anchore / grype

A vulnerability scanner for container images and filesystems
Apache License 2.0

Possible FP - CVE-2019-10222 ceph in ec2 linux #1956

Open tomersein opened 3 months ago

tomersein commented 3 months ago

What happened: I am scanning EC2 with the newest Grype and get CVE-2019-10222 on the ceph package. However, I did a little research and I think it might be a FP, since the vulnerability doesn't seem to be related to the kernel. In the SBOM I see the below information:

"artifact": {
  "id": "4c09ac4b6900071d",
  "name": "ceph",
  "version": "",
  "type": "linux-kernel-module",
  "locations": [
    {
      "path": "/modules/5.10.217-205.860.amzn2.aarch64/kernel/fs/ceph/ceph.ko"
    }
  ],
  "language": "",
  "licenses": [
    "GPL"
  ],
  "cpes": [
    "cpe:2.3:a:ceph:ceph:*:*:*:*:*:*:*:*"
  ],
  "purl": "pkg:generic/ceph",
  "upstreams": []
}

In Grype I see:

ceph                              linux-kernel-module  CVE-2019-10222       High
ceph                              linux-kernel-module  CVE-2020-1700        Medium
ceph                              linux-kernel-module  CVE-2017-7519        Medium
ceph                              linux-kernel-module  CVE-2017-12155       Medium

and in json:

"matchDetails": [
  {
    "type": "cpe-match",
    "matcher": "stock-matcher",
    "searchedBy": {
      "namespace": "nvd:cpe",
      "cpes": [
        "cpe:2.3:a:ceph:ceph:*:*:*:*:*:*:*:*"
      ],
      "package": {
        "name": "ceph",
        "version": ""
      }
    },
    "found": {
      "vulnerabilityID": "CVE-2019-10222",
      "versionConstraint": "none (unknown)",
      "cpes": [
        "cpe:2.3:a:ceph:ceph:-:*:*:*:*:*:*:*"
      ]
    }
  }
],
"artifact": {
  "id": "4c09ac4b6900071d",
  "name": "ceph",
  "version": "",
  "type": "linux-kernel-module",
  "locations": [
    {
      "path": "/modules/5.10.217-205.860.amzn2.aarch64/kernel/fs/ceph/ceph.ko"
    }
  ],
  "language": "",
  "licenses": [
    "GPL"
  ],
  "cpes": [
    "cpe:2.3:a:ceph:ceph:*:*:*:*:*:*:*:*"
  ],
  "purl": "pkg:generic/ceph",
  "upstreams": []
}

What you expected to happen: I think this CVE is not related to the kernel, maybe to the application.

How to reproduce it (as minimally and precisely as possible):

barnuri commented 3 months ago

Any ETA for this bug? Got the same issue.

Ghostbxz commented 3 months ago

Having the same issue, is there any solution in the horizon?

kzantow commented 3 months ago

I left some notes on the Syft issue, but at least part of the problem is that the version is not included in the modinfo for this package (and many other kernel module packages).

I'm inclined to say the solution is to modify Grype such that packages with unknown versions are not matched by default, with an option to include them. I have a gut feeling that matching package vulnerabilities against packages with no versions would lead to more FPs than FNs, but don't have data to confirm this.

We have some other options such as excluding these packages altogether at the Syft level, but I think regardless of making that change, a generally useful behavior for Grype would be to omit these types of packages from vuln matching by default.

Thoughts?
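As an added example (not Grype's code, and not an implementation of the change proposed above), a post-processing filter over Grype's JSON output that applies the proposed default: a match is set aside for manual review when the package has no version and every match detail is a cpe-match, while versioned packages and matches with at least one non-CPE detail are kept as findings. The report below is constructed to mirror the ceph entry in this issue plus one ordinary versioned match; the second CVE id is a placeholder.

```python
import json

# Constructed sample in the shape of Grype's JSON output, trimmed to the
# fields this filter reads. The ceph entry mirrors the report in the issue;
# the second entry is a versioned apk match with a placeholder CVE id.
SAMPLE_REPORT = json.loads("""
{
  "matches": [
    {
      "vulnerability": {"id": "CVE-2019-10222", "severity": "High"},
      "matchDetails": [{"type": "cpe-match", "matcher": "stock-matcher",
        "found": {"versionConstraint": "none (unknown)"}}],
      "artifact": {"name": "ceph", "version": "", "type": "linux-kernel-module"}
    },
    {
      "vulnerability": {"id": "CVE-XXXX-PLACEHOLDER", "severity": "Medium"},
      "matchDetails": [{"type": "exact-direct-match", "matcher": "apk-matcher",
        "found": {"versionConstraint": "< 1.2.3"}}],
      "artifact": {"name": "libexample", "version": "1.2.0", "type": "apk"}
    }
  ]
}
""")


def is_unversioned_cpe_match(match):
    """True when the package has no version and every match detail is a
    CPE match (the situation that produced the ceph hits in this issue).
    A mixed match with any non-CPE detail is deliberately not suppressed."""
    version = match.get("artifact", {}).get("version", "")
    details = match.get("matchDetails", [])
    if version.strip() or not details:
        return False
    return all(d.get("type") == "cpe-match" for d in details)


def partition_matches(report):
    """Split a Grype report into (kept, suppressed) match lists."""
    kept, suppressed = [], []
    for m in report.get("matches", []):
        (suppressed if is_unversioned_cpe_match(m) else kept).append(m)
    return kept, suppressed


def summarize(matches):
    """One line per match: package, package type, CVE id, severity."""
    return [f'{m["artifact"]["name"]} {m["artifact"]["type"]} '
            f'{m["vulnerability"]["id"]} {m["vulnerability"]["severity"]}'
            for m in matches]


if __name__ == "__main__":
    kept, suppressed = partition_matches(SAMPLE_REPORT)
    print("kept:", *summarize(kept), sep="\n  ")
    print("suppressed (unversioned CPE matches):", *summarize(suppressed), sep="\n  ")
```

To use it on a real scan, replace SAMPLE_REPORT with `json.load()` of the output of `grype <target> -o json`.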

tomersein commented 2 months ago

I think removing vulnerabilities of packages as a default behavior might be confusing. I have a few ideas:

However, I would investigate why so many packages from the linux-kernel-module type don't have a version, or sometimes even a package name.

willmurphyscode commented 1 day ago

This might be fixed in https://github.com/anchore/grype/releases/tag/v0.80.2 by https://github.com/anchore/syft/pull/3257.

I don't have an example system handy with this kernel module. Is someone able to re-test and let us know whether this issue still affects Grype version v0.80.2 and later?