this issue.

The path to a fix is probably to fix that Syft issue around the handling of the CycloneDX Group field. This issue is probably also the cause of #1701.
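The two comments above describe the mechanism (the scope `@jridgewell` lives only in the CycloneDX `group` field and in the purl, and a consumer that ignores `group` matches the bare name `gen-mapping`) and a shape that does work (the scope inside `name`). The script below is an added example written for this thread, not code from grype or syft: it reads a CycloneDX JSON BOM, reports every npm component whose bare `name` differs from the full name encoded in its purl, and writes a copy with the scope folded into `name` as a stop-gap until the Syft group handling is fixed. The sample BOM is constructed here from the component quoted in the issue plus two contrasting components; the function names and the decision to drop `group` when folding are this example's own choices, and it walks top-level `components` only.

```python
"""Find CycloneDX npm components whose scope is carried only by `group`/purl,
and emit a copy with the scope folded into `name`.

Added example for this issue thread; not part of grype or syft. Assumes the
behaviour described in the thread: a consumer that ignores `group` matches
the bare name ("gen-mapping"), while a name of "@jridgewell/gen-mapping" is
matched correctly.
"""
import copy
import json
import sys
from urllib.parse import unquote

# Constructed sample (not a real bom.json): the component quoted in the issue,
# an unscoped package, and a scoped package whose name already holds the scope.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "gen-mapping", "group": "@jridgewell",
         "version": "0.3.5", "bom-ref": "@jridgewell/gen-mapping@0.3.5",
         "purl": "pkg:npm/%40jridgewell/gen-mapping@0.3.5"},
        {"type": "library", "name": "semver", "version": "6.3.1",
         "bom-ref": "semver@6.3.1", "purl": "pkg:npm/semver@6.3.1"},
        {"type": "library", "name": "@babel/core", "version": "7.22.10",
         "bom-ref": "@babel/core@7.22.10", "purl": "pkg:npm/%40babel/core@7.22.10"},
    ],
}


def parse_purl(purl):
    """Split a package URL into (type, namespace, name, version).

    Decodes the percent-encoded npm scope (%40scope) and drops qualifiers and
    subpath. Sufficient for npm purls; not a full purl-spec implementation.
    """
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl!r}")
    body = purl[len("pkg:"):].split("#", 1)[0].split("?", 1)[0]
    ptype, _, path = body.partition("/")
    version = None
    if "@" in path:  # the only literal '@' left is the version separator
        path, version = path.rsplit("@", 1)
    parts = [unquote(p) for p in path.split("/") if p]
    if not parts:
        raise ValueError(f"purl has no name: {purl!r}")
    namespace = "/".join(parts[:-1]) or None
    return ptype, namespace, parts[-1], version


def npm_name_from_purl(purl):
    """Full npm package name ('@scope/name' or 'name'); None for non-npm purls."""
    ptype, namespace, name, _ = parse_purl(purl)
    if ptype != "npm":
        return None
    return f"{namespace}/{name}" if namespace else name


def find_group_mismatches(bom):
    """Components whose bare `name` is not the full npm name from the purl."""
    findings = []
    for comp in bom.get("components", []):
        purl = comp.get("purl")
        expected = npm_name_from_purl(purl) if purl else None
        if expected is None:
            continue
        bare = comp.get("name", "")
        if bare != expected:
            findings.append({"bom-ref": comp.get("bom-ref"), "name": bare,
                             "group": comp.get("group"), "expected": expected,
                             "purl": purl})
    return findings


def normalize_bom(bom):
    """Deep copy in which every npm component carries its scope in `name`.

    Workaround only (assumption of this example): `group` is removed when the
    scope is folded in, so a consumer that later honours `group` does not see
    '@scope/@scope/name'. The purl is left untouched.
    """
    out = copy.deepcopy(bom)
    for comp in out.get("components", []):
        purl = comp.get("purl")
        expected = npm_name_from_purl(purl) if purl else None
        if expected is not None and comp.get("name") != expected:
            comp["name"] = expected
            comp.pop("group", None)
    return out


def main(argv):
    """usage: script.py [bom.json [bom-fixed.json]]; no args runs the sample."""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            bom = json.load(fh)
    else:
        bom = SAMPLE_BOM
    for f in find_group_mismatches(bom):
        print(f"{f['bom-ref']}: name={f['name']!r} group={f['group']!r}; "
              f"a consumer ignoring group matches {f['name']!r}, want {f['expected']!r}")
    if len(argv) > 2:
        with open(argv[2], "w") as fh:
            json.dump(normalize_bom(bom), fh, indent=2)


if __name__ == "__main__":
    main(sys.argv)
```

Run it against the `bom.json` from the reproduction steps to list the affected components, and pass a second path to write the folded copy, which can then be fed to `grype` in place of the original. Re-running the check on the folded copy should report nothing.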