search

anchore / grype

A vulnerability scanner for container images and filesystems
Apache License 2.0
8.7k stars 569 forks source link

Missing alpine patch version yields inaccurate results #2222

Closed wagoodman closed 1 day ago

wagoodman commented 2 days ago

What happened: I'm seeing that when providing your own package details and alpine distro version details independent of an image, the distro patch version being left off may result in incorrect results:

❯ echo "pkg:apk/openssh@9.6_p1-r1" |  grype purl:/dev/stdin --distro 'alpine:3.19.4' -q
No vulnerabilities found

❯ echo "pkg:apk/openssh@9.6_p1-r1" |  grype purl:/dev/stdin --distro 'alpine:3.19' -q
NAME     INSTALLED  FIXED-IN   TYPE  VULNERABILITY  SEVERITY
openssh  9.6_p1-r1  9.8_p1-r0  apk   CVE-2024-6387  High

Please take note the vuln info for this record:

❯ sqlite3 --header --column /Users/wagoodman/Library/Caches/grype/db/5/vulnerability.db 'select id,package_name,namespace,version_format,version_constraint,fixed_in_versions from vulnerability where namespace like "%alpine%" and id == "CVE-2024-6387"'

id             package_name  namespace                  version_format  version_constraint  fixed_in_versions
-------------  ------------  -------------------------  --------------  ------------------  -----------------
CVE-2024-6387  openssh       alpine:distro:alpine:3.17  apk             < 9.1_p1-r6         ["9.1_p1-r6"]
CVE-2024-6387  openssh       alpine:distro:alpine:3.18  apk             < 9.3_p2-r2         ["9.3_p2-r2"]
CVE-2024-6387  openssh       alpine:distro:alpine:3.19  apk             < 9.6_p1-r1         ["9.6_p1-r1"]
CVE-2024-6387  openssh       alpine:distro:alpine:3.20  apk             < 9.7_p1-r4         ["9.7_p1-r4"]
CVE-2024-6387  openssh       alpine:distro:alpine:edge  apk             < 9.8_p1-r0         ["9.8_p1-r0"]

The results with --distro 'alpine:3.19.4' is correct/expected: this is a valid secdb entry that should prune the NVD match from results entirely.

What appears to be happening is that when the patch version is not specified this is using the alpine:distro:alpine:edge namespace to search against instead of alpine:distro:alpine:3.19 which has a different package fix version entirely (thus won't be pruned).

What you expected to happen: Using grype with this purl with both --distro 'alpine:3.19.4' and --distro 'alpine:3.19' should have the same result: CVE-2024-6387 should be absent from the results.