Closed wagde-orca closed 3 years ago
This is great info -- thanks for reporting. From what I can tell so far from an initial look, it seems that the groupID and artifactID aren't quite enough to directly match against the upstream sources (e.g. org.sonatype.nexus:nexus-components vs org.sonatype.nexus:nexus-core for GHSA... for NVD a CPE match of cpe:2.3:a:sonatype:nexus:*:*:*:*:*:*:*:* would be needed, but the vendor wasn't pulled out to be exactly sonatype but instead org.sonatype.nexus).
I think we can do more processing on the groupID to try out multiple vendor values (say, take the field just after org when splitting on .).
This is also starting to feel like the same conclusion reached in #192, where fuzzy matching combined with some confidence value would be ideal (see comment).
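The vendor-derivation idea in the comment above, worked through as an added example. This is illustrative code written for this page, not grype's own matcher: it takes a Maven groupID:artifactID, splits the groupID on ".", drops a leading reverse-DNS prefix such as org, and tries each remaining field as a CPE vendor (and the artifactID, its leading token, and the last groupID field as CPE products) against the vendor and product fields of a cpe:2.3 string. The prefix list, the product heuristics and the naive colon-split CPE parser are assumptions made here for the demo; version matching is left out.

```go
package main

import (
	"fmt"
	"strings"
)

// reverseDNSPrefixes are leading groupID fields that carry no vendor
// information. Assumption for this example: a small fixed list is enough.
var reverseDNSPrefixes = map[string]bool{"org": true, "com": true, "net": true, "io": true}

// uniqLower lower-cases, trims and de-duplicates candidate strings, keeping order.
func uniqLower(values ...string) []string {
	var out []string
	seen := map[string]bool{}
	for _, v := range values {
		v = strings.ToLower(strings.TrimSpace(v))
		if v != "" && !seen[v] {
			seen[v] = true
			out = append(out, v)
		}
	}
	return out
}

// candidateVendors returns the CPE vendor strings to try for a Maven groupID,
// most specific first: the raw groupID (what a plain comparison would use),
// then each dotted field after the reverse-DNS prefix.
// "org.sonatype.nexus" -> ["org.sonatype.nexus", "sonatype", "nexus"]
func candidateVendors(groupID string) []string {
	values := []string{groupID}
	for i, f := range strings.Split(groupID, ".") {
		if i == 0 && reverseDNSPrefixes[f] {
			continue
		}
		values = append(values, f)
	}
	return uniqLower(values...)
}

// candidateProducts returns the CPE product strings to try: the artifactID,
// its leading token before the first "-" (nexus-main -> nexus), and the last
// groupID field (org.sonatype.nexus -> nexus). These heuristics are assumptions.
func candidateProducts(groupID, artifactID string) []string {
	fields := strings.Split(groupID, ".")
	head := strings.SplitN(artifactID, "-", 2)[0]
	return uniqLower(artifactID, head, fields[len(fields)-1])
}

// parseCPE23 extracts vendor (field 3) and product (field 4) from a cpe:2.3 string.
// Assumption: no escaped colons inside fields, which holds for the CPE in this issue.
func parseCPE23(cpe string) (vendor, product string, ok bool) {
	parts := strings.Split(cpe, ":")
	if len(parts) != 13 || parts[0] != "cpe" || parts[1] != "2.3" {
		return "", "", false
	}
	return strings.ToLower(parts[3]), strings.ToLower(parts[4]), true
}

// matchesCPE reports whether any (vendor, product) candidate pair derived from
// the Maven coordinates equals the CPE's vendor and product, returning the pair
// that matched so a caller could later weight it by how specific it was.
func matchesCPE(groupID, artifactID, cpe string) (vendor, product string, matched bool) {
	cpeVendor, cpeProduct, ok := parseCPE23(cpe)
	if !ok {
		return "", "", false
	}
	for _, v := range candidateVendors(groupID) {
		if v != cpeVendor {
			continue
		}
		for _, p := range candidateProducts(groupID, artifactID) {
			if p == cpeProduct {
				return v, p, true
			}
		}
	}
	return "", "", false
}

func main() {
	// Constructed sample input: the CPE named in the comment above plus three coordinates.
	const cpe = "cpe:2.3:a:sonatype:nexus:*:*:*:*:*:*:*:*"
	for _, c := range [][2]string{
		{"org.sonatype.nexus", "nexus-main"},
		{"org.sonatype.nexus", "nexus-core"},
		{"org.apache.commons", "commons-lang3"},
	} {
		v, p, ok := matchesCPE(c[0], c[1], cpe)
		fmt.Printf("%s:%s -> matched=%v vendor=%q product=%q\n", c[0], c[1], ok, v, p)
	}
}
```

The raw groupID is kept as the first candidate so that a direct hit still wins; the split fields only come into play when it fails, which is exactly the org.sonatype.nexus vs sonatype case. Trying several vendors widens the match surface, so a real implementation would want to attach a confidence to each candidate rather than treat all hits as equal.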
@wagde-orca the package and vendor sourcing from the POM groupID enhancement has been released under https://github.com/anchore/grype/releases/tag/v0.6.0
Cool, thanks. I will check it in a few days.
What happened: I ran grype on a directory with jar files and it missed several CVEs, for example in nexus-main.jar version 3.0.0-03.
What you expected to happen: I expected to see "CVE-2019-7238", "CVE-2020-10199", "CVE-2020-10203", "CVE-2020-10204" and "CVE-2020-11444" reported for nexus-main-3.0.0-03.jar, but grype did not catch any of them.
How to reproduce it (as minimally and precisely as possible):
Anything else we need to know?: I saw other FPs/FNs in Java; I can supply more examples.
Environment:
Output of grype version:
Application: grype
Version: 0.4.0
BuildDate: 2020-11-12T15:17:25Z
GitCommit: a494df7be45c08f33decd227ef2bc19f210017a5
GitTreeState: clean
Platform: darwin/amd64
GoVersion: go1.14.11
Compiler: gc
Supported DB Schema: 1
OS (e.g. cat /etc/os-release or similar):