anchore / grype

A vulnerability scanner for container images and filesystems
Apache License 2.0

question: Why are CVEs being ignored? #2242

Closed samcornwell closed 2 weeks ago

samcornwell commented 2 weeks ago

I have found that some images are showing the majority of vulnerabilities as ignored. Specifically, if run with the -v flag, it says that they are ignored due to user-provided ignore rules. I have no configuration files and am passing no rules on the command line. Why is this happening?

scan:

user@machine:~$ grype docker:test -v
[0000]  INFO grype version: 0.84.0
[0005]  INFO task completed elapsed=1.122875ms task=environment-cataloger
[0005]  INFO task completed elapsed=422.333µs task=alpm-db-cataloger
[0005]  INFO task completed elapsed=58.5µs task=apk-db-cataloger
[0006]  INFO task completed elapsed=630.927875ms task=dpkg-db-cataloger
[0006]  INFO task completed elapsed=82.833µs task=portage-cataloger
[0006]  INFO task completed elapsed=51.25µs task=rpm-db-cataloger
[0006]  INFO task completed elapsed=32.666µs task=conan-info-cataloger
[0006]  INFO task completed elapsed=22.916µs task=javascript-package-cataloger
[0006]  INFO task completed elapsed=21.208µs task=php-composer-installed-cataloger
[0006]  INFO task completed elapsed=24.625µs task=r-package-cataloger
[0006]  INFO task completed elapsed=29.958µs task=ruby-installed-gemspec-cataloger
[0006]  INFO task completed elapsed=128.62ms task=cargo-auditable-binary-cataloger
[0006]  INFO task completed elapsed=66.542µs task=php-pecl-serialized-cataloger
[0006]  INFO task completed elapsed=29.667µs task=dotnet-portable-executable-cataloger
[0006]  INFO task completed elapsed=1.138125ms task=python-installed-package-cataloger
[0006]  INFO task completed elapsed=104.547625ms task=go-module-binary-cataloger
[0006]  INFO task completed elapsed=160.709µs task=java-archive-cataloger
[0006]  INFO task completed elapsed=37.754958ms task=graalvm-native-image-cataloger
[0006]  INFO task completed elapsed=9.480083ms task=nix-store-cataloger
[0006]  INFO task completed elapsed=71.625µs task=lua-rock-cataloger
[0006]  INFO task completed elapsed=189.378667ms task=binary-classifier-cataloger
[0006]  INFO task completed elapsed=34.384833ms task=elf-binary-package-cataloger
[0006]  INFO task completed elapsed=60.5µs task=java-jvm-cataloger
[0006]  INFO task completed elapsed=8.311541ms task=linux-kernel-cataloger
[0006]  INFO task completed elapsed=4.905917ms task=wordpress-plugins-cataloger
[0007]  INFO task completed elapsed=680.804001ms task=file-digest-cataloger
[0007]  INFO task completed elapsed=40.089ms task=file-metadata-cataloger
[0007]  INFO task completed elapsed=177.671208ms task=file-executable-cataloger
[0008]  INFO task completed elapsed=181.30825ms task=relationships-cataloger
[0008]  INFO task completed elapsed=41.414166ms task=unknowns-labeler
[0008]  INFO ignoring 819 matches due to user-provided ignore rules
[0008]  INFO found 903 vulnerability matches across 247 packages
[0008]  INFO ignored 819 vulnerability matches
NAME                       INSTALLED                   FIXED-IN  TYPE  VULNERABILITY   SEVERITY   
binutils                   2.42-4ubuntu2.3                       deb   CVE-2017-13716  Low         
binutils                   2.42-4ubuntu2.3                       deb   CVE-2018-20657  Negligible  
binutils-common            2.42-4ubuntu2.3                       deb   CVE-2017-13716  Low         
binutils-common            2.42-4ubuntu2.3                       deb   CVE-2018-20657  Negligible  
binutils-x86-64-linux-gnu  2.42-4ubuntu2.3                       deb   CVE-2017-13716  Low         
binutils-x86-64-linux-gnu  2.42-4ubuntu2.3                       deb   CVE-2018-20657  Negligible  
coreutils                  9.4-3ubuntu6                          deb   CVE-2016-2781   Low         
dirmngr                    2.4.4-2ubuntu17                       deb   CVE-2022-3219   Low         
gnupg                      2.4.4-2ubuntu17                       deb   CVE-2022-3219   Low         
gnupg-l10n                 2.4.4-2ubuntu17                       deb   CVE-2022-3219   Low         
gnupg-utils                2.4.4-2ubuntu17                       deb   CVE-2022-3219   Low         
gpg                        2.4.4-2ubuntu17                       deb   CVE-2022-3219   Low         
gpg-agent                  2.4.4-2ubuntu17                       deb   CVE-2022-3219   Low         
gpg-wks-client             2.4.4-2ubuntu17                       deb   CVE-2022-3219   Low         
gpgconf                    2.4.4-2ubuntu17                       deb   CVE-2022-3219   Low         
gpgsm                      2.4.4-2ubuntu17                       deb   CVE-2022-3219   Low         
gpgv                       2.4.4-2ubuntu17                       deb   CVE-2022-3219   Low         
keyboxd                    2.4.4-2ubuntu17                       deb   CVE-2022-3219   Low         
krb5-locales               1.20.1-6ubuntu2.1                     deb   CVE-2024-26462  Medium      
krb5-locales               1.20.1-6ubuntu2.1                     deb   CVE-2024-26461  Low         
krb5-locales               1.20.1-6ubuntu2.1                     deb   CVE-2024-26458  Negligible  
libbinutils                2.42-4ubuntu2.3                       deb   CVE-2017-13716  Low         
libbinutils                2.42-4ubuntu2.3                       deb   CVE-2018-20657  Negligible  
libc-bin                   2.39-0ubuntu8.3                       deb   CVE-2016-20013  Negligible  
libc-dev-bin               2.39-0ubuntu8.3                       deb   CVE-2016-20013  Negligible  
libc-devtools              2.39-0ubuntu8.3                       deb   CVE-2016-20013  Negligible  
libc6                      2.39-0ubuntu8.3                       deb   CVE-2016-20013  Negligible  
libc6-dev                  2.39-0ubuntu8.3                       deb   CVE-2016-20013  Negligible  
libctf-nobfd0              2.42-4ubuntu2.3                       deb   CVE-2017-13716  Low         
libctf-nobfd0              2.42-4ubuntu2.3                       deb   CVE-2018-20657  Negligible  
libctf0                    2.42-4ubuntu2.3                       deb   CVE-2017-13716  Low         
libctf0                    2.42-4ubuntu2.3                       deb   CVE-2018-20657  Negligible  
libde265-0                 1.0.15-1build3                        deb   CVE-2024-38950  Medium      
libde265-0                 1.0.15-1build3                        deb   CVE-2024-38949  Medium      
libexpat1                  2.6.1-2ubuntu0.1                      deb   CVE-2024-50602  Medium      
libexpat1-dev              2.6.1-2ubuntu0.1                      deb   CVE-2024-50602  Medium      
libgcrypt20                1.10.3-2build1                        deb   CVE-2024-2236   Medium      
libgprofng0                2.42-4ubuntu2.3                       deb   CVE-2017-13716  Low         
libgprofng0                2.42-4ubuntu2.3                       deb   CVE-2018-20657  Negligible  
libgssapi-krb5-2           1.20.1-6ubuntu2.1                     deb   CVE-2024-26462  Medium      
libgssapi-krb5-2           1.20.1-6ubuntu2.1                     deb   CVE-2024-26461  Low         
libgssapi-krb5-2           1.20.1-6ubuntu2.1                     deb   CVE-2024-26458  Negligible  
libheif-plugin-aomdec      1.17.6-1ubuntu4.1                     deb   CVE-2024-25269  Negligible  
libheif-plugin-aomenc      1.17.6-1ubuntu4.1                     deb   CVE-2024-25269  Negligible  
libheif-plugin-libde265    1.17.6-1ubuntu4.1                     deb   CVE-2024-25269  Negligible  
libheif1                   1.17.6-1ubuntu4.1                     deb   CVE-2024-25269  Negligible  
libjpeg-turbo8             2.1.5-2ubuntu2                        deb   CVE-2018-10126  Low         
libk5crypto3               1.20.1-6ubuntu2.1                     deb   CVE-2024-26462  Medium      
libk5crypto3               1.20.1-6ubuntu2.1                     deb   CVE-2024-26461  Low         
libk5crypto3               1.20.1-6ubuntu2.1                     deb   CVE-2024-26458  Negligible  
libkrb5-3                  1.20.1-6ubuntu2.1                     deb   CVE-2024-26462  Medium      
libkrb5-3                  1.20.1-6ubuntu2.1                     deb   CVE-2024-26461  Low         
libkrb5-3                  1.20.1-6ubuntu2.1                     deb   CVE-2024-26458  Negligible  
libkrb5support0            1.20.1-6ubuntu2.1                     deb   CVE-2024-26462  Medium      
libkrb5support0            1.20.1-6ubuntu2.1                     deb   CVE-2024-26461  Low         
libkrb5support0            1.20.1-6ubuntu2.1                     deb   CVE-2024-26458  Negligible  
libpam-modules             1.5.3-5ubuntu5.1                      deb   CVE-2024-10041  Medium      
libpam-modules-bin         1.5.3-5ubuntu5.1                      deb   CVE-2024-10041  Medium      
libpam-runtime             1.5.3-5ubuntu5.1                      deb   CVE-2024-10041  Medium      
libpam0g                   1.5.3-5ubuntu5.1                      deb   CVE-2024-10041  Medium      
libpng16-16t64             1.6.43-5build1                        deb   CVE-2022-3857   Low         
libpython3.12-dev          3.12.3-1ubuntu0.2                     deb   CVE-2024-9287   Medium      
libpython3.12-minimal      3.12.3-1ubuntu0.2                     deb   CVE-2024-9287   Medium      
libpython3.12-stdlib       3.12.3-1ubuntu0.2                     deb   CVE-2024-9287   Medium      
libpython3.12t64           3.12.3-1ubuntu0.2                     deb   CVE-2024-9287   Medium      
libsframe1                 2.42-4ubuntu2.3                       deb   CVE-2017-13716  Low         
libsframe1                 2.42-4ubuntu2.3                       deb   CVE-2018-20657  Negligible  
libssl3t64                 3.0.13-0ubuntu3.4                     deb   CVE-2024-9143   Low         
libssl3t64                 3.0.13-0ubuntu3.4                     deb   CVE-2024-41996  Low         
libtiff6                   4.5.1+git230720-4ubuntu2.2            deb   CVE-2024-6716   Low         
openssl                    3.0.13-0ubuntu3.4                     deb   CVE-2024-9143   Low         
openssl                    3.0.13-0ubuntu3.4                     deb   CVE-2024-41996  Low         
patch                      2.7.6-7build3                         deb   CVE-2021-45261  Negligible  
patch                      2.7.6-7build3                         deb   CVE-2019-20633  Negligible  
patch                      2.7.6-7build3                         deb   CVE-2018-6952   Negligible  
python3-pip                24.0+dfsg-1ubuntu1.1                  deb   CVE-2024-3651   Medium      
python3-pip                24.0+dfsg-1ubuntu1.1                  deb   CVE-2024-35195  Medium      
python3-pip                24.0+dfsg-1ubuntu1.1                  deb   CVE-2023-5752   Medium      
python3-pip                24.0+dfsg-1ubuntu1.1                  deb   CVE-2023-45803  Medium      
python3-pip                24.0+dfsg-1ubuntu1.1                  deb   CVE-2023-43804  Medium      
python3-pip                24.0+dfsg-1ubuntu1.1                  deb   CVE-2018-25091  Medium      
python3.12                 3.12.3-1ubuntu0.2                     deb   CVE-2024-9287   Medium      
python3.12-dev             3.12.3-1ubuntu0.2                     deb   CVE-2024-9287   Medium      
python3.12-minimal         3.12.3-1ubuntu0.2                     deb   CVE-2024-9287   Medium

config:

user@machine:~$ grype config
log:
  # suppress all logging output (env: GRYPE_LOG_QUIET)
  quiet: false

  # increase verbosity (-v = info, -vv = debug) (env: GRYPE_LOG_VERBOSITY)
  verbosity: 0

  # explicitly set the logging level (available: [error warn info debug trace]) (env: GRYPE_LOG_LEVEL)
  level: 'warn'

  # file path to write logs to (env: GRYPE_LOG_FILE)
  file: ''

dev:
  # capture resource profiling data (available: [cpu, mem]) (env: GRYPE_DEV_PROFILE)
  profile: ''

# the output format of the vulnerability report (options: table, template, json, cyclonedx)
# when using template as the output type, you must also provide a value for 'output-template-file' (env: GRYPE_OUTPUT)
output: []

# if using template output, you must provide a path to a Go template file
# see https://github.com/anchore/grype#using-templates for more information on template output
# the default path to the template file is the current working directory
# output-template-file: .grype/html.tmpl
#
# write output report to a file (default is to write to stdout) (env: GRYPE_FILE)
file: ''

# distro to match against in the format: <distro>:<version> (env: GRYPE_DISTRO)
distro: ''

# generate CPEs for packages with no CPE data (env: GRYPE_ADD_CPES_IF_NONE)
add-cpes-if-none: false

# specify the path to a Go template file (requires 'template' output to be selected) (env: GRYPE_OUTPUT_TEMPLATE_FILE)
output-template-file: ''

# enable/disable checking for application updates on startup (env: GRYPE_CHECK_FOR_APP_UPDATE)
check-for-app-update: true

# ignore matches for vulnerabilities that are not fixed (env: GRYPE_ONLY_FIXED)
only-fixed: false

# ignore matches for vulnerabilities that are fixed (env: GRYPE_ONLY_NOTFIXED)
only-notfixed: false

# ignore matches for vulnerabilities with specified comma separated fix states, options=[fixed not-fixed unknown wont-fix] (env: GRYPE_IGNORE_WONTFIX)
ignore-wontfix: ''

# an optional platform specifier for container image sources (e.g. 'linux/arm64', 'linux/arm64/v8', 'arm64', 'linux') (env: GRYPE_PLATFORM)
platform: ''

search:
  # selection of layers to analyze, options=[squashed all-layers] (env: GRYPE_SEARCH_SCOPE)
  scope: 'squashed'

  # search within archives that do contain a file index to search against (zip)
  # note: for now this only applies to the java package cataloger (env: GRYPE_SEARCH_UNINDEXED_ARCHIVES)
  unindexed-archives: false

  # search within archives that do not contain a file index to search against (tar, tar.gz, tar.bz2, etc)
  # note: enabling this may result in a performance impact since all discovered compressed tars will be decompressed
  # note: for now this only applies to the java package cataloger (env: GRYPE_SEARCH_INDEXED_ARCHIVES)
  indexed-archives: true

# A list of vulnerability ignore rules, one or more property may be specified and all matching vulnerabilities will be ignored.
# This is the full set of supported rule fields:
#   - vulnerability: CVE-2008-4318
#     fix-state: unknown
#     package:
#       name: libcurl
#       version: 1.5.1
#       type: npm
#       location: "/usr/local/lib/node_modules/**"
#
# VEX fields apply when Grype reads vex data:
#   - vex-status: not_affected
#     vex-justification: vulnerable_code_not_present
ignore: []

# a list of globs to exclude from scanning, for example:
#   - '/etc/**'
#   - './out/**/*.json'
# same as --exclude (env: GRYPE_EXCLUDE)
exclude: []

db:
  # location to write the vulnerability database cache (env: GRYPE_DB_CACHE_DIR)
  cache-dir: '~/.cache/grype/db'

  # URL of the vulnerability database (env: GRYPE_DB_UPDATE_URL)
  update-url: 'https://toolbox-data.anchore.io/grype/databases/listing.json'

  # certificate to trust download the database and listing file (env: GRYPE_DB_CA_CERT)
  ca-cert: ''

  # check for database updates on execution (env: GRYPE_DB_AUTO_UPDATE)
  auto-update: true

  # validate the database matches the known hash each execution (env: GRYPE_DB_VALIDATE_BY_HASH_ON_START)
  validate-by-hash-on-start: false

  # ensure db build is no older than the max-allowed-built-age (env: GRYPE_DB_VALIDATE_AGE)
  validate-age: true

  # Max allowed age for vulnerability database,
  # age being the time since it was built
  # Default max age is 120h (or five days) (env: GRYPE_DB_MAX_ALLOWED_BUILT_AGE)
  max-allowed-built-age: 120h0m0s

  # fail the scan if unable to check for database updates (env: GRYPE_DB_REQUIRE_UPDATE_CHECK)
  require-update-check: false

  # Timeout for downloading GRYPE_DB_UPDATE_URL to see if the database needs to be downloaded
  # This file is ~156KiB as of 2024-04-17 so the download should be quick; adjust as needed (env: GRYPE_DB_UPDATE_AVAILABLE_TIMEOUT)
  update-available-timeout: 30s

  # Timeout for downloading actual vulnerability DB
  # The DB is ~156MB as of 2024-04-17 so slower connections may exceed the default timeout; adjust as needed (env: GRYPE_DB_UPDATE_DOWNLOAD_TIMEOUT)
  update-download-timeout: 5m0s

  # Maximum frequency to check for vulnerability database updates (env: GRYPE_DB_MAX_UPDATE_CHECK_FREQUENCY)
  max-update-check-frequency: 2h0m0s

external-sources:
  # enable Grype searching network source for additional information (env: GRYPE_EXTERNAL_SOURCES_ENABLE)
  enable: false

  maven:
    # search for Maven artifacts by SHA1 (env: GRYPE_EXTERNAL_SOURCES_MAVEN_SEARCH_MAVEN_UPSTREAM)
    search-maven-upstream: true

    # base URL of the Maven repository to search (env: GRYPE_EXTERNAL_SOURCES_MAVEN_BASE_URL)
    base-url: 'https://search.maven.org/solrsearch/select'

match:
  java:
    # use CPE matching to find vulnerabilities (env: GRYPE_MATCH_JAVA_USING_CPES)
    using-cpes: false

  jvm:
    # (env: GRYPE_MATCH_JVM_USING_CPES)
    using-cpes: true

  dotnet:
    # use CPE matching to find vulnerabilities (env: GRYPE_MATCH_DOTNET_USING_CPES)
    using-cpes: false

  golang:
    # use CPE matching to find vulnerabilities (env: GRYPE_MATCH_GOLANG_USING_CPES)
    using-cpes: false

    # use CPE matching to find vulnerabilities for the Go standard library (env: GRYPE_MATCH_GOLANG_ALWAYS_USE_CPE_FOR_STDLIB)
    always-use-cpe-for-stdlib: true

    # allow comparison between main module pseudo-versions (e.g. v0.0.0-20240413-2b432cf643...) (env: GRYPE_MATCH_GOLANG_ALLOW_MAIN_MODULE_PSEUDO_VERSION_COMPARISON)
    allow-main-module-pseudo-version-comparison: false

  javascript:
    # use CPE matching to find vulnerabilities (env: GRYPE_MATCH_JAVASCRIPT_USING_CPES)
    using-cpes: false

  python:
    # use CPE matching to find vulnerabilities (env: GRYPE_MATCH_PYTHON_USING_CPES)
    using-cpes: false

  ruby:
    # use CPE matching to find vulnerabilities (env: GRYPE_MATCH_RUBY_USING_CPES)
    using-cpes: false

  rust:
    # use CPE matching to find vulnerabilities (env: GRYPE_MATCH_RUST_USING_CPES)
    using-cpes: false

  stock:
    # use CPE matching to find vulnerabilities (env: GRYPE_MATCH_STOCK_USING_CPES)
    using-cpes: true

# upon scanning, if a severity is found at or above the given severity then the return code will be 1
# default is unset which will skip this validation (options: negligible, low, medium, high, critical) (env: GRYPE_FAIL_ON_SEVERITY)
fail-on-severity: ''

registry:
  # skip TLS verification when communicating with the registry (env: GRYPE_REGISTRY_INSECURE_SKIP_TLS_VERIFY)
  insecure-skip-tls-verify: false

  # use http instead of https when connecting to the registry (env: GRYPE_REGISTRY_INSECURE_USE_HTTP)
  insecure-use-http: false

  # Authentication credentials for specific registries. Each entry describes authentication for a specific authority:
  # -   authority: the registry authority URL the URL to the registry (e.g. "docker.io", "localhost:5000", etc.) (env: SYFT_REGISTRY_AUTH_AUTHORITY)
  #     username: a username if using basic credentials (env: SYFT_REGISTRY_AUTH_USERNAME)
  #     password: a corresponding password (env: SYFT_REGISTRY_AUTH_PASSWORD)
  #     token: a token if using token-based authentication, mutually exclusive with username/password (env: SYFT_REGISTRY_AUTH_TOKEN)
  #     tls-cert: filepath to the client certificate used for TLS authentication to the registry (env: SYFT_REGISTRY_AUTH_TLS_CERT)
  #     tls-key: filepath to the client key used for TLS authentication to the registry (env: SYFT_REGISTRY_AUTH_TLS_KEY)
  auth: []

  # filepath to a CA certificate (or directory containing *.crt, *.cert, *.pem) used to generate the client certificate (env: GRYPE_REGISTRY_CA_CERT)
  ca-cert: ''

# show suppressed/ignored vulnerabilities in the output (only supported with table output format) (env: GRYPE_SHOW_SUPPRESSED)
show-suppressed: false

# orient results by CVE instead of the original vulnerability ID when possible (env: GRYPE_BY_CVE)
by-cve: false

# same as --name; set the name of the target being analyzed (env: GRYPE_NAME)
name: ''

# allows users to specify which image source should be used to generate the sbom
# valid values are: registry, docker, podman (env: GRYPE_DEFAULT_IMAGE_PULL_SOURCE)
default-image-pull-source: ''

# a list of VEX documents to consider when producing scanning results (env: GRYPE_VEX_DOCUMENTS)
vex-documents: []

# VEX statuses to consider as ignored rules (env: GRYPE_VEX_ADD)
vex-add: []

# match kernel-header packages with upstream kernel as kernel vulnerabilities (env: GRYPE_MATCH_UPSTREAM_KERNEL_HEADERS)
match-upstream-kernel-headers: false

# delete downloaded databases after diff occurs (env: GRYPE_DELETE)
delete: false

# format to display results (available=[table, json]) (env: GRYPE_OUTPUT)
Output: 'table'

# CVE IDs to explain (env: GRYPE_CVE_IDS)
cve-ids: []

Dockerfile:

FROM ubuntu:latest

ARG TARGETOS
ARG TARGETARCH

RUN apt-get update

RUN apt-get install -y python3 python3-pip

popey commented 2 weeks ago

Hi @samcornwell - thanks for the question and steps to reproduce; much appreciated! I think I can explain this behavior.

The reason will be revealed if you run grype with an extra v for more verbose output. Jump to the part you're concerned about: [0009] INFO ignored 819 vulnerability matches

grype -vv docker:test

You'll find a section with the 819 vulnerability matches, which are subsequently ignored, like this:

[0009]  INFO ignoring 819 matches due to user-provided ignore rules
[0009]  INFO found 888 vulnerability matches across 233 packages
[0009] DEBUG   ├── fixed: 0
[0009] DEBUG   ├── ignored: 0 (due to user-provided rule)
[0009] DEBUG   ├── dropped: 0 (due to hard-coded correction)
[0009] DEBUG   └── matched: 888
[0009] DEBUG       ├── unknown severity: 0
[0009] DEBUG       ├── negligible: 29
[0009] DEBUG       ├── low: 46
[0009] DEBUG       ├── medium: 812
[0009] DEBUG       ├── high: 1
[0009] DEBUG       └── critical: 0
[0009]  INFO ignored 819 vulnerability matches
[0009] DEBUG   ├── package=pkg:deb/ubuntu/linux-libc-dev@6.8.0-48.48?arch=arm64&distro=ubuntu-24.04&upstream=linux rules=1 vuln=CVE-2012-4542
[0009] DEBUG   ├── package=pkg:deb/ubuntu/linux-libc-dev@6.8.0-48.48?arch=arm64&distro=ubuntu-24.04&upstream=linux rules=1 vuln=CVE-2013-7445
[0009] DEBUG   ├── package=pkg:deb/ubuntu/linux-libc-dev@6.8.0-48.48?arch=arm64&distro=ubuntu-24.04&upstream=linux rules=1 vuln=CVE-2015-8553
[0009] DEBUG   ├── package=pkg:deb/ubuntu/linux-libc-dev@6.8.0-48.48?arch=arm64&distro=ubuntu-24.04&upstream=linux rules=1 vuln=CVE-2016-8660
[0009] DEBUG   ├── package=pkg:deb/ubuntu/linux-libc-dev@6.8.0-48.48?arch=arm64&distro=ubuntu-24.04&upstream=linux rules=1 vuln=CVE-2017-0537
[0009] DEBUG   ├── package=pkg:deb/ubuntu/linux-libc-dev@6.8.0-48.48?arch=arm64&distro=ubuntu-24.04&upstream=linux rules=1 vuln=CVE-2017-13165
[0009] DEBUG   ├── package=pkg:deb/ubuntu/linux-libc-dev@6.8.0-48.48?arch=arm64&distro=ubuntu-24.04&upstream=linux rules=1 vuln=CVE-2017-13693

(trimmed for brevity)

Note how these are all in the upstream linux (as in, the kernel), but the match is on the linux-libc-dev package - which contains headers, not the Linux kernel binary code itself.

This was discussed in issue #1762 and implemented in pr #1787 .

You can turn this rule off with this configuration option or environment variable, which defaults to false meaning "Do not match the kernel header packages with upstream kernel vulnerabilities":

# match kernel-header packages with upstream kernel as kernel vulnerabilities (env: GRYPE_MATCH_UPSTREAM_KERNEL_HEADERS)
match-upstream-kernel-headers: false

e.g. (note the number of ignored is 0)

$ GRYPE_MATCH_UPSTREAM_KERNEL_HEADERS=true grype docker:test
 ✔ Loaded image sha256:32932619a696e6d05e451c4970699c111e8b78c8bc36f6d3c27d7d7c7fbc5463
 ✔ Parsed image sha256:32932619a696e6d05e451c4970699c111e8b78c8bc36f6d3c27d7d7c7fbc5463
 ✔ Cataloged contents 6e47fdba5cf2037b40f1ce0129a7ca687d9aba0f1aaf3d5ba4b1acfc3ca3d52b
   ├── ✔ Packages                        [236 packages]
   ├── ✔ File digests                    [9,984 files]
   ├── ✔ File metadata                   [9,984 locations]
   └── ✔ Executables                     [975 executables]
 ✔ Scanned for vulnerabilities     [888 vulnerability matches]
   ├── by severity: 0 critical, 1 high, 812 medium, 46 low, 29 negligible
   └── by status:   0 fixed, 888 not-fixed, 0 ignored

vs the default:

(note that the number of ignored matches matches your initial report)

$ GRYPE_MATCH_UPSTREAM_KERNEL_HEADERS=false grype docker:test
 ✔ Loaded image sha256:32932619a696e6d05e451c4970699c111e8b78c8bc36f6d3c27d7d7c7fbc5463
 ✔ Parsed image sha256:32932619a696e6d05e451c4970699c111e8b78c8bc36f6d3c27d7d7c7fbc5463
 ✔ Cataloged contents 6e47fdba5cf2037b40f1ce0129a7ca687d9aba0f1aaf3d5ba4b1acfc3ca3d52b
   ├── ✔ Packages                        [236 packages]
   ├── ✔ File digests                    [9,984 files]
   ├── ✔ File metadata                   [9,984 locations]
   └── ✔ Executables                     [975 executables]
 ✔ Scanned for vulnerabilities     [888 vulnerability matches]
   ├── by severity: 0 critical, 1 high, 812 medium, 46 low, 29 negligible
   └── by status:   0 fixed, 888 not-fixed, 819 ignored

I hope that explains how it works. If not, feel free to provide more details. If this covers your question enough, please close the issue at your convenience.

Have a great day! 🙏
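An added example for auditing suppressions like the 819 above (my code, not grype's): it reads a grype JSON report, groups ignoredMatches by package and upstream, and flags any suppressed match that is not attributable to a kernel-upstream package. Field names (matches, ignoredMatches, artifact.upstreams, appliedIgnoreRules) are assumed to follow grype's JSON output; the embedded report is constructed.

```python
"""Audit what a grype scan suppressed and why.

Added example, not grype's own code. Reads a grype JSON report
(`grype -o json docker:test`) and summarises its ignoredMatches section
per package, so a reviewer can confirm that suppressed matches really are
kernel CVEs matched against header packages via their "linux" upstream,
and spot any suppression that is something else. Field names are assumed
to follow grype's JSON report; the sample report below is constructed.
"""
import json
from collections import defaultdict

# Constructed sample report, trimmed to the fields this script reads.
SAMPLE_REPORT = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-2024-26462", "severity": "Medium"},
         "artifact": {"name": "libkrb5-3", "version": "1.20.1-6ubuntu2.1",
                      "type": "deb", "upstreams": [{"name": "krb5"}]}},
        {"vulnerability": {"id": "CVE-2016-2781", "severity": "Low"},
         "artifact": {"name": "coreutils", "version": "9.4-3ubuntu6",
                      "type": "deb", "upstreams": []}},
    ],
    "ignoredMatches": [
        # kernel CVEs matched against the header package through its upstream
        {"vulnerability": {"id": "CVE-2012-4542", "severity": "Medium"},
         "artifact": {"name": "linux-libc-dev", "version": "6.8.0-48.48",
                      "type": "deb", "upstreams": [{"name": "linux"}]},
         "appliedIgnoreRules": [{"package": {"upstream-name": "linux"}}]},
        {"vulnerability": {"id": "CVE-2013-7445", "severity": "High"},
         "artifact": {"name": "linux-libc-dev", "version": "6.8.0-48.48",
                      "type": "deb", "upstreams": [{"name": "linux"}]},
         "appliedIgnoreRules": [{"package": {"upstream-name": "linux"}}]},
        # a suppression that is NOT kernel-header noise: a rule on a CVE id
        {"vulnerability": {"id": "CVE-2024-9143", "severity": "Low"},
         "artifact": {"name": "openssl", "version": "3.0.13-0ubuntu3.4",
                      "type": "deb", "upstreams": []},
         "appliedIgnoreRules": [{"vulnerability": "CVE-2024-9143"}]},
    ],
})


def load_report(text):
    """Parse a grype JSON report from a string."""
    return json.loads(text)


def flatten_rule(rule, prefix=""):
    """Turn a nested ignore rule into sorted 'field=value' pairs."""
    pairs = []
    for key, value in rule.items():
        if isinstance(value, dict):
            pairs.extend(flatten_rule(value, prefix + key + "."))
        elif value not in (None, "", []):
            pairs.append(f"{prefix}{key}={value}")
    return sorted(pairs)


def upstreams_of(match):
    """Names of the source (upstream) packages the matched artifact came from."""
    return {u.get("name", "") for u in match["artifact"].get("upstreams", [])}


def summarize_ignored(report):
    """Group ignoredMatches by (package, upstreams) with counts and rules."""
    groups = defaultdict(lambda: {"count": 0, "vulns": [], "rules": set()})
    for m in report.get("ignoredMatches", []):
        key = (m["artifact"]["name"], ",".join(sorted(upstreams_of(m))))
        g = groups[key]
        g["count"] += 1
        g["vulns"].append(m["vulnerability"]["id"])
        for rule in m.get("appliedIgnoreRules", []):
            g["rules"].add(" ".join(flatten_rule(rule)))
    return dict(groups)


def unexpected_suppressions(report, noise_upstreams=frozenset({"linux"})):
    """Ignored matches not explained by a kernel-upstream package; review these."""
    out = []
    for m in report.get("ignoredMatches", []):
        if not (upstreams_of(m) & noise_upstreams):
            out.append((m["artifact"]["name"], m["vulnerability"]["id"]))
    return out


def suppression_ratio(report):
    """(ignored, total) to cross-check the 'found N / ignored M' log lines."""
    ignored = len(report.get("ignoredMatches", []))
    return ignored, ignored + len(report.get("matches", []))


if __name__ == "__main__":
    rep = load_report(SAMPLE_REPORT)
    for (name, ups), g in summarize_ignored(rep).items():
        print(f"{name} (upstream: {ups or '-'}): {g['count']} ignored; rules: {sorted(g['rules'])}")
    print("needs review:", unexpected_suppressions(rep))
    print("ignored/total:", suppression_ratio(rep))
```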

samcornwell commented 2 weeks ago

Thank you very much for the detailed answer @popey. I think I sort of understand the answer, and I am trying to determine the relevance of these vulnerabilities. Am I right in saying that these vulnerabilities are not relevant in a containerized environment?

popey commented 2 weeks ago

No problem @samcornwell - I think the general feeling is that the vast majority (if not all) of those CVEs relate to the Linux kernel itself - the big binary and all those drivers, not the headers, used by third party developers to build software against the kernel. So it's considered noise that you, as a container consumer, probably don't need to see. However, I'm not a security researcher, or lawyer etc, so it's a decision you need to make, I think. :)

samcornwell commented 2 weeks ago

Thanks again @popey. I will point out that, when testing the config file example you listed, I noticed it should be true, not false.

aaronlippold commented 2 weeks ago

@joshbressers thoughts?

joshbressers commented 2 weeks ago

@aaronlippold I'm 100% in favor of this

Kernel headers aren't code, they're headers. One of the difficulties we have when trying to match Linux Distribution data is which built package actually contains the vulnerability in question? The distros don't tell us this, they use the source package name generally.

Here's a better example:

When you build emacs, there is a package that gets spit out called "emacs-filesystem". It's just the directory layout for emacs. There's nothing in it.

We currently will report it as affected by emacs vulnerabilities today if you have it installed. We don't want to add special conditions for every package like this, so how to solve this better is the question (we're working on it).

The kernel headers were special because all the new kernel vulnerabilities, plus all the kernel headers, and you have a silly list of false positives. So we made an exception.