Open ataraxus opened 1 month ago
After looking at this issue: https://github.com/anchore/grype/issues/1701 it seems to be the same root cause. But I can't confirm for sure.
I think this is because Syft isn't decoding the Group field from CycloneDX JSON: https://github.com/anchore/syft/issues/1202
If Grype is pointed at an SBOM, even in CycloneDX format, where the component's name field contains "@jridgewell/gen-mapping" in the name, then Grype doesn't find this issue.
The path to a fix is probably to fix that Syft issue around the handling of the CycloneDX Group field. This issue is probably also the cause of #1701.
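As an added illustration of the mechanism described in that comment (not code from Syft or Grype; the SBOM fragment and the advisory record below are constructed stand-ins), this shows how reading only the CycloneDX name field turns @jridgewell/gen-mapping into a bare "gen-mapping" that collides with an advisory for the unscoped npm package, while honoring the group field keeps the two apart:

```python
import json

# Constructed CycloneDX 1.4 JSON fragment (not one of the attached BOMs):
# the scoped npm package @jridgewell/gen-mapping written with a separate
# "group" field, which is how CycloneDX represents an npm scope.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "group": "@jridgewell", "name": "gen-mapping",
     "version": "0.3.3", "purl": "pkg:npm/%40jridgewell/gen-mapping@0.3.3"},
    {"type": "library", "name": "lodash", "version": "4.17.21",
     "purl": "pkg:npm/lodash@4.17.21"}
  ]
}"""

# Constructed stand-in for the advisory record: GHSA-8rmg-jf7p-4p22 is about
# the unscoped npm package "gen-mapping", so an exact-name match is the test.
ADVISORY = {"id": "GHSA-8rmg-jf7p-4p22", "ecosystem": "npm", "package": "gen-mapping"}


def component_names(sbom_text, honor_group):
    """Return the npm package names read from a CycloneDX JSON document.

    honor_group=False reproduces the lossy decode the comment describes
    (only "name" is used); honor_group=True prefixes "group", giving the
    full scoped npm name.
    """
    names = []
    for comp in json.loads(sbom_text).get("components", []):
        name = comp["name"]
        group = comp.get("group")
        if honor_group and group:
            name = f"{group}/{name}"
        names.append(name)
    return names


def match_advisory(names, advisory):
    """Exact package-name match for one ecosystem; returns the names hit."""
    return [n for n in names if n == advisory["package"]]


if __name__ == "__main__":
    lossy = component_names(SBOM_JSON, honor_group=False)
    exact = component_names(SBOM_JSON, honor_group=True)
    print("name only  :", lossy, "->", match_advisory(lossy, ADVISORY))
    print("group+name :", exact, "->", match_advisory(exact, ADVISORY))
```

The first line reproduces the false positive from the report; the second is what a group-aware decode yields, and the same scoped name is also recoverable from the component's purl namespace.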
What happened:
Our pipeline recently broke due to a critical finding of GHSA-8rmg-jf7p-4p22.
What you expected to happen:
The malicious package is https://www.npmjs.com/package/gen-mapping, which is a typosquatting attempt that got caught and squashed. The package in actual usage is @jridgewell/gen-mapping, which IMHO is also correctly stated in the provided BOM:
How to reproduce it (as minimally and precisely as possible):
package.json
Anything else we need to know?:
I attached example BOMs which trigger the issue.
Environment:
Output of grype version:
OS (e.g. cat /etc/os-release or similar):