anchore / grype

A vulnerability scanner for container images and filesystems
Apache License 2.0
8.91k stars 575 forks

Unable to parse apk constraint phrase: failed to create comparator for '&{>= 1.0.2zk}' #2195

Closed bergernir closed 1 month ago

bergernir commented 1 month ago

What happened: Scans started to fail with the following error message: "error creating a constraint: version: 1.1.1y error: unable to parse apk constraint phrase: failed to create comparator for '&{>= 1.0.2zk}': unable to parse constraint version (1.0.2zk): invalid version"

What you expected to happen: Scan should pass

Anything else we need to know?: It looks like it is the same bug you had before: https://github.com/anchore/grype/issues/2048

Environment:

bergernir commented 1 month ago

This exception happens on any package that contains the following CVE: "CVE-2024-5535".

willmurphyscode commented 1 month ago

Hi @bergernir thanks for the report!

I'm trying to investigate, and I haven't been able to trigger this error behavior. It looks like you're scanning a particular Alpine image with libssl or openssl installed? Can you share any more details that might help us reproduce the issue? For example, a link to a public image that exhibits the issue, or a snippet of Dockerfile that can be used to build an image that triggers the issue would be a big help. What version of Alpine? What version of OpenSSL? Even an alpine version and the apk add command that triggers this issue would probably be enough.

Also, I have a few questions that will help me understand and fix the bug:

  1. Does the issue happen on the latest version of grype 0.82.0 as of this writing?
  2. Does the issue still happen with today's vulnerability database (that is, after grype db update)?
  3. Are you running grype directly on an image?
  4. What version of alpine and openssl are present in the image?

You mentioned that this is the same issue as #2048, but the Dockerfile snippet from that image scans fine for me.

I'll keep investigating regardless, but a few more details would be a big help. Thanks!

bergernir commented 1 month ago

Hi @willmurphyscode, thanks for your assistance. Yesterday we updated the Grype version from 0.80.2 to 0.82.1 and this error message has stopped.

willmurphyscode commented 1 month ago

Thanks for letting us know!

de4Ru commented 4 weeks ago

Hello, I'm facing the same issue with grype 0.83.0:

[0222] ERROR failed to inflate vulnerability record (by language): failed to parse constraint='>=1.7.0,<1.9.0ubuntu1.2' format='Python': unable to parse pep440 constrain phrase failed to create comparator for '&{< 1.9.0ubuntu1.2}': unable to parse

willmurphyscode commented 4 weeks ago

Hi @de4Ru - the issue you're facing is with Python packages, not APKs, so I made it its own issue, #2229, but the error messages do look very similar. Thanks for the report! Please follow #2229 for updates.

tomersein commented 2 weeks ago

@willmurphyscode I think this is a good subject to discuss in the OSS weekly chat: how to monitor that bad values are not getting into the DB and causing failures. Maybe it is worth running a script which will check the versions appearing in the constraints.
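The comment above asks for a script that checks the version strings inside constraint phrases before they reach the database, and the original report shows the shape of the value that broke the apk parser ('>= 1.0.2zk'). The following Go program is an added example written for this page, not code from grype or from anyone in the thread. It assumes a simplified form of the apk-tools version grammar (dotted digits, at most one trailing lowercase letter, optional _alpha/_beta/_pre/_rc/_p style suffixes, optional -rN revision) and assumes constraint phrases are comma-separated comparators, which matches the strings quoted in the thread. The `Record` type, the `SampleRecords` data and the IDs in it are constructed for the example and are not taken from any real grype database.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// apkVersionRE is an assumed, simplified apk-tools version grammar used only for this
// example: dotted digits, an optional single lowercase letter, optional _suffix parts,
// and an optional -rN package revision. A two-letter tail such as "zk" does not match,
// which is exactly the shape of the value that failed in the report above.
var apkVersionRE = regexp.MustCompile(
	`^[0-9]+(\.[0-9]+)*[a-z]?(_(alpha|beta|pre|rc|cvs|svn|git|hg|p)[0-9]*)*(-r[0-9]+)?$`)

// ValidAPKVersion reports whether v matches the assumed apk version grammar.
func ValidAPKVersion(v string) bool { return apkVersionRE.MatchString(v) }

// ConstraintProblem describes one comparator whose version part cannot be parsed.
type ConstraintProblem struct {
	Constraint string // the whole phrase the comparator came from
	Comparator string // the operator found, empty if none was recognised
	Version    string // the version text that failed validation
}

// operators is ordered so that two-character operators are tried before their
// one-character prefixes (">=" before ">", "==" before "=").
var operators = []string{">=", "<=", "==", "!=", ">", "<", "="}

// LintAPKConstraint splits a comma-separated constraint phrase such as
// ">= 1.0.2,< 1.0.2zk" (format assumed for this example) into comparators and returns
// every comparator whose version does not parse. An empty result means the phrase is clean.
func LintAPKConstraint(constraint string) []ConstraintProblem {
	var problems []ConstraintProblem
	for _, part := range strings.Split(constraint, ",") {
		part = strings.TrimSpace(part)
		if part == "" {
			continue
		}
		op := ""
		for _, candidate := range operators {
			if strings.HasPrefix(part, candidate) {
				op = candidate
				break
			}
		}
		version := strings.TrimSpace(strings.TrimPrefix(part, op))
		if op == "" || !ValidAPKVersion(version) {
			problems = append(problems, ConstraintProblem{constraint, op, version})
		}
	}
	return problems
}

// Record is a minimal stand-in for one vulnerability database row (constructed here).
type Record struct {
	ID         string
	Package    string
	Constraint string
}

// LintRecords returns the IDs of records whose apk constraint would fail to parse,
// which is the pre-publication check suggested in the thread.
func LintRecords(records []Record) []string {
	var bad []string
	for _, r := range records {
		if len(LintAPKConstraint(r.Constraint)) > 0 {
			bad = append(bad, r.ID)
		}
	}
	return bad
}

// SampleRecords is constructed sample data; REC-2 carries a version shaped like the
// failing "1.0.2zk" value from the report. None of these rows come from a real database.
var SampleRecords = []Record{
	{"REC-1", "openssl", "< 1.1.1y-r0"},
	{"REC-2", "libssl3", ">= 1.0.2,< 1.0.2zk"},
	{"REC-3", "openssl", "< 3.0.8-r0"},
}

func main() {
	for _, r := range SampleRecords {
		for _, p := range LintAPKConstraint(r.Constraint) {
			fmt.Printf("%s (%s): unparsable version %q after operator %q\n",
				r.ID, r.Package, p.Version, p.Comparator)
		}
	}
	fmt.Println("records with bad constraints:", LintRecords(SampleRecords))
}
```

Running the lint over a full export before it is published would surface rows like REC-2 ahead of any scan, instead of every user's scan failing on the first record that does not parse. The grammar here is deliberately strict; a real check should use the same version parser the scanner itself uses, so that the lint and the scanner agree on what is valid.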